487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c

Resubmissions

13/04/2025, 09:00

250413-kyfgbasydv 10

13/04/2025, 08:55

250413-kvgj7ssmw7 10

13/04/2025, 08:32

250413-kfmgxaskw4 10

13/04/2025, 08:10

250413-j22y2s1q13 10

Analysis

max time kernel
90s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virusshare/3/VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc
Size

34KB
MD5

3fb34964fa7b8c6bfad8d960380ff04e
SHA1

9a3aec40056ce74bac833989ed71dfb6c2626f4c
SHA256

26026b1b3d0cb660c6be6c536df679acca0b5562a3adbb507d001474d23f5650
SHA512

a82b522dfd7eac30292a9e9ab19ddac94563804e77a1090e5f44de7e794ef4e5ebe0e7fb36e5177479417c8176ae0475613700755ca015c7ce941a4740215faa
SSDEEP

384:bzIPMepSbSsG/CdPvunCpeJzKoSS3D6JO5LfBqtjbjk4Eohubn3ezta:nIPMecWsGKVunFFRDE6pqjhust

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5272	WINWORD.EXE
5272	WINWORD.EXE

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE
5272	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5272 wrote to memory of 5532	5272	WINWORD.EXE	110
PID 5272 wrote to memory of 5532	5272	WINWORD.EXE	110

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5272
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:5532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0003.docx

Filesize
45KB

MD5
0a6f8eb2d2eebd202703d8554a440313

SHA1
0911f7a622b7e12735de9a214121e6f01407c8bf

SHA256
8c796d107e98dd07fff65ce120ccc2688202b37c097cdcb447c9350b3a9894bf

SHA512
13f4d072871fc01790b19425afdbde4a7f726162ff6b5bee35a6a84965b84cc29e2ae7b29586dbea62ad1aefe97713c7a64a07ab3e42024d4326e1b780f32a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0005.docx

Filesize
45KB

MD5
235ad4cf690946e6050704a780e72efa

SHA1
85e9dc4e9c4770ffc9f06fcbc16c98ea22361c9f

SHA256
1d8b11b605095e5e83375cafeb7fa7500aa0e2ec977a91b60f1fbe771c33aa8c

SHA512
347796d3e88a65163dcbf6a39896e3acb45c74fd596e5972b756e36d1019da40b23f6fdf761b8da2a29c5efcca67a13744fef28fe867eb3231d816871820a7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD5DDB.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
memory/5272-4-0x00007FF8F3EF0000-0x00007FF8F3F00000-memory.dmp

Filesize
64KB

Download
memory/5272-14-0x00007FF8F18B0000-0x00007FF8F18C0000-memory.dmp

Filesize
64KB

Download
memory/5272-6-0x00007FF933E70000-0x00007FF934065000-memory.dmp

Filesize
2.0MB

Download
memory/5272-0-0x00007FF8F3EF0000-0x00007FF8F3F00000-memory.dmp

Filesize
64KB

Download
memory/5272-7-0x00007FF8F3EF0000-0x00007FF8F3F00000-memory.dmp

Filesize
64KB

Download
memory/5272-9-0x00007FF933E70000-0x00007FF934065000-memory.dmp

Filesize
2.0MB

Download
memory/5272-11-0x00007FF933E70000-0x00007FF934065000-memory.dmp

Filesize
2.0MB

Download
memory/5272-8-0x00007FF933E70000-0x00007FF934065000-memory.dmp

Filesize
2.0MB

Download
memory/5272-12-0x00007FF933E70000-0x00007FF934065000-memory.dmp

Filesize
2.0MB

Download
memory/5272-10-0x00007FF933E70000-0x00007FF934065000-memory.dmp

Filesize
2.0MB

Download
memory/5272-13-0x00007FF8F18B0000-0x00007FF8F18C0000-memory.dmp

Filesize
64KB

Download
memory/5272-5-0x00007FF933E70000-0x00007FF934065000-memory.dmp

Filesize
2.0MB

Download
memory/5272-26-0x00007FF933E70000-0x00007FF934065000-memory.dmp

Filesize
2.0MB

Download
memory/5272-27-0x00007FF933F0D000-0x00007FF933F0E000-memory.dmp

Filesize
4KB

Download
memory/5272-28-0x00007FF933E70000-0x00007FF934065000-memory.dmp

Filesize
2.0MB

Download
memory/5272-3-0x00007FF8F3EF0000-0x00007FF8F3F00000-memory.dmp

Filesize
64KB

Download
memory/5272-2-0x00007FF8F3EF0000-0x00007FF8F3F00000-memory.dmp

Filesize
64KB

Download
memory/5272-1-0x00007FF933F0D000-0x00007FF933F0E000-memory.dmp

Filesize
4KB

Download
memory/5272-560-0x00007FF8F3EF0000-0x00007FF8F3F00000-memory.dmp

Filesize
64KB

Download
memory/5272-562-0x00007FF8F3EF0000-0x00007FF8F3F00000-memory.dmp

Filesize
64KB

Download
memory/5272-561-0x00007FF8F3EF0000-0x00007FF8F3F00000-memory.dmp

Filesize
64KB

Download
memory/5272-563-0x00007FF8F3EF0000-0x00007FF8F3F00000-memory.dmp

Filesize
64KB

Download
memory/5272-564-0x00007FF933E70000-0x00007FF934065000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads