new_order.doc.docx

General
  Target      new_order.doc.docx
  Filesize    10KB
  Completed   21-04-2021 18:06
  Score       1/10
  MD5         eb9b4decb03b5c81b5f4c0cc9dd5758f
  SHA1        22ee73cf80deaf3122cc4e9fd45b062f71b4e2f4
  SHA256      ce47c3f3359a2f2dd2de306544df0e10cf5cefebfccf8d556432918622487f25

Malware Config
Signatures 5

Discovery
  • Checks processor information in registry
    WINWORD.EXE

    Description

    Processor information is often read in order to detect sandboxing environments (hypervisor names and clock values under CentralProcessor\0 give away a VM). In this run the reader is WINWORD.EXE itself (PID 708), no other signature fires, and the overall score is 1/10.

    TTPs

    Query Registry (T1012), System Information Discovery (T1082)

    Reported IOCs

    description        | ioc                                                                                | process
    Key opened         | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                   | WINWORD.EXE
    Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz              | WINWORD.EXE
    Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  • Enumerates system info in registry
    WINWORD.EXE

    TTPs

    Query Registry (T1012), System Information Discovery (T1082)

    Reported IOCs

    description        | ioc                                                                | process
    Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU      | WINWORD.EXE
    Key opened         | \REGISTRY\MACHINE\Hardware\Description\System\BIOS                | WINWORD.EXE
    Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   | WINWORD.EXE
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pid  | process
    708  | WINWORD.EXE (2 events)
  • Suspicious use of AdjustPrivilegeToken
    WINWORD.EXE

    Reported IOCs

    description               | pid  | process
    Token: SeAuditPrivilege   | 708  | WINWORD.EXE
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE

    Reported IOCs

    pid  | process
    708  | WINWORD.EXE (6 events)
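The two Discovery signatures above fire on the same registry surfaces that sandbox-evasion code fingerprints, yet here the reader is Word itself and the verdict is 1/10. The following is an added triage helper, not part of the sandbox report or its vendor's tooling: it takes Reported-IOC rows in the report's (description, ioc, process) shape, maps them to the fingerprinted keys, applies a baseline of processes that are assumed to read these keys legitimately (the baseline set, the hypervisor marker list and the verdict labels are assumptions for illustration), and separately shows what an evasion check would learn from the values themselves. The sample rows are reconstructed from this report's tables; the live read of the same values runs only on Windows.

```python
"""Triage of registry-read IOCs such as those reported for WINWORD.EXE (PID 708).

Added example; the key list, VM_MARKERS and BASELINE_READERS are assumptions.
"""
import sys
from collections import defaultdict

# Registry locations commonly fingerprinted by sandbox-evasion code, and why.
# Matched case-insensitively after stripping the \REGISTRY\MACHINE\ prefix.
FINGERPRINT_KEYS = {
    r"HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0":
        "CPU model and clock: hypervisor names or odd ~MHz values betray a VM",
    r"HARDWARE\DESCRIPTION\SYSTEM\BIOS":
        "BIOS/system strings: the hypervisor vendor usually appears here",
}

# Substrings in those values that identify a hypervisor (assumed list).
VM_MARKERS = ("VMWARE", "VIRTUALBOX", "VBOX", "QEMU", "KVM", "XEN", "HYPER-V",
              "VIRTUAL MACHINE", "BOCHS", "PARALLELS")

# Processes assumed to read these keys during normal startup; the report's
# 1/10 score is consistent with WINWORD.EXE being such a reader.
BASELINE_READERS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}

# Constructed from this report's Reported IOCs (process column restored).
SAMPLE_RECORDS = [
    ("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU", "WINWORD.EXE"),
    ("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily", "WINWORD.EXE"),
]


def normalise(path):
    """Upper-case the native path and make it relative to HKLM."""
    p = path.upper()
    prefix = "\\REGISTRY\\MACHINE\\"
    return p[len(prefix):] if p.startswith(prefix) else p


def split_key_and_value(description, path):
    """'Key value queried' rows carry the value name as the last component."""
    p = normalise(path)
    if description.lower().startswith("key value"):
        key, _, value = p.rpartition("\\")
        return key, value
    return p, None


def triage_registry_iocs(records):
    """records: iterable of (description, ioc, process) rows.

    Returns {PROCESS: {"keys": {key: reason}, "values": [...], "verdict": str}}
    for processes that touched a fingerprinted key; other rows are ignored."""
    out = defaultdict(lambda: {"keys": {}, "values": [], "verdict": ""})
    for description, path, process in records:
        key, value = split_key_and_value(description, path)
        reason = FINGERPRINT_KEYS.get(key)
        if reason is None:
            continue
        entry = out[process.upper()]
        entry["keys"][key] = reason
        if value:
            entry["values"].append(value)
    for process, entry in out.items():
        # Same reads, different weight: expected for the baseline, worth a look otherwise.
        entry["verdict"] = "low" if process in BASELINE_READERS else "review"
    return dict(out)


def vm_indicators(values):
    """values: {value_name: data} read from the fingerprinted keys.

    Returns (value_name, marker) pairs that would tell evasion code it is in a VM."""
    hits = []
    for name, data in values.items():
        text = str(data).upper()
        hits.extend((name, m) for m in VM_MARKERS if m in text)
    return hits


def read_fingerprint_values():
    """Read the same values the report shows WINWORD.EXE querying (Windows only)."""
    if sys.platform != "win32":
        raise OSError("winreg is only available on Windows")
    import winreg
    wanted = {
        r"HARDWARE\DESCRIPTION\System\CentralProcessor\0": ("~MHz", "ProcessorNameString"),
        r"HARDWARE\DESCRIPTION\System\BIOS": ("SystemFamily", "SystemSKU"),
    }
    values = {}
    for key_path, names in wanted.items():
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            for name in names:
                try:
                    values[name], _ = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    pass  # value absent on this build; skip it
    return values


if __name__ == "__main__":
    for proc, entry in triage_registry_iocs(SAMPLE_RECORDS).items():
        print(proc, entry["verdict"], sorted(entry["values"]))
        for key, why in entry["keys"].items():
            print("   ", key, "->", why)
    if sys.platform == "win32":
        print("hypervisor markers on this host:", vm_indicators(read_fingerprint_values()))
```

Run on the sample rows, WINWORD.EXE is reported at "low" with both fingerprint keys and all four queried values listed; the same rows attributed to an unknown binary come back as "review". On a Windows analysis VM, `vm_indicators(read_fingerprint_values())` shows which of these values your sandbox still leaks and therefore which ones to spoof.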
Processes 1
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\new_order.doc.docx" /o ""
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    PID:708
Network
MITRE ATT&CK Matrix
  Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation.
  The only techniques reported for this run are the two Discovery techniques listed under Signatures: Query Registry and System Information Discovery.
Downloads
  • memory/708-114-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp
  • memory/708-115-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp
  • memory/708-116-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp
  • memory/708-117-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp
  • memory/708-119-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp
  • memory/708-118-0x00007FFF9BA10000-0x00007FFF9E533000-memory.dmp
  • memory/708-122-0x000001D087AC0000-0x000001D088BAE000-memory.dmp
  • memory/708-123-0x00007FFF948B0000-0x00007FFF967A5000-memory.dmp