194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f

Analysis

max time kernel
103s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx
Size

16KB
MD5

d5ab2de292b70d3a7f0fc16b236c325b
SHA1

b7e498349dae307fdf4d08dfb5de5eccba4ac3d5
SHA256

194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f
SHA512

2a33a54389da5716021c2a3d181e27819d7c2bfcc4eb921fe4cbed4880b800901ee478f059c7f48375609e4e78f31874eeca5364df01d3fde49d9ef2744fe2ee
SSDEEP

384:IyXKW7AWss8PL8wi4OEwH8TIbE91r2fRMJYvvid4ejeaS:IcK/b5P3DOqnYJKuvs4ejI

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3488 WINWORD.EXE
3488 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 3488 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

3488 WINWORD.EXE
3488 WINWORD.EXE
3488 WINWORD.EXE
3488 WINWORD.EXE
3488 WINWORD.EXE
3488 WINWORD.EXE
3488 WINWORD.EXE
3488 WINWORD.EXE
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

pid	process
3488	WINWORD.EXE
3488	WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	3488	WINWORD.EXE

pid	process
3488	WINWORD.EXE
3488	WINWORD.EXE
3488	WINWORD.EXE
3488	WINWORD.EXE
3488	WINWORD.EXE
3488	WINWORD.EXE
3488	WINWORD.EXE
3488	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WO7P3K64\obizxc[1].doc
Filesize
368KB

MD5
575a373a177f9c8b111c8a68b17df8c8

SHA1
3bc867883140cd48dcf45619b8248e09bcae2e32

SHA256
9ae6cf31f1326e6966550f8cec5ddbedebda8358447a7f8ea5459f1170c5fe63

SHA512
cfef18fb314a54567c2f7afb387413ba129c7f1bfc10151be00c17032fac455f0c022187ac9fd6f19959b36f50fa6e45128dc26adebd5fb60c972cfdc794b1b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
367B

MD5
ceadc6537296c438c9d8ee5d43eab7c8

SHA1
66c121b42c984806ec350bb251d29d6c9487b4b1

SHA256
2bc31f41dd291fe2b08a1766ca0483689dbbd4e473f58af247378b8cb2270021

SHA512
68f122b68e48a1ec01ad6f43e0760586649454a11e945e829fc6e9661e8e38648e6c59f0e0482be7aca2ad57e5f6fddbac4ac6bc719e0b8102cc5de594eb566a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
2KB

MD5
f9e8fe72ff74feb70861c488bc047511

SHA1
ed3c5a45dc0981feea47e164408014ace72a16c8

SHA256
692ae1d845fa8c740f41be5b0c9e1852100be41e478b9302026e80fd88a3eec0

SHA512
3869abf3ad1bfb93ccdd4a0eb9351833a73c15e2fe839b495fb900aad9cee72ff36c6e0eb33b60d02f5e5deaa33aa67182407bc15c4b2acbcf3e76e7f3dde2d0

Download Submit
memory/3488-18-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-19-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-5-0x00007FFF5DAF0000-0x00007FFF5DB00000-memory.dmp

Filesize
64KB

Download
memory/3488-8-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-11-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-10-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-9-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-12-0x00007FFF5B770000-0x00007FFF5B780000-memory.dmp

Filesize
64KB

Download
memory/3488-14-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-15-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-17-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-2-0x00007FFF5DAF0000-0x00007FFF5DB00000-memory.dmp

Filesize
64KB

Download
memory/3488-20-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-4-0x00007FFF5DAF0000-0x00007FFF5DB00000-memory.dmp

Filesize
64KB

Download
memory/3488-13-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-16-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-7-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-6-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-21-0x00007FFF5B770000-0x00007FFF5B780000-memory.dmp

Filesize
64KB

Download
memory/3488-3-0x00007FFF9DB0D000-0x00007FFF9DB0E000-memory.dmp

Filesize
4KB

Download
memory/3488-0-0x00007FFF5DAF0000-0x00007FFF5DB00000-memory.dmp

Filesize
64KB

Download
memory/3488-1-0x00007FFF5DAF0000-0x00007FFF5DB00000-memory.dmp

Filesize
64KB

Download
memory/3488-73-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download
memory/3488-99-0x00007FFF5DAF0000-0x00007FFF5DB00000-memory.dmp

Filesize
64KB

Download
memory/3488-101-0x00007FFF5DAF0000-0x00007FFF5DB00000-memory.dmp

Filesize
64KB

Download
memory/3488-100-0x00007FFF5DAF0000-0x00007FFF5DB00000-memory.dmp

Filesize
64KB

Download
memory/3488-98-0x00007FFF5DAF0000-0x00007FFF5DB00000-memory.dmp

Filesize
64KB

Download
memory/3488-102-0x00007FFF9DA70000-0x00007FFF9DC65000-memory.dmp

Filesize
2.0MB

Download