Analysis
-
max time kernel
133s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02-10-2024 09:16
Static task
static1
Behavioral task
behavioral1
Sample
30092463687563.docx
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
30092463687563.docx
Resource
win10v2004-20240802-en
General
-
Target
30092463687563.docx
-
Size
264KB
-
MD5
da3b3b9590907c35f64e830b2b244ffd
-
SHA1
8393b61a2871bc1ea9cb2c22fa041790ce8fa5b1
-
SHA256
97a4fe736ddd0955e218e7f7fb00d2fddee7896db60aa90e175b4824c9192825
-
SHA512
98d070881920985daa43a793dd5064a4262584f61c34d86d0b51ff9c395ff81712e192b34cef6a1fedb3a274e214f38725b14fdb93aede811043b976ba6a3cf1
-
SSDEEP
6144:AyrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOP:Dwy2O1c0buXHNXc
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3604 WINWORD.EXE 3604 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeAuditPrivilege 3604 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 3604 WINWORD.EXE 3604 WINWORD.EXE 3604 WINWORD.EXE 3604 WINWORD.EXE 3604 WINWORD.EXE 3604 WINWORD.EXE 3604 WINWORD.EXE 3604 WINWORD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\30092463687563.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3604
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
565KB
MD5adbffccbb78834fa492cc7ca8a676e52
SHA11e5b065d13fa03fb556a7ff315b85db96d369908
SHA25642d08df15b74f7a598895de1590dab57cd973d1b4dd8531f88ac3150260f7e63
SHA512de1bb84f11ad4dcf7035699c8b5ca58e098da937a98b8a701ba202671dbb9bf1510434682675b208f3dc804040a9775b11903709f825758e68a19fc9ef2e8b33
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
449B
MD530426feea6a9cd18b9a70e781d159235
SHA1d14360ae6ff21535416355ef3f02d8a00458d214
SHA2564ed7511d6363efddd263ca966a31dd6fdd0985096ed28bbefc0df30001bb895e
SHA512960435422db58f4db759bb84beedef7213eadd06d2ecc046176fbfaaabd1e795f19b0a2030ab2bf7343adeda4d7ce38efda111cba6a3af49cbab76d7c6b91ccd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize4KB
MD590a25ea3a569c05dfa75958074436bf2
SHA1a100d5167ff3f1c124a7efbf996a910022103344
SHA256fd7312ec7aa11b3a650b4811eae1539fe070b12a863a7646e4254cd128feb620
SHA5128137ebd69850262834b3e802a018e1cb3e376383c210b12eeb7b61845f5762b30c69b72c58f16e9088cf0049d4443c727547f985a9ae801ea366e323d22004ef