3fcb2dde6e1867fdbb5b6d5d9ed05a486b69855df4438dce4f4313f454effaf2

General

Target

ORDINE 2021004.doc
Size

196KB
MD5

797f651c45b0b81311e0e23844a448e2
SHA1

2bfaa69508304632718274c6a648cf28f0199bd3
SHA256

3fcb2dde6e1867fdbb5b6d5d9ed05a486b69855df4438dce4f4313f454effaf2
SHA512

61873f8c6e9fe9a67667fef1f57d60a25a5cae7f7df372a2f099849f764bc55361909c52f2cb62de9776350f7566b13f661d80cf350eb71b751bdefa4c815e68

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exeexplorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1664	4772	explorer.exe	WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4516	4772	explorer.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

14 3108 WScript.exe

flow	pid	process
14	3108	WScript.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings explorer.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4772 WINWORD.EXE
4772 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4772 WINWORD.EXE
4772 WINWORD.EXE
4772 WINWORD.EXE
4772 WINWORD.EXE
4772 WINWORD.EXE
4772 WINWORD.EXE
4772 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	explorer.exe

pid	process
4772	WINWORD.EXE
4772	WINWORD.EXE

pid	process
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WINWORD.EXEexplorer.exe

description	pid	process	target process
PID 4772 wrote to memory of 1664	4772	WINWORD.EXE	explorer.exe
PID 4772 wrote to memory of 1664	4772	WINWORD.EXE	explorer.exe
PID 4084 wrote to memory of 3108	4084	explorer.exe	WScript.exe
PID 4084 wrote to memory of 3108	4084	explorer.exe	WScript.exe
PID 4772 wrote to memory of 4516	4772	WINWORD.EXE	explorer.exe
PID 4772 wrote to memory of 4516	4772	WINWORD.EXE	explorer.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDINE 2021004.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\restnatural.vbs
2⤵
- Process spawned unexpected child process
PID:1664

C:\Windows\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\attacksix.exe
2⤵
- Process spawned unexpected child process
PID:4516

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\restnatural.vbs"
2⤵
- Blocklisted process makes network request
PID:3108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\attacksix.exe
MD5
62962daa1b19bbcc2db10b7bfd531ea6

SHA1
d64bae91091eda6a7532ebec06aa70893b79e1f8

SHA256
80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880

SHA512
9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\restnatural.vbs
MD5
d4926c9d3b391f4dddb6afbda8e36c0c

SHA1
028b9ff60116aff36689ecc486b3748a19cb57fe

SHA256
f2a1ece0b0e07f25d1800b0d02ebc8d642cd81c890f682e7ea6babff29004224

SHA512
5daf4184ebf19cc844602ddbce92e638fb2b66b192e08abcc30e0572fb3c51be411dea5e21b115678d978294be0710f50ee5b56c63b7b96ce4cc30a8a53aa6bb

Download Submit
memory/1664-7-0x0000000000000000-mapping.dmp

Download
memory/3108-9-0x0000000000000000-mapping.dmp

Download
memory/4516-10-0x0000000000000000-mapping.dmp

Download
memory/4772-2-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp

Filesize
64KB

Download
memory/4772-3-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp

Filesize
64KB

Download
memory/4772-4-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp

Filesize
64KB

Download
memory/4772-6-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp

Filesize
64KB

Download
memory/4772-5-0x0000017320A20000-0x0000017321057000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads