0d2550dd62ff770b199e1843e64d433c426fc7412c2602956b56567fd41806c4

Analysis

max time kernel
133s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

安天/附件/人大信访系统绕过登录后台文件上传导致getshell漏洞_142937_L_72597_2Dw9vBqw_0day省人大.docx
Size

1.7MB
MD5

f8151912223b907f334bacb0ad8db3c5
SHA1

955dca6f5cac7d4bb7d2149a8ef892c73b2f7d97
SHA256

2ff71883086944d037a74ce1e4773dd8d5467b7d42b76dc46955bad0f0e720d6
SHA512

0a7f6ed8e96e7ab9064beea97672b16062febb05284b11c776dec252533c6d0b8a0ddc161a39e7481f9d832d4a0e2d2a9a7b68cffecb313783ed26873968a1b4
SSDEEP

49152:skvPigQZ5wCRGAqH99xfE1Ipie4kfXbRGfEOgOyYa:sk3OZVRGnH99xkPMXb0t8n

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2624	WINWORD.EXE
2624	WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2624	WINWORD.EXE
2624	WINWORD.EXE
2624	WINWORD.EXE
2624	WINWORD.EXE
2624	WINWORD.EXE
2624	WINWORD.EXE
2624	WINWORD.EXE
2624	WINWORD.EXE
2624	WINWORD.EXE
2624	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\安天\附件\人大信访系统绕过登录后台文件上传导致getshell漏洞_142937_L_72597_2Dw9vBqw_0day省人大.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3684CEB5.emf

Filesize
7KB

MD5
80d11e6b0ac15f72e13c9142e167bded

SHA1
6912c30bb5bbbfecab75a471f4fc05c53a08549e

SHA256
c7320e743b28dc042c0c2468908c0ea1fce91c4e7f23738d3694356b3a039cb0

SHA512
b8d36f614d01c8fa3ff74be984c0cf7e503c7b329c775447e56d271731dd6b37bf836c121fd384110e166b0e0468a43ffdeaad456d1fd6e492ec1ebe47d9e988

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD5B23.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
8d4038c19f1485a24be91ad74a85a618

SHA1
16b174af495ebf032d8ef7190e42982ea4843763

SHA256
cd3d7fe9de9bc75e8956800c22a57e0371184f60157d5c2adab9271155deb715

SHA512
ee49fcb6e051bd977de2f9330f7147691a8262f7fd241f5cf92a3a1cbbf607f3c94721378408c340da88404ab8ba9d850a13497ee240499ff9c568039e056782

Download Submit
memory/2624-11-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-16-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-8-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-1-0x00007FFB5F2ED000-0x00007FFB5F2EE000-memory.dmp

Filesize
4KB

Download
memory/2624-10-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-9-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-7-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-12-0x00007FFB1C970000-0x00007FFB1C980000-memory.dmp

Filesize
64KB

Download
memory/2624-14-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-17-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-19-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-20-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-18-0x00007FFB1C970000-0x00007FFB1C980000-memory.dmp

Filesize
64KB

Download
memory/2624-4-0x00007FFB1F2D0000-0x00007FFB1F2E0000-memory.dmp

Filesize
64KB

Download
memory/2624-15-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-13-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-6-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-3-0x00007FFB1F2D0000-0x00007FFB1F2E0000-memory.dmp

Filesize
64KB

Download
memory/2624-5-0x00007FFB1F2D0000-0x00007FFB1F2E0000-memory.dmp

Filesize
64KB

Download
memory/2624-62-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-64-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-63-0x00007FFB5F2ED000-0x00007FFB5F2EE000-memory.dmp

Filesize
4KB

Download
memory/2624-65-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-66-0x00007FFB5F250000-0x00007FFB5F445000-memory.dmp

Filesize
2.0MB

Download
memory/2624-2-0x00007FFB1F2D0000-0x00007FFB1F2E0000-memory.dmp

Filesize
64KB

Download
memory/2624-0-0x00007FFB1F2D0000-0x00007FFB1F2E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads