9c9d3701bb36c5fc3498ca7d57d553ee644ddd6daa8e551b80b2d109bdd08d35

General

Target

contract invoce.doc
Size

132KB
MD5

85585f5162a053f177019cec24e86375
SHA1

720f60ada0426fe82aabaa4c3f8db95c2e09b07a
SHA256

9c9d3701bb36c5fc3498ca7d57d553ee644ddd6daa8e551b80b2d109bdd08d35
SHA512

6f1f1fae3a7d5a16611df9f46e78b57d72721499b7ad7b79bc2054d71b02c9245338a8f6ffd19e4b23944ae511c08c9eb02e788bbe26e5b940703b41bd9c38ea

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEPOWERPNT.EXE

pid process

4716 WINWORD.EXE
4716 WINWORD.EXE
804 POWERPNT.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXEPOWERPNT.EXE

pid	process
4716	WINWORD.EXE
4716	WINWORD.EXE
4716	WINWORD.EXE
4716	WINWORD.EXE
4716	WINWORD.EXE
4716	WINWORD.EXE
4716	WINWORD.EXE
4716	WINWORD.EXE
4716	WINWORD.EXE
804	POWERPNT.EXE
804	POWERPNT.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\contract invoce.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\UninstallResume.ppsm" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
22ba402e0739745b8696dd96469a51f0

SHA1
9e96368116f98716356816f5788f9b121a1145f8

SHA256
5fc371f8c7a7d9f430866ad606d43872f0b138384d684a1aa88207ed937d34c7

SHA512
3dcbb7b6ffe1580492cfe7db070c4b13abb71e582b8c1ed224353bdab48e5e91a13dd123afd1ddd4fb0bbebb0f9cde5f129777ea18daba627ab0f0e2fa0a7c36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
e86763e8ca85a2b9d0a8b2be4f7908c8

SHA1
da0897b52062efdcbc93fbbeeac54f991ecad6c3

SHA256
c8bcbec80afde0e9ff112a39c449030676fc4c3be5f67adff4a7a33448f61ba8

SHA512
b8aa1a755b85e462e86ffe7f14f46e614cd83131a11b4374c0f0f0b16bc3825e3eca0a9b8d19536eac4e0fbeab81c9ce13a8104fa6765e1592ac434e73ebe245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E28A66AA-6CDA-4909-8915-128BE54AB5FD
MD5
212acd105ae954863f03c1e373150144

SHA1
77112b0044b11dae917957ae26781cf06b4300e1

SHA256
29ee2563782511d8e85216c706ebf0a62eea9e90ebf9e0b446058df1031267ec

SHA512
8319a8dfe7a78712ac55ab0390922742c2a94c0f4d37f20a7b9873ef7fa35c8475a5e0784a154192b7e9aa13e3525c28c15afe966fa0c6df98bf7d630217c095

Download Submit
memory/804-14-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/804-19-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/804-17-0x00007FF861140000-0x00007FF861777000-memory.dmp

Filesize
6.2MB

Download
memory/804-16-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/804-15-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/4716-7-0x00007FF861990000-0x00007FF8644B3000-memory.dmp

Filesize
43.1MB

Download
memory/4716-11-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/4716-12-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/4716-13-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/4716-10-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/4716-9-0x00007FF861990000-0x00007FF8644B3000-memory.dmp

Filesize
43.1MB

Download
memory/4716-8-0x00007FF861990000-0x00007FF8644B3000-memory.dmp

Filesize
43.1MB

Download
memory/4716-2-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/4716-6-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/4716-5-0x000001B36FF90000-0x000001B3705C7000-memory.dmp

Filesize
6.2MB

Download
memory/4716-4-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/4716-3-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads