dfffacd10a8887ff9e48cb452696fa8a9b6b83ea3e285b4f7d3692677c8c30fc

General

Target

file.01.21.doc
Size

92KB
MD5

cfbd343882b57a2d395ddb566984a0dd
SHA1

8baa1cb1935bafa0f89bd4fc5d5c8c47d05d1f4c
SHA256

dfffacd10a8887ff9e48cb452696fa8a9b6b83ea3e285b4f7d3692677c8c30fc
SHA512

e3606d5bc2354c7e4b3eff6aa681ee77d8f9aeaec07641a93ac02aed063b952feaa8ffebbb1fb4e68e5d131ece24264c03a6f4a5191d15e42767203bf83e1653

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

hello.com

pid process

2208 hello.com

pid	process
2208	hello.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4092 WINWORD.EXE
4092 WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

hello.com

description	pid	process
Token: SeIncreaseQuotaPrivilege	2208	hello.com
Token: SeSecurityPrivilege	2208	hello.com
Token: SeTakeOwnershipPrivilege	2208	hello.com
Token: SeLoadDriverPrivilege	2208	hello.com
Token: SeSystemProfilePrivilege	2208	hello.com
Token: SeSystemtimePrivilege	2208	hello.com
Token: SeProfSingleProcessPrivilege	2208	hello.com
Token: SeIncBasePriorityPrivilege	2208	hello.com
Token: SeCreatePagefilePrivilege	2208	hello.com
Token: SeBackupPrivilege	2208	hello.com
Token: SeRestorePrivilege	2208	hello.com
Token: SeShutdownPrivilege	2208	hello.com
Token: SeDebugPrivilege	2208	hello.com
Token: SeSystemEnvironmentPrivilege	2208	hello.com
Token: SeRemoteShutdownPrivilege	2208	hello.com
Token: SeUndockPrivilege	2208	hello.com
Token: SeManageVolumePrivilege	2208	hello.com
Token: 33	2208	hello.com
Token: 34	2208	hello.com
Token: 35	2208	hello.com
Token: 36	2208	hello.com
Token: SeIncreaseQuotaPrivilege	2208	hello.com
Token: SeSecurityPrivilege	2208	hello.com
Token: SeTakeOwnershipPrivilege	2208	hello.com
Token: SeLoadDriverPrivilege	2208	hello.com
Token: SeSystemProfilePrivilege	2208	hello.com
Token: SeSystemtimePrivilege	2208	hello.com
Token: SeProfSingleProcessPrivilege	2208	hello.com
Token: SeIncBasePriorityPrivilege	2208	hello.com
Token: SeCreatePagefilePrivilege	2208	hello.com
Token: SeBackupPrivilege	2208	hello.com
Token: SeRestorePrivilege	2208	hello.com
Token: SeShutdownPrivilege	2208	hello.com
Token: SeDebugPrivilege	2208	hello.com
Token: SeSystemEnvironmentPrivilege	2208	hello.com
Token: SeRemoteShutdownPrivilege	2208	hello.com
Token: SeUndockPrivilege	2208	hello.com
Token: SeManageVolumePrivilege	2208	hello.com
Token: 33	2208	hello.com
Token: 34	2208	hello.com
Token: 35	2208	hello.com
Token: 36	2208	hello.com

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEhello.com

description	pid	process	target process
PID 4092 wrote to memory of 2208	4092	WINWORD.EXE	hello.com
PID 4092 wrote to memory of 2208	4092	WINWORD.EXE	hello.com
PID 2208 wrote to memory of 2112	2208	hello.com	regsvr32.exe
PID 2208 wrote to memory of 2112	2208	hello.com	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\file.01.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4092

\??\c:\programdata\hello.com
c:\programdata\hello.com pagefile get /format:"c:\programdata\hello.xsL"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 c:\programdata\41401.jpg
3⤵
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hello.com
MD5
4191f61f2449ccc2bc2f2ac6d8898ce7

SHA1
d49936fc8a03561214ce4bf9791ca59e94ab8fe9

SHA256
74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

SHA512
fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

Download Submit
\??\c:\programdata\41401.jpg
MD5
486a121ad856b15492d8da27ba93b7f7

SHA1
74e1a88a60e820a15998db6057d9aefb69f06c9d

SHA256
f1aac5eef3352554aa19449523f5d4ab0627ba70011fac75aede60e1d4284da7

SHA512
c60b3ba8900090f035b150272c357b11625fb23f4301d1312680fbf463301b205b379fe557b90e0d48f298d4aa1512aacd7b9ea0e294109da59f0ac636fc3c4f

Download Submit
\??\c:\programdata\hello.xsL
MD5
886f82da2d65f460b35eb737d2897940

SHA1
bd75c902bb9b490cb38667e11ee5979187b82468

SHA256
04d407837c3a0a82ecc6d73c8d5685ca48621ee018b698f469bc954506a14f74

SHA512
fff94b2555fa49f7b4f03d2bfd1bdb14c24ed2947f0332f6e65046b98406c706224a612dac74bebad14cfe0f1cbe88e3df51b2b5b25fb2f436d53d29357d2ca8

Download Submit
memory/2112-11-0x0000000000000000-mapping.dmp

Download
memory/2208-8-0x0000000000000000-mapping.dmp

Download
memory/4092-6-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmp

Filesize
64KB

Download
memory/4092-14-0x00007FFFCCE80000-0x00007FFFCF9A3000-memory.dmp

Filesize
43.1MB

Download
memory/4092-2-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmp

Filesize
64KB

Download
memory/4092-5-0x0000021282650000-0x0000021282C87000-memory.dmp

Filesize
6.2MB

Download
memory/4092-4-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmp

Filesize
64KB

Download
memory/4092-3-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmp

Filesize
64KB

Download
memory/4092-13-0x00007FFFCCE80000-0x00007FFFCF9A3000-memory.dmp

Filesize
43.1MB

Download
memory/4092-7-0x0000021291E80000-0x0000021291E84000-memory.dmp

Filesize
16KB

Download
memory/4092-15-0x00007FFFCCE80000-0x00007FFFCF9A3000-memory.dmp

Filesize
43.1MB

Download
memory/4092-16-0x00007FFFCCE80000-0x00007FFFCF9A3000-memory.dmp

Filesize
43.1MB

Download
memory/4092-17-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmp

Filesize
64KB

Download
memory/4092-18-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmp

Filesize
64KB

Download
memory/4092-19-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmp

Filesize
64KB

Download
memory/4092-20-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads