Analysis
-
max time kernel
30s -
max time network
44s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/09/2024, 19:11
Static task
static1
Behavioral task
behavioral1
Sample
EROOT.docx
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
EROOT.docx
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
ERoot_1.3.1.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
ERoot_1.3.1.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Eroot 1.2.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Eroot 1.2.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Eroot 1.3.3.exe
Resource
win7-20240729-en
Behavioral task
behavioral8
Sample
Eroot 1.3.3.exe
Resource
win10v2004-20240802-en
Errors
General
-
Target
EROOT.docx
-
Size
402KB
-
MD5
116b479d6ddd69cd6f3003fe7f3e680c
-
SHA1
38cfdaa2baed93be0c8a157327688b0d1218b0c5
-
SHA256
c3508f3a554f606adc2ee25736181c64fe6da8d351fd6cfb8a963af8f221189b
-
SHA512
7c3f193fd00338f7c10a04789423bceccadb46c627da13b0c75d942b847c26e014fe907142020525fd73f48bd55609521cb003d70570b724ba148422270f5fe5
-
SSDEEP
6144:LPVgB6IWj6F84miZquPsW5LlTfDxZshwkGpuBGYmbq/aMglTfDxZshwkGpuBGGtp:DVW6IWjOI+UWlxfAMuwYaMgxfAMuwSJ
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4200 WINWORD.EXE 4200 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\EROOT.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4200
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD5bf23033f1d29c21e838dc70bd6bf3387
SHA10f1cf53af328a53aca0ac3888f4dfe9db4a0f422
SHA256983bddcdbbf31fb2f22a7c9072ba14f8276e222255d4b8773070c25da79bc91f
SHA512769a8e1f41adc781eed6236d3a40caf8c4063d62d55f101673a5adfe5e703c05af23a7105593d75b629bc74e34919d1a7d7ee8ae714350e2b4d777df1763d829