32a1f6000760b5eaa73ccfcbb44b2e26a575130cffdb2bb0ba5d0562e7e720c3

General

Target

Fischfangstatistik.doc
Size

824KB
MD5

ba5cc4d279e4b036a4f49a6582bf1e54
SHA1

6c3b3a4e09f7b8c2f5907968084f71cbdde357ce
SHA256

32a1f6000760b5eaa73ccfcbb44b2e26a575130cffdb2bb0ba5d0562e7e720c3
SHA512

4587c2b85983e7bafcb0a11bee14eee347d40d8d736771e9584785af1c5cbade9dee21977ed562fd1ebe247df40e1462a53c002bb609faf5caf8320ea13862dc

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

504 WINWORD.EXE
504 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EXCEL.EXE

description pid process

Token: SeDebugPrivilege 2976 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	2976	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

WINWORD.EXEEXCEL.EXE

pid	process
504	WINWORD.EXE
504	WINWORD.EXE
504	WINWORD.EXE
504	WINWORD.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
504	WINWORD.EXE
504	WINWORD.EXE
504	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Fischfangstatistik.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:504

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
724dd728c7dd60c4b1637674a6b621d0

SHA1
6ae653d2e5dc30cd98659ce1ef608fbd05745786

SHA256
277489f9280fb57f60ac3bd73f37878dcb628b0a9832cfd093514464b4fbc160

SHA512
89173fe3f71d421a0c50f0d7df1af05c48bfbc70f6310b49baa61678649e4bb37f12b835f1bff16fe91fee751a59a3282ff7a84cb41cd8d340218eb1c05e5a4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
927ee0aa044a0ae54ec27fc6c93b9ac9

SHA1
26467b420400390e7b5bb954f7277ef33c5b1ac2

SHA256
fbf56b3bf4baf4deb1127fedaffc09df6334bb6863b5b24c1b05737cf678beae

SHA512
11441f9c5ce0b67cf899e6496389e51214d58398c293a37ef6a2c6976ce944bf707194c2b0da81bd5ce1c31ad9811594267a6ba74baddb3025c5bd21d9416825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
memory/504-3-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmp

Filesize
64KB

Download
memory/504-4-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmp

Filesize
64KB

Download
memory/504-5-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmp

Filesize
64KB

Download
memory/504-6-0x00007FF800510000-0x00007FF800B47000-memory.dmp

Filesize
6.2MB

Download
memory/504-2-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmp

Filesize
64KB

Download
memory/2976-13-0x0000020C17A50000-0x0000020C17A5B000-memory.dmp

Filesize
44KB

Download
memory/2976-16-0x0000020C2FF10000-0x0000020C2FF12000-memory.dmp

Filesize
8KB

Download
memory/2976-17-0x0000020C2FF13000-0x0000020C2FF15000-memory.dmp

Filesize
8KB

Download
memory/2976-18-0x0000020C2FF16000-0x0000020C2FF17000-memory.dmp

Filesize
4KB

Download
memory/2976-14-0x0000020C17B40000-0x0000020C17B43000-memory.dmp

Filesize
12KB

Download
memory/2976-12-0x00007FFFF7E80000-0x00007FFFF886C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-11-0x00007FF800510000-0x00007FF800B47000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads