1a65c42dcc0f217a5d4b06b7655d3958db5e33abf4fc6bfdbf88a1fdfcc4eeb2

Analysis

max time kernel
47s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a65c42dcc0f217a5d4b06b7655d3958db5e33abf4fc6bfdbf88a1fdfcc4eeb2.doc
Size

222KB
MD5

202fe901eec6ef893f5f8d86528e5d54
SHA1

1ded84a8c931c682d21fbc3c5802eff21e336f0e
SHA256

1a65c42dcc0f217a5d4b06b7655d3958db5e33abf4fc6bfdbf88a1fdfcc4eeb2
SHA512

13f64d4af37a5f19526384113a587c690fea24fb05307c15a81125ff5b34c05b08eb27b88f67fcde470c3ebfa172f95f817f5c73252744bc81932496380c88b1
SSDEEP

3072:zVIfFuR6AqFMa2fL3NtkWL90y7K4mlQCww7zDTW6HNRn0nPmaw:zVIf8RsOtZclptz78Pk

Score

4^/10

defense_evasion

Malware Config

Signatures

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{9955B8A9-1539-4EFF-8906-5852D2B2CD79}\8tr.exe:Zone.Identifier	WINWORD.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{9955B8A9-1539-4EFF-8906-5852D2B2CD79}\8tr.exe:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4496	WINWORD.EXE
4496	WINWORD.EXE
1468	WINWORD.EXE

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 836	4496	WINWORD.EXE	87
PID 4496 wrote to memory of 836	4496	WINWORD.EXE	87

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1a65c42dcc0f217a5d4b06b7655d3958db5e33abf4fc6bfdbf88a1fdfcc4eeb2.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:836

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
b972dd67952580fcaf7d49802d206a55

SHA1
386c6729fb12a5e796bc70518b41ece5f5a58165

SHA256
96ecc543a87a4a5ef2f69a1200a64ff12e34a8e660a12e568be97c9f114e9eb2

SHA512
0e74929d46c1455043104117cca1c05a63e857987e73990a5cdbb3c10cfc0985d9df3b0bbdac4befe8b796d19f602c1487411250373d7d5b1af30e4fdca3d4cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
aa97e3b84bb909a95a982d6ae99f394a

SHA1
6ea2fc1850b1e7c4715058f2b2aff2b7ba78a9c4

SHA256
7df718b8151c57c5603f098d29743c402d0ca1863c9d631e42d4b69d3f4b5d32

SHA512
d7983d689bdfe3b55763552025be77c9259208477f55421ebd3f860e70d2c285549bbeb81d4ab05d5c9f4734d890927897528013be902c95f46a481e40712329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0D725AD8-4AC5-4A8C-BF09-47A2B87DFFD5

Filesize
172KB

MD5
8135a91972eaa3a8235d1dfc3eddf105

SHA1
d84babcdc8f742f5661b91eef198b725d36489d7

SHA256
f19962df528002ac68bc3804100c4a8a6c46f5bcafd3e45648ff7e759c14c8af

SHA512
acc3e8fedad3b63403c4a470d23c33fbfc7093fcf6a5f10e6489fdd94de90f41fb427b070c03d8024d6e6011ea01d5841174da42bd11d623cb8e3179e19dbadf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
30164b60a113fcc0bebe3b38937b11da

SHA1
10a870a975725b56b49e66f5041291b606744700

SHA256
02f0aec52c95ff84b9e3de135f4bd5076e9230136f72b73aaf77824bc18bfb60

SHA512
7372c90a413d9d54a51b461ffad213f57906074c6e4b12079bc9411105cb6758d327e2cc5ece25ae9a1d97c43caa77b995099c4086f827b5d5fca17ff3dd649f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
76a46669cd2b30165f4209acb22017f0

SHA1
de2a7a5f3d6b96c56c0a341a59ea8a71b87e5515

SHA256
5b55ec2b5ce46fcbd6bb56865685cf8e4a229b7fc6836d1f511d66536b678f18

SHA512
db9a8d58195d0b6398df0fcf6a9e003cc4d7bab54736459043aef6959558e4a4fd01be2a6b6e07269789f587fbc39b768fd04cdcc84340dd64f198335e2714e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
063eb6737589b4d02702cabe16abb270

SHA1
eab3382ab3215077795e329c7d0c6d29d77e9123

SHA256
9b4df4a2228f23816acf633f6691be7f710a184a3948461eafb655ef00f6fe94

SHA512
08158b59352cbf0ca017e9b2cdb78f69ad975c2541ac1c0b001e02f37a3e0328409184b6d9d9a0c69ae884c3be146f3d24e8ea427a0fdc36c6c274f64ed2a4d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
254236566694b30087e2bee902b47017

SHA1
2a9652bbd166eb0a0a618fee21d3d9628622d09b

SHA256
44b1eac89b5fefdac0b604164e44bf5d46066d41c6a3e16f8d35d8e41a03ccad

SHA512
3d5ceff3b0595268d719101da153bbeb06d2dfed628f152289b2ef533da2751a44682c14885bdb8b63729124f4194f56b1f9d2a11753254403fdbec8898fdaaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2D822205.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDE0BC.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
816KB

MD5
094161ce8407dbe8f82c301e168d7ec6

SHA1
acaf83d591e4bb42149b65ba31f09b1838c55199

SHA256
816ca0d178c917ca62e32b8c8d6f7c3b4108844ea36f74e21d8f9bbd32c648fc

SHA512
57ef5f3f8f63cdea6db48c0475a7add185121a0bfe48ed20198f9e89944cdcb871af8117702affa1227cc868ec65a294f90c073dbe3230fce6fb3d1af277f1dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
1c3fd46cba74a416843ca7962f23cb7c

SHA1
b6fe35f47b807b1e4aa1f8c37ce26fe22f3fa7de

SHA256
a2e10d359486213e214ace85135e505ad4f6765646a9110e4c6ef50298f0fa7c

SHA512
e4b4db7a2a978f27ebb180987a9fc9463c659e5ff07d718375ebe15b780300c4c79172855e2a5389aa51faea8b9ab7c4980c092e2b961fae681096643266b3cf

Download Submit
memory/1468-179-0x00007FF9678B0000-0x00007FF9678C0000-memory.dmp

Filesize
64KB

Download
memory/1468-182-0x00007FF9678B0000-0x00007FF9678C0000-memory.dmp

Filesize
64KB

Download
memory/1468-181-0x00007FF9678B0000-0x00007FF9678C0000-memory.dmp

Filesize
64KB

Download
memory/1468-180-0x00007FF9678B0000-0x00007FF9678C0000-memory.dmp

Filesize
64KB

Download
memory/4496-6-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-10-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-19-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-18-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-16-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-13-0x00007FF9650C0000-0x00007FF9650D0000-memory.dmp

Filesize
64KB

Download
memory/4496-7-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-1-0x00007FF9A78CD000-0x00007FF9A78CE000-memory.dmp

Filesize
4KB

Download
memory/4496-47-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-21-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-20-0x00007FF9650C0000-0x00007FF9650D0000-memory.dmp

Filesize
64KB

Download
memory/4496-17-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-15-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-14-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-9-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-22-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-140-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-144-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-143-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-142-0x00007FF9A78CD000-0x00007FF9A78CE000-memory.dmp

Filesize
4KB

Download
memory/4496-145-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-11-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-12-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-167-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-8-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-5-0x00007FF9678B0000-0x00007FF9678C0000-memory.dmp

Filesize
64KB

Download
memory/4496-2-0x00007FF9678B0000-0x00007FF9678C0000-memory.dmp

Filesize
64KB

Download
memory/4496-4-0x00007FF9678B0000-0x00007FF9678C0000-memory.dmp

Filesize
64KB

Download
memory/4496-3-0x00007FF9678B0000-0x00007FF9678C0000-memory.dmp

Filesize
64KB

Download
memory/4496-188-0x00007FF9A7830000-0x00007FF9A7A25000-memory.dmp

Filesize
2.0MB

Download
memory/4496-0-0x00007FF9678B0000-0x00007FF9678C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads