0c8704fd49a85bec94233219640e3bae68aa4030b3ae6e582d502dbef38b6707

General

Target

commerce _03.09.2021.doc
Size

91KB
MD5

0aa86c039d3fbad067749edf8a4ce659
SHA1

15c9d4ba5557b47dbdde61831296c2d67ede7357
SHA256

0c8704fd49a85bec94233219640e3bae68aa4030b3ae6e582d502dbef38b6707
SHA512

bb41673650c28b4ebfd884f539f1be549124d70912278302dbe8781cf7e051a693b20c9a1d399a4789f0420841c26960cb1e381dede9cd107d433c352d56b9d1

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

xml.com

pid process

3564 xml.com

pid	process
3564	xml.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

880 WINWORD.EXE
880 WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

xml.com

description	pid	process
Token: SeIncreaseQuotaPrivilege	3564	xml.com
Token: SeSecurityPrivilege	3564	xml.com
Token: SeTakeOwnershipPrivilege	3564	xml.com
Token: SeLoadDriverPrivilege	3564	xml.com
Token: SeSystemProfilePrivilege	3564	xml.com
Token: SeSystemtimePrivilege	3564	xml.com
Token: SeProfSingleProcessPrivilege	3564	xml.com
Token: SeIncBasePriorityPrivilege	3564	xml.com
Token: SeCreatePagefilePrivilege	3564	xml.com
Token: SeBackupPrivilege	3564	xml.com
Token: SeRestorePrivilege	3564	xml.com
Token: SeShutdownPrivilege	3564	xml.com
Token: SeDebugPrivilege	3564	xml.com
Token: SeSystemEnvironmentPrivilege	3564	xml.com
Token: SeRemoteShutdownPrivilege	3564	xml.com
Token: SeUndockPrivilege	3564	xml.com
Token: SeManageVolumePrivilege	3564	xml.com
Token: 33	3564	xml.com
Token: 34	3564	xml.com
Token: 35	3564	xml.com
Token: 36	3564	xml.com
Token: SeIncreaseQuotaPrivilege	3564	xml.com
Token: SeSecurityPrivilege	3564	xml.com
Token: SeTakeOwnershipPrivilege	3564	xml.com
Token: SeLoadDriverPrivilege	3564	xml.com
Token: SeSystemProfilePrivilege	3564	xml.com
Token: SeSystemtimePrivilege	3564	xml.com
Token: SeProfSingleProcessPrivilege	3564	xml.com
Token: SeIncBasePriorityPrivilege	3564	xml.com
Token: SeCreatePagefilePrivilege	3564	xml.com
Token: SeBackupPrivilege	3564	xml.com
Token: SeRestorePrivilege	3564	xml.com
Token: SeShutdownPrivilege	3564	xml.com
Token: SeDebugPrivilege	3564	xml.com
Token: SeSystemEnvironmentPrivilege	3564	xml.com
Token: SeRemoteShutdownPrivilege	3564	xml.com
Token: SeUndockPrivilege	3564	xml.com
Token: SeManageVolumePrivilege	3564	xml.com
Token: 33	3564	xml.com
Token: 34	3564	xml.com
Token: 35	3564	xml.com
Token: 36	3564	xml.com

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXExml.com

description	pid	process	target process
PID 880 wrote to memory of 3564	880	WINWORD.EXE	xml.com
PID 880 wrote to memory of 3564	880	WINWORD.EXE	xml.com
PID 3564 wrote to memory of 3968	3564	xml.com	regsvr32.exe
PID 3564 wrote to memory of 3968	3564	xml.com	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commerce _03.09.2021.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

C:\programdata\xml.com
"C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 c:\programdata\58886.jpg
3⤵
PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xml.com
MD5
4191f61f2449ccc2bc2f2ac6d8898ce7

SHA1
d49936fc8a03561214ce4bf9791ca59e94ab8fe9

SHA256
74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

SHA512
fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

Download Submit
\??\c:\programdata\58886.jpg
MD5
cc27f97020f8e62bdd670ff1dc5d6c0f

SHA1
50a767c62c3b69ea2c81c5218b4303c10a218943

SHA256
ef17720640796bbdbd60fe6f961a6319eb392963e3348f84d5a533961734f486

SHA512
b6914b2e3b7e91fcdf70fa7227fdf50debbcd8ebe70a6b978e9775f4380c16e50cf17bd4fd2fe780caabea1fcc2eefa1b3ac0271cdc25c115a9ca83cb2cd0473

Download Submit
\??\c:\programdata\i.xsl
MD5
019bf95cfa8bd8cef5ccbe11a17d5b4a

SHA1
9617ac6e29d86217d54609d37d79bf7dcef986ae

SHA256
2b9c7426ad5db95c7924ea37084742b3af34cdcafad397584b28cf8ea343e774

SHA512
4a267d89006648a046f18565abeb9fe29b9a4cade415f4dfffb167e400e02eebeaca9c9a49dc73bec614f8faafeb5db772978a40cd17b9f74b14df4a11e07f6b

Download Submit
memory/880-2-0x00007FF920240000-0x00007FF920250000-memory.dmp

Filesize
64KB

Download
memory/880-3-0x00007FF920240000-0x00007FF920250000-memory.dmp

Filesize
64KB

Download
memory/880-4-0x00007FF920240000-0x00007FF920250000-memory.dmp

Filesize
64KB

Download
memory/880-5-0x00007FF920240000-0x00007FF920250000-memory.dmp

Filesize
64KB

Download
memory/880-6-0x000002173BFA0000-0x000002173C5D7000-memory.dmp

Filesize
6.2MB

Download
memory/880-7-0x000002174A8A0000-0x000002174A8A4000-memory.dmp

Filesize
16KB

Download
memory/3564-8-0x0000000000000000-mapping.dmp

Download
memory/3968-11-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads