685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac

Analysis

max time kernel
46s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac.doc
Size

250KB
MD5

5fd8c0a425255c3eb8972a3e2d5ad810
SHA1

fbc67cb81231a53bb9fef7b4c2e92d5c670b9625
SHA256

685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac
SHA512

4acc1138e1b1c04bc20a35871d72c5838e0ca5af75b6e435fd6e304e3dd40ba0fa6a7a4b9ae96aec4318c6cb327f416b83bdf1c24b6a713dd4a2f2eb5da48720
SSDEEP

3072:1VIf+rqpDAoBxgfWsopbVTd5E8SNolOW1NN2e08CeVA4Rjt:1VIfEMDAoBxHpZ08SEjtZ

Score

4^/10

defense_evasion

Malware Config

Signatures

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{E00FFB95-FA70-4278-92C4-4C26026904BD}\pm1.exe:Zone.Identifier	WINWORD.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{E00FFB95-FA70-4278-92C4-4C26026904BD}\pm1.exe:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2640	WINWORD.EXE
2640	WINWORD.EXE
3076	WINWORD.EXE

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2640	WINWORD.EXE
2640	WINWORD.EXE
2640	WINWORD.EXE
2640	WINWORD.EXE
2640	WINWORD.EXE
2640	WINWORD.EXE
2640	WINWORD.EXE
2640	WINWORD.EXE
2640	WINWORD.EXE
2640	WINWORD.EXE
2640	WINWORD.EXE
2640	WINWORD.EXE
2640	WINWORD.EXE
3076	WINWORD.EXE
3076	WINWORD.EXE
3076	WINWORD.EXE
3076	WINWORD.EXE
3076	WINWORD.EXE
3076	WINWORD.EXE
3076	WINWORD.EXE
3076	WINWORD.EXE
3076	WINWORD.EXE
3076	WINWORD.EXE
3076	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 4156	2640	WINWORD.EXE	83
PID 2640 wrote to memory of 4156	2640	WINWORD.EXE	83

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4156

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
bb71b013e563b7ae869761fe2b37c4e5

SHA1
f8e1fc825c466058acc909f5c4f1ffc640b87779

SHA256
114eb2409b821e694df21047f77fb8b36d212d2c4766ac8abf6814d6d594a274

SHA512
7bbc40233ccd7f4ac97eb1646001eca79fbad892f45de131047e8a1a8c07196dc6ee1eb11aab56f87f29c40c24273ec63db132260cacdd83546709bf0ce5d3ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
2421f8d6c82e5026e3b4ed6fc3086d27

SHA1
b3ae9e28a7038662d5886e482b3488b2e2647aa9

SHA256
18462bf86bde1db9cd2918e44547fbef2f09a41e959e85f6f975fb34fefbd25e

SHA512
9892f5d7b629693625ac2d85634285d62c35119547144b24d607961775932c6df3589a4ab3f649a13ec6db381ce617e1aaa067087007bbfad3f144c921f47783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B0EA2750-57E6-423C-A601-E9FC914DF99C

Filesize
176KB

MD5
9ae38827dfb79bfed7fa1f4e04d56659

SHA1
596cf16da5c77771dcac6f61b40d4857afa3d1fd

SHA256
df83155ed2e324b349b636118e0bb801732094190661fd81050ba3055fe123f9

SHA512
b0ee5efa73e1b85d3efd40951240bf71f99d95990dc580a7cd177730febf5f1519036fac80d15bc0d8472e8b9de84e3b6e3209ff2b604f11ae80e1e347a3503d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
149a10b307bdc64c04097edae8070d52

SHA1
8bad3b1bbc1d43481467178fe643acd835c790e1

SHA256
860d72e759c415dd8dbebbdbb9c85d9ff60dc5eef0a2d9cb43df0ecf3535cf2f

SHA512
cfb57c6d9d5372602d20efd7ecb347a1925b1e5f59d1acdc6b42affd37073e7deacabfcbec0314311870eed1a8f897f8ade58574eb48ef1df22974c3226063d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
f1bc0140c073c3dd2eea52d95b6fe06c

SHA1
67af3636e658b66fff7b1011510a5ec3cda52ee0

SHA256
44eac827ba0984cae6322df175241d6a5711180b26e34fef24f8f6ad04fe5951

SHA512
da3d0fef9b60eedd0e0fd8970b959bda9258bff7f4ee116f649b57bf4cf3516992de65da8e90973c2208b49e89b24023e03ace59303d186a3c174451be7cf799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
e3d38950f7bd331cfea331a7394e00ac

SHA1
f10fd4a9d8bbe31ac222bc737285d9f8434862a7

SHA256
b0ec6233e52b4e5c80eb34569bdc7b0c93d6a85fcb0c4859f920de56ce5ffb73

SHA512
10e3e9dad6bec96a9f190c83cd9eab74dde1f40e78280037825922301b7b5bce71fbf8c20965f6c74017ccb3f5670febab1010620cba8e209f93f9b42371380d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
ad52f46ca2679fb231a0bea3443f34a9

SHA1
6b8b41db5667c0c488a8e1058e8b6b12ed1c2957

SHA256
da9f399d049f4af454e5abc37b6c6787bbd29d6ecfc86deb11c81784b8a2ae74

SHA512
5cda730b6c94dcd7273b14bfa10ddc775caaf02c767f6cc12936ed136456de9910d27b88423153f704f40731f80b75b0950c96ef622f88fa15bb025d6a03808d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7AA5C871.emf

Filesize
5KB

MD5
b723ca9637677e7803c126c2e40154f3

SHA1
d99104c8c5445c85601f2215e3ee006506bbf982

SHA256
036064e258892f1692a42304d504d8c1de9f3396462d6974a855571ffe598d01

SHA512
71695eee3390e2ebd27873eb3639cd3faa7c4f8c0e42e347e7f7c67acf113cd128e24049bf42902d3c049925bac4ab9cf9aabc445483579ba9b30587068a582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\322.rtf

Filesize
873KB

MD5
f20ee51cb23511c90982ea6c1010f0b6

SHA1
dba3f83ff82c399c344f4bd94c94615b61e39425

SHA256
4f59cb0e77bb664d267a8f38815c982cef383ed0a4d9a45e775c23c7834c6b66

SHA512
d0dced8d0fae0155314c9c4f1f1071e695fb19bb86a66de60a4c368306be7f9fb22d1b89e26aac9f666caa273ddf99701c252a5f06500f9cbc86d5d6103b2bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDBDD6.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
1293f8a436a033bc98040b304c4f6642

SHA1
b6f5a5525312ea57502e3cf9784daf6b0ea27260

SHA256
87c5a4e41277b59415543502afa1ea7f5e72c840242e04eb1773a8b0efd734e3

SHA512
0e341bad47799d5acfd7c000392faecad3c16055a428af0bf2e795544bddf075984e4b8341161fdb57c4576720ccf90576eedc47a30d171e1154ffd0933fc738

Download Submit
memory/2640-5-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-8-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download
memory/2640-19-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-20-0x00007FFCB4910000-0x00007FFCB4920000-memory.dmp

Filesize
64KB

Download
memory/2640-18-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-17-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-16-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-9-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-1-0x00007FFCF728D000-0x00007FFCF728E000-memory.dmp

Filesize
4KB

Download
memory/2640-44-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-15-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-14-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-13-0x00007FFCB4910000-0x00007FFCB4920000-memory.dmp

Filesize
64KB

Download
memory/2640-12-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-11-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-10-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-6-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download
memory/2640-151-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-171-0x00007FFCF728D000-0x00007FFCF728E000-memory.dmp

Filesize
4KB

Download
memory/2640-172-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-7-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-4-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-185-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-3-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download
memory/2640-2-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download
memory/2640-0-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download
memory/2640-194-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/3076-192-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download
memory/3076-191-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download
memory/3076-193-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download
memory/3076-190-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads