cfbbe350a3a5b906db87fa22e8a58a1760cfa776e6f1e0149b73a02b799d9b3a

General

Target

Revised Pro-forma.doc
Size

245KB
MD5

31355a427ccc38ba77df8c75626e33f7
SHA1

47d42d7885c1f27ebdae079d70a72042c94debe9
SHA256

cfbbe350a3a5b906db87fa22e8a58a1760cfa776e6f1e0149b73a02b799d9b3a
SHA512

917d2f60b8ac0f2f18158e382a8ce66ffbf13ddca867786a2833d1c9f0e54922e9d3db080eec8ec59fbe8d00b0c77095224f34a6347999e2378d6e24284943bf

Score

1^/10

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2416	WINWORD.EXE
2416	WINWORD.EXE
2416	WINWORD.EXE
2416	WINWORD.EXE
2416	WINWORD.EXE
2416	WINWORD.EXE
2416	WINWORD.EXE
2416	WINWORD.EXE
2416	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2416	WINWORD.EXE
2416	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\AbctfhghghghghŽ.scT:Zone.Identifier	WINWORD.EXE

Modifies registry class 6 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-189460363-3174933371-2742955088-2634980605-3424317636-501327713-710934452	WINWORD.EXE
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-189460363-3174933371-2742955088-2634980605-3424317636-501327713-710934452	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-189460363-3174933371-2742955088-2634980605-3424317636-501327713-710934452\DisplayName = "OICE_16_974FA576_32C1D314_3AB9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-189460363-3174933371-2742955088-2634980605-3424317636-501327713-710934452\Moniker = "oice_16_974fa576_32c1d314_3ab9"	WINWORD.EXE
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-189460363-3174933371-2742955088-2634980605-3424317636-501327713-710934452\Children	WINWORD.EXE
Key deleted	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-189460363-3174933371-2742955088-2634980605-3424317636-501327713-710934452\Children	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Revised Pro-forma.doc" /o ""
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Modifies registry class
PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads