9a752f4b373e32ef86ead4516cceb238bdef9519191922abf5141261b13c38f3

General

Target

ordine.12.20.doc
Size

91KB
MD5

d877528f01cafe6d9401c89e4c4799a5
SHA1

10836e28ae5184ae004c3b60159c2e994832c90c
SHA256

9a752f4b373e32ef86ead4516cceb238bdef9519191922abf5141261b13c38f3
SHA512

c33b67bebe288ed9718f6485fb0ac3a46bdcaf0726bf37b378b1ed8920450cabc22b7cd57b3a6dc6f9daeedca6929e899f4b49969d674ed865211dd121a02bc4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ms.com

pid process

2376 ms.com

pid	process
2376	ms.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1036 WINWORD.EXE
1036 WINWORD.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

ms.com

description pid process target process

PID 2376 wrote to memory of 1492 2376 ms.com regsvr32.exe
PID 2376 wrote to memory of 1492 2376 ms.com regsvr32.exe

description	pid	process	target process
PID 2376 wrote to memory of 1492	2376	ms.com	regsvr32.exe
PID 2376 wrote to memory of 1492	2376	ms.com	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ordine.12.20.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1036

C:\users\public\ms.com
C:\users\public\ms.com C:\users\public\ms.html
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\temp.tmp
2⤵
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.tmp
MD5
6bba6235197ae9997ec5da8631fdc6cc

SHA1
408071b5b21e4b8b78ff9dfda36484270fc537e1

SHA256
cf410691b63dd4e596d9a3a01855aa77f04ae6b4c93e7dc15890f6f06cc1ffa6

SHA512
55466541278bbe28245fdcf86ddfd24b7bc04bd8074c19bfbbce2e5ef5685385020cdede98841ba5592fd8e24c53fea2b17b3c09b8b81aacdf45aecb1c51be2a

Download Submit
C:\Users\Public\ms.com
MD5
98447a7f26ee9dac6b806924d6e21c90

SHA1
a67909346a56289b7087821437efcaa51da3b083

SHA256
c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

SHA512
c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

Download Submit
C:\users\public\ms.com
MD5
98447a7f26ee9dac6b806924d6e21c90

SHA1
a67909346a56289b7087821437efcaa51da3b083

SHA256
c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

SHA512
c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

Download Submit
C:\users\public\ms.html
MD5
f92fb6fe7f0536a53a813177585dcfee

SHA1
855b96cd27e0eb6f0bdff03242a7375fde19d3d7

SHA256
f2855229bb557b3abfc20e95e879c1cd4c0102fbd9fecd7c2cbfbe6cf5be3f30

SHA512
94f766077d27d8c04d69dcdabea02a01b8b396a0cefb1f5d81aa9f9baba6b03b3134dd822c6fe48839f7c8a944131f107cfbb5962bd242a922937ce884ccebd6

Download Submit
memory/1036-2-0x000002616E8C0000-0x000002616EEF7000-memory.dmp

Filesize
6.2MB

Download
memory/1036-3-0x0000026179094000-0x0000026179099000-memory.dmp

Filesize
20KB

Download
memory/1036-5-0x00000261791BC000-0x00000261791C1000-memory.dmp

Filesize
20KB

Download
memory/1036-4-0x00000261791BC000-0x00000261791C1000-memory.dmp

Filesize
20KB

Download
memory/1036-6-0x00000261791BC000-0x00000261791C1000-memory.dmp

Filesize
20KB

Download
memory/1036-7-0x00000261791FB000-0x0000026179205000-memory.dmp

Filesize
40KB

Download
memory/1036-8-0x00000261791FB000-0x0000026179205000-memory.dmp

Filesize
40KB

Download
memory/1492-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads