8b9f432e0141977ab1cc0cee5b6c22f584f439fa96874a0717ea68cdc679d8e4

Analysis

max time kernel
133s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/License_PT.rtf
Size

7KB
MD5

858d50016b5091a71bde743798e4fde9
SHA1

80fe9815569fab908af407db0b0c386ee5fb0499
SHA256

0d121347542face1889918432c70ce29e0fed3f53a837c9d03c9a73f49ccc834
SHA512

2fa1080a2d667629fe2862075855b6ae1c6b4e592fc2e119f2775fb1ede100cbe9efd5252241b6ee4eddf8925d99e1751f06c0c3f0ad2290f489e0caaac7fce2
SSDEEP

192:YfMZT9jNvNThXsR00Ao2dyTSWOrrgSRfM6+QxFHYidArvNK3pCnLPeWVRX2:X9jxBhXsR00odI1j6Hb8vg3pCLP1VRX2

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3772	WINWORD.EXE
3772	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\License_PT.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDE022.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
c8cceb07eebe04be6c7d7f0b676bf96d

SHA1
473c610b3e0681bec948cbc064b4d80af4cb76be

SHA256
630ada99748bafc15ebed704287db381b55a6f27ad51f60992ae4e817c8d46e0

SHA512
971b50c11cff408aa8f098b2b394083b99facd71713d9e7d4299f1ccaa1b9758dd67e0c9f7675e5090a8216c162090681148a3aeb55a3b8eda0c1ced87179820

Download Submit
memory/3772-16-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-10-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-4-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download
memory/3772-5-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download
memory/3772-9-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-8-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-11-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-15-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-17-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-14-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-1-0x00007FF848FAD000-0x00007FF848FAE000-memory.dmp

Filesize
4KB

Download
memory/3772-0-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download
memory/3772-12-0x00007FF806B30000-0x00007FF806B40000-memory.dmp

Filesize
64KB

Download
memory/3772-18-0x00007FF806B30000-0x00007FF806B40000-memory.dmp

Filesize
64KB

Download
memory/3772-13-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-7-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-6-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-34-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-35-0x00007FF848FAD000-0x00007FF848FAE000-memory.dmp

Filesize
4KB

Download
memory/3772-36-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-37-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/3772-2-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download
memory/3772-3-0x00007FF808F90000-0x00007FF808FA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads