Analysis
max time kernel: 133s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2024 12:45
Static task: static1
Behavioral task: behavioral1
  Sample: RICHIESTA_OFFERTA_RDO2400423.docx
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: RICHIESTA_OFFERTA_RDO2400423.docx
  Resource: win10v2004-20240802-en
General
Target: RICHIESTA_OFFERTA_RDO2400423.docx
Size: 264KB
MD5: 5efaab9d9accf59510dafa162e958340
SHA1: 4d2d9082c9e29d7f218feea392e3bb59a0b5719a
SHA256: b5b6a451d04745638c7ecf24dbcc73655bb5942bf63a8da317bd7a6badb8dddf
SHA512: b5e85d750249a1d4415fe29597720b7a7f293e0013d326d43d986cc966a2d12e4273fc66cef0a438be20eecca55be269e51ec13c28ed3e7f6b102d2ade0f9a99
SSDEEP: 6144:syrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOG:fwy2O1c0buXHNXF
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  2420 | WINWORD.EXE
  2420 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WINWORD.EXE
  description | pid | process
  Token: SeAuditPrivilege | 2420 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes: WINWORD.EXE
  pid | process
  2420 | WINWORD.EXE (this row is repeated 8 times)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx" /o ""
  PID: 2420
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 590KB
  MD5: 08d1a4e26971fd55013dbc7d2744b2a5
  SHA1: dd813694fc67b536f242ae7dd3deff14458b82ba
  SHA256: fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc
  SHA512: 3c34748ed68738a24d6c7f1482b4b2f5a26fb6c2a85a1fc0a5303123928fb56974532af9d43b9bb9027558a03be79cf31b48a0c4cb28c41fd833f25e8bb035b6
- Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
- Filesize: 265B
  MD5: 5fc1623354fdbbbbff11c2a2aa132f92
  SHA1: d0d3c0b5a955e67ce2341d3a0cbb6ef0ac79dcc0
  SHA256: d4058c628c70dbf0b45005a0816294305aa04f41e0b7da7e5d2eeb3db7e53184
  SHA512: 09a415dc3374b0adb92ff1af29737c4bcf0b5e4ec3ac72f2de41d5cee6f6b32213f0577f003522593869795846d0aff3caf3321e061f8d98cbb2e58afbd13a6f
- Filesize: 16B
  MD5: d29962abc88624befc0135579ae485ec
  SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
  SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
  SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f