6ade703e01e1f599ca3e5686760aa1c200d975df13ed50bf829bbd1fa5e74113

Analysis

max time kernel
47s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ade703e01e1f599ca3e5686760aa1c200d975df13ed50bf829bbd1fa5e74113.doc
Size

222KB
MD5

1a9d520dd9a594a0e27bd75e0bed8fd6
SHA1

a55f6eb53742665288bb6691e686ff98771f8b84
SHA256

6ade703e01e1f599ca3e5686760aa1c200d975df13ed50bf829bbd1fa5e74113
SHA512

def5c37116a35172b8f786ad31f2b9f0523d93e7897805a3674d98c92cca7205bb94a5682aa3b6f5bed6e76d0a8584221db1b536bba5140764411b6aac83384f
SSDEEP

3072:zVIfFuR6AqFMa2fL3NtkWL90y7K4mlQCww7zDTW6HNRn0nPmaw:zVIf8RsOtZclptz78Pk

Score

4^/10

defense_evasion

Malware Config

Signatures

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{4230BF66-58D0-4A3E-ADAB-4B8E0A2C8016}\8tr.exe:Zone.Identifier	WINWORD.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{4230BF66-58D0-4A3E-ADAB-4B8E0A2C8016}\8tr.exe:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2888	WINWORD.EXE
2888	WINWORD.EXE
2864	WINWORD.EXE

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE
2864	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2316	2888	WINWORD.EXE	87
PID 2888 wrote to memory of 2316	2888	WINWORD.EXE	87

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6ade703e01e1f599ca3e5686760aa1c200d975df13ed50bf829bbd1fa5e74113.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2316

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
b972dd67952580fcaf7d49802d206a55

SHA1
386c6729fb12a5e796bc70518b41ece5f5a58165

SHA256
96ecc543a87a4a5ef2f69a1200a64ff12e34a8e660a12e568be97c9f114e9eb2

SHA512
0e74929d46c1455043104117cca1c05a63e857987e73990a5cdbb3c10cfc0985d9df3b0bbdac4befe8b796d19f602c1487411250373d7d5b1af30e4fdca3d4cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
3d06a952da2fd5ef113542b9c8422405

SHA1
4ccba16406f774a17a718a292d3ae6793221c6e0

SHA256
9b992e1835fac37b6d6b7de56b1e25bf9c80baac8a213f4867c1a40cbf81eb89

SHA512
d6d3bef687f1c7697d1f8a7225082aa71d1f79b47da6f3470cc79c9da3c32488abb57fa2933c554714d436f88b68cb63579000408698ff974ecf59e72724a6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4FB88EED-5585-4560-8D43-691625D9CCF1

Filesize
172KB

MD5
261615c021f5cf4b03b022bd503d149a

SHA1
2c159b30990ce9fb704cf9d6e7cddaa859f64818

SHA256
a3da0c917aea7ce67fae31863de1aa9296c5c2708625e33e69225942d924597e

SHA512
96a7ecd589325adae8936b1f71f254145961b82aef83a3452bcf2f638880ed374456524dd7d1473945cbc59d41f1d45b63034a5166f3e1d486b368c5e77a2980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
73a70c5b052bcbd1da29732963a33308

SHA1
263f256ec61726693b27cbabf664995b48e51522

SHA256
c72b24167ef491ffb68e0cbe81435679d325689811b45e0f53e05cc18ea7b701

SHA512
4f638976d0988a4d1ed489d1a41d10381e18d4705ac5c269fdac2c4c13704ac7fbfd7660a43afe8953a13a98cd477c8ff1fb3832d0832ffd2d31cf8475c03c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
5114adeaddde0979d6856d0358585384

SHA1
e75125df475093d4a26717e1729a1ffbbd22ef4e

SHA256
d0cc84fa66a4b20792bb6fc13942dc444eca69508d84956f03667fb05cc120ee

SHA512
5be764e445b1f1853752244c173cc17e75e5a7cc1a181e3153a96f9f8bcfdc6e4c946527a864dcfcd0553910755b3c4ae1e062f9de270605dd87893a073813b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
bf1bb17d98f30b558e831cb0ab03212b

SHA1
1f09d8d83785c5f2a7c2a7ff7f722a97515f8ddc

SHA256
3bfb4851bcf3f229f10f1ff39a03b60207d85bee045820e57d02082cd7aae05a

SHA512
046646b71bdd58bc15148c7d3d2515aae5a9949b5e9c7d617203535b521262fe19686a8c1e0b13046517b39083e7212af6ffcc91d86486e4bd995280b3c1553b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
7554c7288ae334b34e26e0990a4f86c6

SHA1
0b80035fae47ded6210be691beed3f34935e3f6a

SHA256
dd0b32d29ad0f34e77e58ee652764fb8e380a1afb66f9188179d521218bf9642

SHA512
61039811724a23e6c0a2765edc38a56f5d1214551ae2679e0b28d17da1823da68c5deb59a2d77c1d38203ce235717646d2439ceb8fb4e004bfaeb4102d50f4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\475197BB.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDF18A.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
816KB

MD5
dfa92b235e1d6930e74141c5c604cb9b

SHA1
d2e3aa018347e9d3585c0f1bf90d80f87ca2172c

SHA256
317b547bd7cbb250b7bb9e414069017076e06b98dfd5d38a73b9417710c48cae

SHA512
625a8a0ddd7638bc4c5393f564f7f5bd2670cc071b634518c7f66f18453ed9d77280ee9a23f85584e6177060e94077fd180f8317938e773582a9b98a9f71d669

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
2beb3e202f324c4ae9e8abe37ca81fb9

SHA1
6c8660c6e34b90d3241f5ef6d7140f17b097da7f

SHA256
06a73b7c5bd1c95451771fabfad5e93f1ed274c95b85a0d9323d9085a71be47e

SHA512
26b32c2ce4e67e8988e6263c8d36a4703064f17352bf981c45f2f7dc9feb8b73c7600e53398a5bda90844930eb3313f25bb21f6e9f63fc25b5e93553dc3a0573

Download Submit
memory/2864-180-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/2864-177-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/2864-179-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/2864-178-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/2888-59-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-144-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-0-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/2888-19-0x00007FFF9DD30000-0x00007FFF9DD40000-memory.dmp

Filesize
64KB

Download
memory/2888-1-0x00007FFFE056D000-0x00007FFFE056E000-memory.dmp

Filesize
4KB

Download
memory/2888-4-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/2888-10-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-11-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-17-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-18-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-16-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-14-0x00007FFF9DD30000-0x00007FFF9DD40000-memory.dmp

Filesize
64KB

Download
memory/2888-141-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-2-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/2888-143-0x00007FFFE056D000-0x00007FFFE056E000-memory.dmp

Filesize
4KB

Download
memory/2888-15-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-12-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-13-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-6-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-7-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-8-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-181-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-9-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-5-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download
memory/2888-188-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

Filesize
2.0MB

Download
memory/2888-3-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads