7df11aa42a30d550a3fba77ed9fc353108f4cac53a2dac6f29a6534dd0ecbd06

General

Target

INV-1581.doc
Size

149KB
MD5

470b5f77bd00e2002939833ab72ad47a
SHA1

540fb80aae64faccbb47ced4d4ec57448ca4297e
SHA256

7df11aa42a30d550a3fba77ed9fc353108f4cac53a2dac6f29a6534dd0ecbd06
SHA512

69a569c079bf78693d751d3834f94888de5f3276b69d9eb63c09bec678335dbb0740337d87646ea26325851d2e4754c881d7c7512520d5831468bc07a84f6b55

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exeexplorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2916	1212	explorer.exe	WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1224	1212	explorer.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

12 2832 WScript.exe

flow	pid	process
12	2832	WScript.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings explorer.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1212 WINWORD.EXE
1212 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

1212 WINWORD.EXE
1212 WINWORD.EXE
1212 WINWORD.EXE
1212 WINWORD.EXE
1212 WINWORD.EXE
1212 WINWORD.EXE
1212 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	explorer.exe

pid	process
1212	WINWORD.EXE
1212	WINWORD.EXE

pid	process
1212	WINWORD.EXE
1212	WINWORD.EXE
1212	WINWORD.EXE
1212	WINWORD.EXE
1212	WINWORD.EXE
1212	WINWORD.EXE
1212	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WINWORD.EXEexplorer.exe

description	pid	process	target process
PID 1212 wrote to memory of 2916	1212	WINWORD.EXE	explorer.exe
PID 1212 wrote to memory of 2916	1212	WINWORD.EXE	explorer.exe
PID 644 wrote to memory of 2832	644	explorer.exe	WScript.exe
PID 644 wrote to memory of 2832	644	explorer.exe	WScript.exe
PID 1212 wrote to memory of 1224	1212	WINWORD.EXE	explorer.exe
PID 1212 wrote to memory of 1224	1212	WINWORD.EXE	explorer.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INV-1581.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\healthother.vbs
2⤵
- Process spawned unexpected child process
PID:2916

C:\Windows\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\agoright.exe
2⤵
- Process spawned unexpected child process
PID:1224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\healthother.vbs"
2⤵
- Blocklisted process makes network request
PID:2832

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\agoright.exe
MD5
62962daa1b19bbcc2db10b7bfd531ea6

SHA1
d64bae91091eda6a7532ebec06aa70893b79e1f8

SHA256
80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880

SHA512
9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\healthother.vbs
MD5
552f3e780bb97a3f81a732d5e26e2474

SHA1
bfddf68ec2daf167f212a0157b258ead3827ca47

SHA256
c711528dad5f1237a870ac01a6657579ac276dd30b0904aa0d4bcb795678d2ab

SHA512
1fe1db760854d0182c20d80ae98a19679aee1760a508ddbc31eb3b9081f4d105259028dfcd14d08d7d3bfba2670685d896aa642cd630947fd58dd66b417da2a0

Download Submit
memory/1212-2-0x00007FFC22770000-0x00007FFC22780000-memory.dmp

Filesize
64KB

Download
memory/1212-3-0x00007FFC22770000-0x00007FFC22780000-memory.dmp

Filesize
64KB

Download
memory/1212-4-0x00007FFC22770000-0x00007FFC22780000-memory.dmp

Filesize
64KB

Download
memory/1212-5-0x00007FFC419B0000-0x00007FFC41FE7000-memory.dmp

Filesize
6.2MB

Download
memory/1212-6-0x00007FFC22770000-0x00007FFC22780000-memory.dmp

Filesize
64KB

Download
memory/1224-10-0x0000000000000000-mapping.dmp

Download
memory/2832-9-0x0000000000000000-mapping.dmp

Download
memory/2916-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads