Analysis
-
max time kernel
141s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-10-2024 12:55
Static task
static1
Behavioral task
behavioral1
Sample
Purchase order Coloplast AS RFQ 10059170.docx
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Purchase order Coloplast AS RFQ 10059170.docx
Resource
win10v2004-20241007-en
General
-
Target
Purchase order Coloplast AS RFQ 10059170.docx
-
Size
458KB
-
MD5
b95c7303672b29595e704b80697dec29
-
SHA1
62e5567be424853e5f5e72c8d82c077fb5185812
-
SHA256
6e53e98fc01dd05fd91f377afadd8b75a6396958986ea211d879a4e3c713f323
-
SHA512
e9da95e3a678b1f49bac3a3e06065bdd0a9734daab356ad57ac8102a03697fc7a2edcb26c2f32bc948dfc76befe3c291e57b640c7f7fd999730c8f11b29d2838
-
SSDEEP
6144:p1bUb0cVLNEzYvRSPlaMXKaAi69qltTGSmNZ509tmYL6qoPQ7tmYB/l2mDlJjAIz:1kF5SPMM6I9X4X69mrm9Bt2mhW8G0Y6
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4496 WINWORD.EXE 4496 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeAuditPrivilege 4496 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 4496 WINWORD.EXE 4496 WINWORD.EXE 4496 WINWORD.EXE 4496 WINWORD.EXE 4496 WINWORD.EXE 4496 WINWORD.EXE 4496 WINWORD.EXE 4496 WINWORD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase order Coloplast AS RFQ 10059170.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4496
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
878KB
MD5cb3af2d8ca17af3ac5f9522f114236a3
SHA1b113356582cf12ea715873bcdbeddc2e0e4fe96b
SHA2560afff6f8e9f46c3b8306e86b4fc5f6951d6cb6fc7a3d0021ac4bbb0479af3efd
SHA512ee3bc7e1f5b85aaf7286bf90189de6d44ad6ac1a8aeee72600b83a54ecd53977d9166ce0ec90c13b61608d5d790e2fe88d05d093003076bf9413c74fb9f1f45b
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
447B
MD5df46d0a65fc3240d44173d3432cf97aa
SHA13e409dab0e8adb2a26a0b1f7cab9d86c70840406
SHA2561449db034c4d17d63a7348fc6088ca030c7eeddae5942a460fed2e5cfdd76954
SHA5126f11eda33f6130b39867b5f102131523c3d7bd8d5c89c18492c87f15b17793b434f08bae45f6beb8bc750632c88f55f88ee60b34f2ab0675e4a73a6bab197db5
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize674B
MD5298353ea13bd9f55557ac57f71e798c7
SHA1d816ce0c4d73891897b620ec11cd3795340dbf5b
SHA256714457b35085457cde456efb2430ed9663a2207fb93f568e56be6571deffaefd
SHA512293eac14644a1a7fd21905514c3933458c545de4f65dd7a01633b0c926335470770eef13d21078248cec63cc4bc41bf02aa3c34315097a03a066022198799f9e