9e69d44ac094cb6148a2f76c3af9e98795961e4f3092156adf2f9f3f02d5b162

Analysis

max time kernel
133s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e69d44ac094cb6148a2f76c3af9e98795961e4f3092156adf2f9f3f02d5b162.rtf
Size

89KB
MD5

db14a63f71b27da34d0f221d87ac1291
SHA1

29249b89a4ccf8b4df4c4888ae458ac6a061778e
SHA256

9e69d44ac094cb6148a2f76c3af9e98795961e4f3092156adf2f9f3f02d5b162
SHA512

8b41bc9659ada2583371a652879ab893264fef3c84a4f64af51f5bf8934b28c3a94cf258e236853b4c8e3ac01f34beb539a0c61331a14ac1818dd91d27a8d114
SSDEEP

384:Dc8eDL2RPGW9cNNwKuE0MAidWe2onXYCqWzhwnC2ibxiW9KbFRDT+Raxt/Q:Dc8XPoN+KuUxLE2eTpQ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3620	WINWORD.EXE
3620	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3620	WINWORD.EXE
3620	WINWORD.EXE
3620	WINWORD.EXE
3620	WINWORD.EXE
3620	WINWORD.EXE
3620	WINWORD.EXE
3620	WINWORD.EXE
3620	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9e69d44ac094cb6148a2f76c3af9e98795961e4f3092156adf2f9f3f02d5b162.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD4C6D.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
3a635f4a2a42717b12d42359371e08a6

SHA1
4cfc4dd02093e606b86bda662a6d3b54d4129549

SHA256
285ba6444ad4dd90c61d9f8b9b727949506c46f58cce83bf2d54fdc7ccfc5b20

SHA512
313ffc71940e597bb3d2527679e8cfa0388f256f6ae6d8a2d5dbd0ff001d731e86da8bde6d7a4abc6ff84741f89339c1d4f92bde65e74e47a2e807eb96da1128

Download Submit
memory/3620-12-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-9-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-0-0x00007FF9B3950000-0x00007FF9B3960000-memory.dmp

Filesize
64KB

Download
memory/3620-5-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-6-0x00007FF9B3950000-0x00007FF9B3960000-memory.dmp

Filesize
64KB

Download
memory/3620-8-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-7-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-11-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-14-0x00007FF9B1540000-0x00007FF9B1550000-memory.dmp

Filesize
64KB

Download
memory/3620-13-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-4-0x00007FF9B3950000-0x00007FF9B3960000-memory.dmp

Filesize
64KB

Download
memory/3620-1-0x00007FF9B3950000-0x00007FF9B3960000-memory.dmp

Filesize
64KB

Download
memory/3620-10-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-16-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-17-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-19-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-20-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-21-0x00007FF9B1540000-0x00007FF9B1550000-memory.dmp

Filesize
64KB

Download
memory/3620-18-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-15-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-33-0x00007FF9F38D0000-0x00007FF9F3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-3-0x00007FF9F396D000-0x00007FF9F396E000-memory.dmp

Filesize
4KB

Download
memory/3620-2-0x00007FF9B3950000-0x00007FF9B3960000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads