Analysis
-
max time kernel
133s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02-10-2024 12:59
Static task
static1
Behavioral task
behavioral1
Sample
SCANNED COPY.rtf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
SCANNED COPY.rtf
Resource
win10v2004-20240802-en
General
-
Target
SCANNED COPY.rtf
-
Size
699KB
-
MD5
4b6a210109e97c5168659caaac0895f1
-
SHA1
5edaab62f69f03a0ce76130be6281ed12b8974f2
-
SHA256
1abbd41ea4c50b4db3acfe9a14f07b93ee52e0ea8515f34cc007f4d314d60746
-
SHA512
59505a64198a017143c01f58564b14b282e5f502ad23b1f71f4d0c0458d17ece1b96bf2fd0d8f38a8ded2eef0f433c3b1c134cb947a05fc565bf0e9ddf7972e7
-
SSDEEP
6144:/wAYwAYwAYwAYwASlhaA48Ix9kN25/bQ9/vlT79Gz:cE
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2512 WINWORD.EXE 2512 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 2512 WINWORD.EXE 2512 WINWORD.EXE 2512 WINWORD.EXE 2512 WINWORD.EXE 2512 WINWORD.EXE 2512 WINWORD.EXE 2512 WINWORD.EXE 2512 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SCANNED COPY.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2512
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD53c6705a861d957c1680fbdb4f8c5f307
SHA1b6c8ee1c8229585f551be7192fec121c0e7cc9d1
SHA2562e299354f59cbac08592548c06bc7a0353153bee614c1629d43f4ddb8d012923
SHA512dd6423f77fe0c022dedbf47ed516bbdcf2e9481643bb27c87531c2d35c46937d09d3b4f5ec44586f75fbcc7fa2c8807c0e0435deeeda70e5a815684053469bf8