Analysis
-
max time kernel
101s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system -
submitted
05-07-2024 13:37
Static task
static1
Behavioral task
behavioral1
Sample
Quo2024.docx
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Quo2024.docx
Resource
win10v2004-20240704-en
General
-
Target
Quo2024.docx
-
Size
16KB
-
MD5
3fbe5c0fdd008937310bc6c9dba29c2d
-
SHA1
c4fbc0de50070bae54fdabb458260f8d2878a117
-
SHA256
4b8f8f705246d7d980911042c089e9a9fb450031d5dde069add5f4a207c32dc4
-
SHA512
427800453db7bc6203a6b9166aa73c5a4a15af2b634eb41bcee65d85cbee212c517df431517f929684ef369a818ef170414455b56a2dbbc4cd656ac2f338b333
-
SSDEEP
384:gyXhR4pW0s8PL8wi4OEwH8TIbE91r2fRAJYjviedmPkGf:gch8L5P3DOqnYJOqvzdmPka
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
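The two registry signatures above both come down to the same thing: WINWORD.EXE reading the CentralProcessor and BIOS description keys that VM-fingerprinting code reads. Below is an added example (not from the sandbox or this report) of a detection that consumes records in the report's own "Key opened / Key value queried <path> <process>" form and flags an Office process once it has read several distinct keys under those prefixes. Two details matter in practice: registry paths are case-insensitive and the report itself mixes `Hardware\Description` with `HARDWARE\DESCRIPTION`, so the match must normalize case; and the sandbox attributes the reads to WINWORD.EXE itself rather than a spawned child, so the same keys will show up in benign Office sessions and the rule is a correlation signal, not a verdict. The telemetry source that would produce such records in production (an EDR registry feed, or Windows object-access auditing with a SACL on these keys) is an assumption, and the sample events are constructed.

```python
"""Flag Office processes reading hardware-description registry keys.

Added example (not part of the sandbox report). The input records copy the
report's "Key opened|Key value queried <path> <process>" IoC form; the
telemetry source that would produce them in production (an EDR registry
feed, or Windows object-access auditing with a SACL on these keys) is an
assumption, and SAMPLE_EVENTS is constructed for the demonstration.
"""
import re
from collections import defaultdict

# Key prefixes the report shows WINWORD.EXE touching; commonly read to
# fingerprint the CPU model, clock and BIOS strings of a VM.
FINGERPRINT_KEYS = (
    r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
)
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# NT object-manager and Win32 hive names for the same roots.
_HIVE_ALIASES = (
    (r"\REGISTRY\MACHINE", "HKLM"),
    ("HKEY_LOCAL_MACHINE", "HKLM"),
    (r"\REGISTRY\USER", "HKU"),
    ("HKEY_USERS", "HKU"),
)

_LINE = re.compile(r"^(Key opened|Key value queried)\s+(\S+)\s+(\S+)$")


def normalize_key(path: str) -> str:
    """Rewrite the hive prefix to HKLM/HKU and upper-case the rest.

    Registry paths are case-insensitive and the report itself mixes
    'Hardware\\Description' and 'HARDWARE\\DESCRIPTION'; a case-sensitive
    prefix match would miss one of the two 'Key opened' events.
    """
    upper = path.upper()
    for prefix, short in _HIVE_ALIASES:
        if upper.startswith(prefix.upper()):
            return short + upper[len(prefix):]
    return upper


def parse_event(line: str):
    """Parse one IoC line into a record, or None if it is not a registry read."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    op, path, proc = m.groups()
    return {"op": op, "key": normalize_key(path), "process": proc.lower()}


def is_fingerprint_read(ev: dict) -> bool:
    """True when an Office process reads under one of the fingerprint prefixes."""
    return ev["process"] in OFFICE_PROCESSES and any(
        ev["key"].startswith(prefix.upper()) for prefix in FINGERPRINT_KEYS
    )


def evaluate(lines, threshold: int = 2) -> dict:
    """Return {process: sorted fingerprint keys} for every Office process that
    read at least `threshold` distinct keys/values under the prefixes.

    The threshold exists because a single read is common in benign sessions;
    a burst across both the CPU and the BIOS keys, as in the report, is the
    pattern worth surfacing.
    """
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev and is_fingerprint_read(ev):
            hits[ev["process"]].add(ev["key"])
    return {p: sorted(keys) for p, keys in hits.items() if len(keys) >= threshold}


# Constructed sample: the six reads from the report plus two benign events
# (a Word options read under HKU and explorer.exe reading the BIOS key).
SAMPLE_EVENTS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE",
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE",
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE",
    r"Key value queried \REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Options\Foo WINWORD.EXE",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe",
]

if __name__ == "__main__":
    for proc, keys in evaluate(SAMPLE_EVENTS).items():
        print(f"{proc}: {len(keys)} fingerprint reads")
        for k in keys:
            print("   ", k)
```

Run against the constructed events it reports winword.exe with six distinct keys and ignores explorer.exe and the HKU read; raise `threshold` to tune it against your own Office baseline.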
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXE
pid | process
4904 | WINWORD.EXE
4904 | WINWORD.EXE
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXE
description | pid | process
Token: SeAuditPrivilege | 4904 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXE
pid | process
4904 | WINWORD.EXE (8 occurrences)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Quo2024.docx" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
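The process tree shows nothing but WINWORD.EXE opening the 16 KB Quo2024.docx, yet the Downloads section lists a 525 KB datti[1].doc written under INetCache\IE, the cache WinINet fills when a URL is fetched; Word resolved an external reference while opening the document. The report does not say which part of the package carries that reference. The first check a practitioner wants on the original file is to enumerate every relationship in the OOXML package marked TargetMode="External", since those are the targets Word resolves at open time. The script below is an added example, not the sandbox's or the report's code: it builds a constructed .docx in memory whose word/_rels/settings.xml.rels carries an attachedTemplate relationship (assumed for the sample; other relationship types such as hyperlinks or oleObjects can be external too), lists the external targets, and extracts the hosts that would be contacted. The URL `http://template.example/datti.doc` is a placeholder, not an indicator from the report.

```python
"""List external relationship targets inside an OOXML (.docx) package.

Added example, not part of the sandbox report. The sample package below is
constructed in memory; the URL in it is a placeholder, not an indicator
from the report.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(docx_bytes: bytes):
    """Return [(rels_part, short_type, target)] for every Relationship element
    with TargetMode="External" in any *.rels part of the package.

    Word resolves these when the document is opened, so an attachedTemplate,
    hyperlink, oleObject or similar relationship pointing at http(s) is what
    to inspect before the file is opened anywhere outside a sandbox.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, short_type, rel.get("Target", "")))
    return found


def remote_hosts(rels):
    """Distinct hostnames from http/https targets, i.e. what the host would
    contact; file:// and relative targets are ignored here."""
    hosts = set()
    for _, _, target in rels:
        parts = urlsplit(target)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.add(parts.hostname.lower())
    return sorted(hosts)


def build_sample_docx(template_url: str) -> bytes:
    """Constructed minimal package: one internal relationship in
    word/_rels/document.xml.rels and an external attachedTemplate
    relationship in word/_rels/settings.xml.rels (assumed carrier)."""
    rel_tmpl = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}attachedTemplate" '
        f'Target="{template_url}" TargetMode="External"/>'
        "</Relationships>"
    )
    rel_doc = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}settings" Target="settings.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", "<document/>")  # body content is irrelevant here
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/document.xml.rels", rel_doc)
        z.writestr("word/_rels/settings.xml.rels", rel_tmpl)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://template.example/datti.doc")  # placeholder URL
    rels = external_relationships(sample)
    for part, rtype, target in rels:
        print(f"{part}: {rtype} -> {target}")
    print("hosts:", remote_hosts(rels))
```

On a real sample call `external_relationships(open(path, "rb").read())`; an empty result means the fetch came from somewhere this check does not cover (for example a field code or an embedded object's own payload), not that the file is clean.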
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S5KAZR04\datti[1].doc
Filesize
525KB
MD5
7f564621be35915fd063b91684edfe8f
SHA1
164fa8ba0b77af03415bb18465866a03fbc5506c
SHA256
b4e873d04126d8de007f7b91a394334b6b4c859815529ef90e517bb1b219094e
SHA512
101f5dd43a436a4af731b2142716e5e0644b17fea56297c5f9e3c097c1ae172b42c774d66126216a77cdf7d53a77d46f80cc9a00d556c9f17d8c325a9c59f93e
-
C:\Users\Admin\AppData\Local\Temp\TCDF88C.tmp\sist02.xsl
Filesize
245KB
MD5
f883b260a8d67082ea895c14bf56dd56
SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
295B
MD5
09265a6806d2ec87f22e9a7d696050ed
SHA1
ec9ff7babb4bcff20280252fbbf9d5bd33d7f564
SHA256
1c4afedebb2326f08cab3a292a3a514dad89cf96c07bec37ac5bf27ca9fccd92
SHA512
8fded01e8d31dbb0d56c6efdb413d5e924f1faf15c2aba69b15f66aa83e35a1498d953d85ce073b15a5d2ce8c8bc6514f1fd53c1f7c00ed446eb65b84f55408a
-
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Filesize
2B
MD5
f3b25701fe362ec84616a93a45ce9998
SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/4904-7-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB
-
memory/4904-18-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB
-
memory/4904-8-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB
-
memory/4904-0-0x00007FFD1BB50000-0x00007FFD1BB60000-memory.dmp
Filesize
64KB
-
memory/4904-6-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB
-
memory/4904-10-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB
-
memory/4904-11-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB
-
memory/4904-12-0x00007FFD191F0000-0x00007FFD19200000-memory.dmp
Filesize
64KB
-
memory/4904-9-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB
-
memory/4904-14-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB
-
memory/4904-15-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB
-
memory/4904-16-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB
-
memory/4904-19-0x00007FFD191F0000-0x00007FFD19200000-memory.dmp
Filesize
64KB
-
memory/4904-1-0x00007FFD1BB50000-0x00007FFD1BB60000-memory.dmp
Filesize
64KB
-
memory/4904-17-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB
-
memory/4904-13-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB
-
memory/4904-5-0x00007FFD1BB50000-0x00007FFD1BB60000-memory.dmp
Filesize
64KB
-
memory/4904-4-0x00007FFD1BB50000-0x00007FFD1BB60000-memory.dmp
Filesize
64KB
-
memory/4904-2-0x00007FFD1BB50000-0x00007FFD1BB60000-memory.dmp
Filesize
64KB
-
memory/4904-86-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB
-
memory/4904-3-0x00007FFD5BB6D000-0x00007FFD5BB6E000-memory.dmp
Filesize
4KB
-
memory/4904-589-0x00007FFD1BB50000-0x00007FFD1BB60000-memory.dmp
Filesize
64KB
-
memory/4904-588-0x00007FFD1BB50000-0x00007FFD1BB60000-memory.dmp
Filesize
64KB
-
memory/4904-591-0x00007FFD1BB50000-0x00007FFD1BB60000-memory.dmp
Filesize
64KB
-
memory/4904-590-0x00007FFD1BB50000-0x00007FFD1BB60000-memory.dmp
Filesize
64KB
-
memory/4904-592-0x00007FFD5BAD0000-0x00007FFD5BCC5000-memory.dmp
Filesize
2.0MB