9fe890f4a1393ef301e24b02ab3c173f230ad7a982808ce6daf130c861422208

General

Target

Docs_caa116070d1f2f48f3a9964e695226cc.17
Sample

190917-dr4x6669xx
SHA256

9fe890f4a1393ef301e24b02ab3c173f230ad7a982808ce6daf130c861422208

Score

N/A

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

Drops Office document 2 IoCs

at	description	ioc	Process
10828	File created	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	WINWORD.EXE
11312	File created	C:\Users\Admin\AppData\Local\Temp\~$cs_caa116070d1f2f48f3a9964e695226cc.17.docx	WINWORD.EXE

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

at	description	ioc	Process
11250	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WINWORD.EXE
11250	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WINWORD.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

at	description	ioc	Process
11250	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
11250	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
11265	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
11265	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
11265	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

at	description	ioc	Process
11250	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
11250	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Suspicious use of WriteProcessMemory 1 IoCs

at	description	Process	procid_target
14593	PID 4076 wrote to memory of 2812	SppExtComObj.exe	42

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_caa116070d1f2f48f3a9964e695226cc.17.docx" /o ""
1⤵
- Drops Office document
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Checks processor information in registry (likely anti-VM)
PID:2976

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:2812

Network

52.109.32.27:443

officeclient.microsoft.com
52.109.124.22:443

nexus.officeapps.live.com
52.109.76.30:443

nexusrules.officeapps.live.com

10.0.0.255:137
10.0.0.72:137
8.8.8.8:53

officeclient.microsoft.com

DNS Request

officeclient.microsoft.com

DNS Response

52.109.32.27
8.8.8.8:53

nexus.officeapps.live.com

DNS Request

nexus.officeapps.live.com

DNS Response

52.109.124.22
8.8.8.8:53

nexusrules.officeapps.live.com

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.109.76.30

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.