c12e1ba55ed1a77b43d60e9c2e682daffb9195d8c6ca6fcd1135ef214bcebff5

Analysis

max time kernel
46s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c12e1ba55ed1a77b43d60e9c2e682daffb9195d8c6ca6fcd1135ef214bcebff5.docm
Size

76KB
MD5

48be04dfaaed78575b4103d151dca15b
SHA1

7156db91750023c5c4f8d9ce1c75afdadc219377
SHA256

c12e1ba55ed1a77b43d60e9c2e682daffb9195d8c6ca6fcd1135ef214bcebff5
SHA512

c737f4e54189c0cf97b27fbf1ff5c557a9b2014facf94db82e2ce880e550e421bb649e25fb2f15af28fbb451163bbb75b2d5328a3df10330f3566806090b26af
SSDEEP

1536:XcpXXk3lkptEwwcWy9pSufJ0Mq0BM6Gnh8rzd02:CnA6m7yeuiMqjEdH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4996	rad655B9.tmp.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rad655B9.tmp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3880	WINWORD.EXE
3880	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3880	WINWORD.EXE
3880	WINWORD.EXE
3880	WINWORD.EXE
3880	WINWORD.EXE
3880	WINWORD.EXE
3880	WINWORD.EXE
3880	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 4996	3880	WINWORD.EXE	87
PID 3880 wrote to memory of 4996	3880	WINWORD.EXE	87
PID 3880 wrote to memory of 4996	3880	WINWORD.EXE	87

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c12e1ba55ed1a77b43d60e9c2e682daffb9195d8c6ca6fcd1135ef214bcebff5.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\rad655B9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\rad655B9.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDEAAF.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rad655B9.tmp.exe

Filesize
72KB

MD5
363f604c7fc3d5d26d75913257f8d9d2

SHA1
15a3c4be4de3b9c2bd82c863f23cf5bfefdf732e

SHA256
b51fbd7bafd493ce77df3632a4e052112a86bb8a0d41b1ff6869c6a912afab3a

SHA512
8fec37a8ac7485934868142f6e647fdd33f0af1c715646a99724e648d1fca1a3291e7813ae69bac07118f44806c3a28de111324ca7014554acc4143342156681

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
1b383ebe7f1cb970af3a44eeb4ec1d4a

SHA1
ff45138c5320db32f479c25ce7ef84d8f9de77c5

SHA256
6a70125c2a55be88b68a85457d1c395f3032bc845c80e11ae9845421bed6ba40

SHA512
f9f5793e432a2f45a60a484ede6548879be9067bfda8407f6d1b5f8dd113307a1ebc2bc6a0a8f6dd52d939b71fda01e3b15ef3de251be1fa24bcc45610d3088d

Download Submit
memory/3880-17-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-78-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-9-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-8-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-7-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-11-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-10-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-12-0x00007FF97DB00000-0x00007FF97DB10000-memory.dmp

Filesize
64KB

Download
memory/3880-6-0x00007FF980250000-0x00007FF980260000-memory.dmp

Filesize
64KB

Download
memory/3880-13-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-14-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-16-0x00007FF97DB00000-0x00007FF97DB10000-memory.dmp

Filesize
64KB

Download
memory/3880-20-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-40-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-19-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-18-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-0-0x00007FF9C026D000-0x00007FF9C026E000-memory.dmp

Filesize
4KB

Download
memory/3880-15-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-89-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-5-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-21-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-44-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-2-0x00007FF980250000-0x00007FF980260000-memory.dmp

Filesize
64KB

Download
memory/3880-50-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-46-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-43-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-42-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-1-0x00007FF980250000-0x00007FF980260000-memory.dmp

Filesize
64KB

Download
memory/3880-3-0x00007FF980250000-0x00007FF980260000-memory.dmp

Filesize
64KB

Download
memory/3880-74-0x00007FF9C026D000-0x00007FF9C026E000-memory.dmp

Filesize
4KB

Download
memory/3880-75-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-76-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-77-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-41-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-79-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-4-0x00007FF980250000-0x00007FF980260000-memory.dmp

Filesize
64KB

Download
memory/3880-85-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/3880-39-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download
memory/4996-64-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads