685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac.doc
Size

250KB
MD5

5fd8c0a425255c3eb8972a3e2d5ad810
SHA1

fbc67cb81231a53bb9fef7b4c2e92d5c670b9625
SHA256

685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac
SHA512

4acc1138e1b1c04bc20a35871d72c5838e0ca5af75b6e435fd6e304e3dd40ba0fa6a7a4b9ae96aec4318c6cb327f416b83bdf1c24b6a713dd4a2f2eb5da48720
SSDEEP

3072:1VIf+rqpDAoBxgfWsopbVTd5E8SNolOW1NN2e08CeVA4Rjt:1VIfEMDAoBxHpZ08SEjtZ

Score

4^/10

defense_evasion

Malware Config

Signatures

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{4D99D00F-526A-4FD0-A4BC-B3A262E103C9}\pm1.exe:Zone.Identifier	WINWORD.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{4D99D00F-526A-4FD0-A4BC-B3A262E103C9}\pm1.exe:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2524	WINWORD.EXE
2524	WINWORD.EXE
3508	WINWORD.EXE

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
3508	WINWORD.EXE
3508	WINWORD.EXE
3508	WINWORD.EXE
3508	WINWORD.EXE
3508	WINWORD.EXE
3508	WINWORD.EXE
3508	WINWORD.EXE
3508	WINWORD.EXE
3508	WINWORD.EXE
3508	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 5048	2524	WINWORD.EXE	86
PID 2524 wrote to memory of 5048	2524	WINWORD.EXE	86

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\685630bc62de6b7700f0370419e102fed425f60e764c2a76473336a0f6f2c7ac.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:5048

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
36ce87aa90710b7502f69482b83e4bc9

SHA1
53c589e1d5957f93f3905395fbd62b828ed224cb

SHA256
5b4dff4fa64ffe275aeb3e502beb9d3302840e81fdca4ea607f867b423a485e6

SHA512
25e1f38bd0519eb0d9985035f0f79cd7138779639be5a453a7672b1529b1da20c5eab7efd08c3778728858b7280ecda5932f619c1c1aa73804636c8206866423

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
20a67c7834986a08365955be737993be

SHA1
4d32e9c656df6a64d3b123656a44e1e0451b6891

SHA256
5f4e308022006f502bc478a44025eae802cbdcdbc0302236c012dad4767d1799

SHA512
27a72f095eee107bdf4a5d16eb54db26bc56d45d7aab9c742fcad9931b523a023f17d51238e6c12414400abb80ad7dbc99ae3af563fcac54977355dbb7b66a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\173E044C-99D0-4B1F-9B34-68AEEA4354E1

Filesize
176KB

MD5
56dc767369bfbffce3c8c1001682c889

SHA1
4ffa7dfc2c317ccd8bd87e674c40343668b4b185

SHA256
2a8d0ef5c020de018648fdbfecef6f6101feb202c2fed3894116e2197f1cb242

SHA512
3d67e6bc679854c1dfe75e6e947632fc9e2fb2b59d083b914190f1fa8d46e4d1b310f4805f3509078a1262caac12d73804fe1a04b02ad04c9a129afa1e87ad9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
31989646ee011ef85e622872e55cc714

SHA1
d35562d2969c3cd721c8e9c75edc94ce26cba507

SHA256
9e751d7ac16396857f51a7f1d6822691e66b4af9a36af56bde7829c67104f5c3

SHA512
7d7be95c17a5bdad865d680b0af31b73e5f11e7e97d063e9e55c5b632d9884099fc3cd989ee522dcd0530a2d939678bb006401271ad5b3d28dc202c06a23c441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
04c470b06d5f30166e4feb5363ff1886

SHA1
7f4eab5c346755c33663b660dbe2cf494c03b4bd

SHA256
2fe0f274f5c2774bf88a3c80dfd80ba94051a85f4d0d40182c75b8d32f4286bd

SHA512
553e91b1feee71a578b146ad7fb1c21d383f689ad5010377627c30ac70ca9dd3a076ee0788c46d011f259242081ce9872a6aec0becfa9f729e2bd2f1e057029d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
af8c53edf20c06f858f42d9cf743d02f

SHA1
e1349def017c3d0a540fcca78f61a39d810962a5

SHA256
641b600558bb79ed21c2981e7ca60f0697e9c49e73cee5a4cf8c1a1576ff7383

SHA512
ad27aa2f0b485dee592481ce43922029e43bb4d78a651ad53c64de67ab1fd0fa954f0540da3d9e3493fe8ac56644ddb526d95b6a7180a238a05ab57920f45f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
335ff687180a995f33ce1cbb3debed6d

SHA1
5df6a3e081bdb1983b6cd87bfa1f1e1bc5fa71d9

SHA256
b70a1ea77074533270eff04ebdb991752a5339b392740b814c7e1745a7288562

SHA512
69c3da837a51d9dfc3ee5864d26a2659e1ccaa118ca97ce4b613020fe6d3c5e091489cba853f21eaeda2ef0ee1797ae86fd70f0ba0e8c7ae35f15d4962bf8292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F42F77D1.emf

Filesize
5KB

MD5
b723ca9637677e7803c126c2e40154f3

SHA1
d99104c8c5445c85601f2215e3ee006506bbf982

SHA256
036064e258892f1692a42304d504d8c1de9f3396462d6974a855571ffe598d01

SHA512
71695eee3390e2ebd27873eb3639cd3faa7c4f8c0e42e347e7f7c67acf113cd128e24049bf42902d3c049925bac4ab9cf9aabc445483579ba9b30587068a582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\322.rtf

Filesize
873KB

MD5
192065067d2487c45894296e29a21eb6

SHA1
f5a2de7c304182e6375d43cdf9b70b0cd38df7f8

SHA256
db79e5d34431ad136cf7a6b16b30eb6bf8c44158f16a707a17b4b3c6e3a21e3d

SHA512
9304f0a15d5294b277bdb192a45070c86307ba87a4b93a3e4496a2775a844ce871c86db68d18fecebe7156074953b83cba8e1565999a2d8a22d78d283bb10ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDB8DC.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
memory/2524-12-0x00007FFB1ED00000-0x00007FFB1ED10000-memory.dmp

Filesize
64KB

Download
memory/2524-11-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/2524-17-0x00007FFB1ED00000-0x00007FFB1ED10000-memory.dmp

Filesize
64KB

Download
memory/2524-18-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/2524-16-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/2524-8-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/2524-7-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/2524-6-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/2524-64-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/2524-15-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/2524-13-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/2524-3-0x00007FFB60F0D000-0x00007FFB60F0E000-memory.dmp

Filesize
4KB

Download
memory/2524-9-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/2524-14-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/2524-10-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/2524-5-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download
memory/2524-4-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download
memory/2524-154-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/2524-2-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download
memory/2524-0-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download
memory/2524-1-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download
memory/2524-191-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3508-188-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download
memory/3508-187-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download
memory/3508-189-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download
memory/3508-190-0x00007FFB20EF0000-0x00007FFB20F00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads