Analysis
- max time kernel: 133s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2024 07:09

Static task: static1
Behavioral task: behavioral1
  Sample: KBGC_1200O000000_98756.docx
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: KBGC_1200O000000_98756.docx
  Resource: win10v2004-20240802-en
General
- Target: KBGC_1200O000000_98756.docx
- Size: 264KB
- MD5: da3b3b9590907c35f64e830b2b244ffd
- SHA1: 8393b61a2871bc1ea9cb2c22fa041790ce8fa5b1
- SHA256: 97a4fe736ddd0955e218e7f7fb00d2fddee7896db60aa90e175b4824c9192825
- SHA512: 98d070881920985daa43a793dd5064a4262584f61c34d86d0b51ff9c395ff81712e192b34cef6a1fedb3a274e214f38725b14fdb93aede811043b976ba6a3cf1
- SSDEEP: 6144:AyrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOP:Dwy2O1c0buXHNXc
Signatures
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE (PID 3856), listed 2 times
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WINWORD.EXE (PID 3856)
  Token: SeAuditPrivilege
-
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes: WINWORD.EXE (PID 3856), listed 8 times
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\KBGC_1200O000000_98756.docx" /o ""
  PID: 3856
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 565KB
MD5: adbffccbb78834fa492cc7ca8a676e52
SHA1: 1e5b065d13fa03fb556a7ff315b85db96d369908
SHA256: 42d08df15b74f7a598895de1590dab57cd973d1b4dd8531f88ac3150260f7e63
SHA512: de1bb84f11ad4dcf7035699c8b5ca58e098da937a98b8a701ba202671dbb9bf1510434682675b208f3dc804040a9775b11903709f825758e68a19fc9ef2e8b33
-
Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize: 374B
MD5: b5a90cf2c18e0aba6b2cccde7da925a5
SHA1: 4b96fe11f2c0224a1855b48d895602fdd9145936
SHA256: 6bab9bb1e62906615fc199455f1860f3b755c608a0cb855c65e420bdb14eb45a
SHA512: 44fc9d12ad15b60fd1c0e8c6610cf2eeade293b47a8aca62f345dc8a560690615c60ba4fc42d0208028e9cf01feef12f34451ae325624b5ebbd6b26dd85d278f
-
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 677B
MD5: c907c128dfce4492bde0d513ce766234
SHA1: 99f26fb6b10acad31b135f15861e43dd298e67ba
SHA256: 5a008a0541e5290da3bf3657d25f5d33853559069ad7a655897c57608f0e22bb
SHA512: 0c3d6e3d40f0f2daee888aa67454d37b14177aa7ace7a689b975a48299460dc83b42e766fe15733c2103ecf017dafb926ecd558949d2f2e07b794f62a97bf330