0e78a2fb957ed535df8419efeb6836d27b504181b5ee2f37439934055638d608

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E3-20200929_222100.doc
Size

150KB
MD5

6b3290c1a91c54cc0a16b30a533e7fe3
SHA1

951cb8535ed8f79e2d6e7adddb90763966498303
SHA256

cc309254f3cdd186551c54c300edb3ef4643447a39ab2c10fe91a33a84b45979
SHA512

2a445db2b08163e90e9cc0dea6d55ec765f49e4dd4a853844eb46d1ddd0f98cf9a3857cadfcd90e6801caaa8cf35c350fd3e741a93919af1efdb795ac32d6a35
SSDEEP

3072:+DW9ZcHT9yEgaLE47f4xlP83+lq8GtqzAR:+8ZcB7Lp4X807GoAR

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1916	4756	DW20.EXE	84

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dwwin.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwwin.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4756	WINWORD.EXE
4756	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4756	WINWORD.EXE
4756	WINWORD.EXE
4756	WINWORD.EXE
4756	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4756	WINWORD.EXE
4756	WINWORD.EXE
4756	WINWORD.EXE
4756	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 1916	4756	WINWORD.EXE	88
PID 4756 wrote to memory of 1916	4756	WINWORD.EXE	88
PID 1916 wrote to memory of 1552	1916	DW20.EXE	89
PID 1916 wrote to memory of 1552	1916	DW20.EXE	89

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\E3-20200929_222100.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4724
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 4724
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1916-76-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

Filesize
64KB

Download
memory/1916-73-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

Filesize
64KB

Download
memory/1916-74-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

Filesize
64KB

Download
memory/1916-75-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

Filesize
64KB

Download
memory/4756-15-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-16-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-8-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-7-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-10-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-9-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-12-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-11-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-13-0x00007FFD409B0000-0x00007FFD409C0000-memory.dmp

Filesize
64KB

Download
memory/4756-6-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-1-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

Filesize
64KB

Download
memory/4756-4-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

Filesize
64KB

Download
memory/4756-19-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-20-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-18-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-14-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-17-0x00007FFD409B0000-0x00007FFD409C0000-memory.dmp

Filesize
64KB

Download
memory/4756-30-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-33-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download
memory/4756-5-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

Filesize
64KB

Download
memory/4756-3-0x00007FFD831CD000-0x00007FFD831CE000-memory.dmp

Filesize
4KB

Download
memory/4756-0-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

Filesize
64KB

Download
memory/4756-2-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

Filesize
64KB

Download
memory/4756-77-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

Filesize
2.0MB

Download