9e7906cf5f653a70e1a30828d805dcf165b50a7e664cb94de562771203219e21

General

Target

files_05.21.doc
Size

75KB
MD5

f143869b5567d92152addee5f40b2544
SHA1

641ba7fc05997aca01b83dfbaa078c86d4b6b7df
SHA256

9e7906cf5f653a70e1a30828d805dcf165b50a7e664cb94de562771203219e21
SHA512

655f4d350a12b39aadbdf7eae54c2e7f39bdd751bede45c28c044f207aef5e4e80abe3031b069331e76a28b2ae1e29438b4fe13815832bd9e25f6484bb1a62fd

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	748	3776	rundll32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

3680 WINWORD.EXE
3680 WINWORD.EXE
3776 WINWORD.EXE

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3776 wrote to memory of 748	3776	WINWORD.EXE	rundll32.exe
PID 3776 wrote to memory of 748	3776	WINWORD.EXE	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\files_05.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe c:\programdata\storageArgument.jpg,PluginInit
2⤵
- Process spawned unexpected child process
PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
c818d1a2303069fccb29a84353a0e4b9

SHA1
29cf56b6ca40bc9333728ea3c92b4e2dd8f63087

SHA256
ba8bddb399ff54df8d1f560fe3e695d0b0ed072617cb5b485647730e2285e084

SHA512
162d75f4a6f07cacfbd457a7b2e01c24d9fe91bf7a77c11f9ec9326a62d6ddcb4c22e848d863311456d065898a7e007f8ed22f4c98f26255c77ee854a84f3252

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
c23e39ffa272b9f1663b6a43e7684594

SHA1
b955fc2884bd64fc5bd48e440ca4272048177ee7

SHA256
8caefa99d3f701c57008cde8a5f5faa90a14018a8b7867242a4b90f7a2719a7c

SHA512
ffb849952e020051ab0769ba0f8ade10a4698be1896f36ddbc3fdda573b5e0284c643b362d86f8133a93526786822fe155de07406b98a4b2197e138ada5330d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0E41A45B-0BB3-4AD5-A08B-1ECD5C3DB71D
MD5
1ff1ad734f61c2b95c4f106f3f4158f4

SHA1
624767fe3a4dd799f4864efa574bd03068f10b55

SHA256
470dcee0cf34adec248d1d1042270731022c25f2b49876688a11726e7468e1f7

SHA512
b16a6c0513ee42a9ebf7246954043da835cb9d0d7323e3593652769cc1ed8df9ef9de8ab39244f7cd79d2feed8a014f272759d37ee123bd59502f8d34351a632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
b33b89b3e88213f5aa19fe207a0cb5f6

SHA1
25b43ad294dc7e51ef28191ba15e431efff53efa

SHA256
0fb8aeb2d4b45952649d794c3ca885cfa30a69ac95d6a475a7f6ec334705bcfe

SHA512
af66aa0b2e79542ee0ce066bd927fa00fe03a5305ada4f30cba0e408a3f734b539f8679c0f96ff258ab975c1c9cfec9d7dcf504f87bc21849b2a0b00e4d3a9da

Download Submit
\??\c:\programdata\storageArgument.jpg
MD5
d9fea499cf43ca9d1b3c30aa11c36b32

SHA1
2029ac0cf93300b10cee62f02c2f0efa41a6d451

SHA256
77c624edd299f5d5c87c5d88f4c7c954edc4bed3ab5d1a2d315b318ba9eab8a6

SHA512
2d9b2676582bf5ab24620fe71320a659e574ac9add3dc2b00cfad856dd425b669cc457908fa35bb8d2d3031e459b7ff4965083cb29e2a2325f381422b1fd8ca9

Download Submit
memory/748-182-0x0000000000000000-mapping.dmp

Download
memory/3680-117-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/3680-123-0x00007FF8736A0000-0x00007FF875595000-memory.dmp

Filesize
31.0MB

Download
memory/3680-179-0x000002EB6AB30000-0x000002EB6AB34000-memory.dmp

Filesize
16KB

Download
memory/3680-122-0x00007FF876250000-0x00007FF87733E000-memory.dmp

Filesize
16.9MB

Download
memory/3680-118-0x00007FF87BE00000-0x00007FF87E923000-memory.dmp

Filesize
43.1MB

Download
memory/3680-119-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/3680-114-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/3680-116-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/3680-115-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads