0c8704fd49a85bec94233219640e3bae68aa4030b3ae6e582d502dbef38b6707

General

Target

commerce _03.09.2021.doc
Size

91KB
MD5

0aa86c039d3fbad067749edf8a4ce659
SHA1

15c9d4ba5557b47dbdde61831296c2d67ede7357
SHA256

0c8704fd49a85bec94233219640e3bae68aa4030b3ae6e582d502dbef38b6707
SHA512

bb41673650c28b4ebfd884f539f1be549124d70912278302dbe8781cf7e051a693b20c9a1d399a4789f0420841c26960cb1e381dede9cd107d433c352d56b9d1

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

xml.com

pid process

2012 xml.com

pid	process
2012	xml.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1192 WINWORD.EXE
1192 WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

xml.com

description	pid	process
Token: SeIncreaseQuotaPrivilege	2012	xml.com
Token: SeSecurityPrivilege	2012	xml.com
Token: SeTakeOwnershipPrivilege	2012	xml.com
Token: SeLoadDriverPrivilege	2012	xml.com
Token: SeSystemProfilePrivilege	2012	xml.com
Token: SeSystemtimePrivilege	2012	xml.com
Token: SeProfSingleProcessPrivilege	2012	xml.com
Token: SeIncBasePriorityPrivilege	2012	xml.com
Token: SeCreatePagefilePrivilege	2012	xml.com
Token: SeBackupPrivilege	2012	xml.com
Token: SeRestorePrivilege	2012	xml.com
Token: SeShutdownPrivilege	2012	xml.com
Token: SeDebugPrivilege	2012	xml.com
Token: SeSystemEnvironmentPrivilege	2012	xml.com
Token: SeRemoteShutdownPrivilege	2012	xml.com
Token: SeUndockPrivilege	2012	xml.com
Token: SeManageVolumePrivilege	2012	xml.com
Token: 33	2012	xml.com
Token: 34	2012	xml.com
Token: 35	2012	xml.com
Token: 36	2012	xml.com
Token: SeIncreaseQuotaPrivilege	2012	xml.com
Token: SeSecurityPrivilege	2012	xml.com
Token: SeTakeOwnershipPrivilege	2012	xml.com
Token: SeLoadDriverPrivilege	2012	xml.com
Token: SeSystemProfilePrivilege	2012	xml.com
Token: SeSystemtimePrivilege	2012	xml.com
Token: SeProfSingleProcessPrivilege	2012	xml.com
Token: SeIncBasePriorityPrivilege	2012	xml.com
Token: SeCreatePagefilePrivilege	2012	xml.com
Token: SeBackupPrivilege	2012	xml.com
Token: SeRestorePrivilege	2012	xml.com
Token: SeShutdownPrivilege	2012	xml.com
Token: SeDebugPrivilege	2012	xml.com
Token: SeSystemEnvironmentPrivilege	2012	xml.com
Token: SeRemoteShutdownPrivilege	2012	xml.com
Token: SeUndockPrivilege	2012	xml.com
Token: SeManageVolumePrivilege	2012	xml.com
Token: 33	2012	xml.com
Token: 34	2012	xml.com
Token: 35	2012	xml.com
Token: 36	2012	xml.com

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE
1192	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXExml.com

description	pid	process	target process
PID 1192 wrote to memory of 2012	1192	WINWORD.EXE	xml.com
PID 1192 wrote to memory of 2012	1192	WINWORD.EXE	xml.com
PID 2012 wrote to memory of 3416	2012	xml.com	regsvr32.exe
PID 2012 wrote to memory of 3416	2012	xml.com	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commerce _03.09.2021.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\programdata\xml.com
"C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 c:\programdata\58886.jpg
3⤵
PID:3416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xml.com
MD5
4191f61f2449ccc2bc2f2ac6d8898ce7

SHA1
d49936fc8a03561214ce4bf9791ca59e94ab8fe9

SHA256
74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

SHA512
fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

Download Submit
\??\c:\programdata\58886.jpg
MD5
4dcb2e40b2730cd9d3a99276fc75c3f5

SHA1
202170a629dc8d6ca13bb8fce5effeabadfc84a0

SHA256
7764e8098c2b208213316207109cec34b604fb9b92569ae202c1a2c194936abe

SHA512
8aed4236deaba89feab1f5f596fe2460f8d0e0325e1714f7c87266076b9c947a04863157c79c3e723fea672ea5430dd8d592f781b398cf1a9de110113696429a

Download Submit
\??\c:\programdata\i.xsl
MD5
019bf95cfa8bd8cef5ccbe11a17d5b4a

SHA1
9617ac6e29d86217d54609d37d79bf7dcef986ae

SHA256
2b9c7426ad5db95c7924ea37084742b3af34cdcafad397584b28cf8ea343e774

SHA512
4a267d89006648a046f18565abeb9fe29b9a4cade415f4dfffb167e400e02eebeaca9c9a49dc73bec614f8faafeb5db772978a40cd17b9f74b14df4a11e07f6b

Download Submit
memory/1192-10-0x000001E95DB80000-0x000001E95DB84000-memory.dmp

Filesize
16KB

Download
memory/1192-3-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1192-20-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1192-5-0x000001E94E780000-0x000001E94EDB7000-memory.dmp

Filesize
6.2MB

Download
memory/1192-4-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1192-2-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1192-19-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1192-6-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1192-13-0x00007FFE1EBF0000-0x00007FFE21713000-memory.dmp

Filesize
43.1MB

Download
memory/1192-14-0x00007FFE1EBF0000-0x00007FFE21713000-memory.dmp

Filesize
43.1MB

Download
memory/1192-15-0x00007FFE1EBF0000-0x00007FFE21713000-memory.dmp

Filesize
43.1MB

Download
memory/1192-16-0x00007FFE1EBF0000-0x00007FFE21713000-memory.dmp

Filesize
43.1MB

Download
memory/1192-17-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1192-18-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/2012-7-0x0000000000000000-mapping.dmp

Download
memory/3416-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads