9276a41770c78d4b4899de54a17125bd390bf02cacf907e3129e8c776a2d50ed

General

Target

77a5159c1b276c88f513d71aed1ecd7d40aeb864a2cb26da646a5a9634b747ea.bin.doc
Size

46KB
MD5

b597371a6096565c712d498c5d23aae6
SHA1

866fa4cd4918cb99405cd78cf2fb475212106ebd
SHA256

77a5159c1b276c88f513d71aed1ecd7d40aeb864a2cb26da646a5a9634b747ea
SHA512

feebb44b6a8ff7d142154000fc76e9255f519b2d5935e047f381f60c8cff20c6273dc0e515dc88d5fd6908456bf97176f47316085211fe6ee9092e48f7130f5d

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

672 WINWORD.EXE
672 WINWORD.EXE
2128 WINWORD.EXE

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
2128	WINWORD.EXE
2128	WINWORD.EXE
2128	WINWORD.EXE
2128	WINWORD.EXE
2128	WINWORD.EXE
2128	WINWORD.EXE
2128	WINWORD.EXE
2128	WINWORD.EXE
2128	WINWORD.EXE
2128	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\77a5159c1b276c88f513d71aed1ecd7d40aeb864a2cb26da646a5a9634b747ea.bin.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:672

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
ef8bf968b61edcbb962d7206ef3b28cc

SHA1
1e6c01e874017e3475437d177071702464da1777

SHA256
1be9699dde66ef381d3b935afeb7d09724e9065532e7a37b725c6141d49e2eba

SHA512
00ec6fe6d1ddd9818a7c981edf1f9b1b7eb91f3651bd2800bfe67d769088ae36e740a8f28edf885930b82790ae0befa1fdc4e7588cbbfb79193af6ea2e9b3b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
2862f27f316b4d2f47b4964c2fe111e5

SHA1
93be745fca2c2aa1ab3edaaa1d9b06dbffe94705

SHA256
0864fd7765347269362abaa75a418ad98c6a3ab271aa70616165dde2b2a2d13e

SHA512
9fe9bd74ccf0639106b416f79f22f41243c8de92ae398e68797092aaaac517b51eb1fdc860d8a731251e1dd6bbd4647dbfd5f47bc387d763b9cf74c75a8c0d4e

Download Submit
memory/672-119-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp

Filesize
64KB

Download
memory/672-179-0x000001C4F13E0000-0x000001C4F13E4000-memory.dmp

Filesize
16KB

Download
memory/672-123-0x00007FF8C6780000-0x00007FF8C8675000-memory.dmp

Filesize
31.0MB

Download
memory/672-122-0x00007FF8C9130000-0x00007FF8CA21E000-memory.dmp

Filesize
16.9MB

Download
memory/672-118-0x00007FF8CDC40000-0x00007FF8D0763000-memory.dmp

Filesize
43.1MB

Download
memory/672-114-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp

Filesize
64KB

Download
memory/672-117-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp

Filesize
64KB

Download
memory/672-116-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp

Filesize
64KB

Download
memory/672-115-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads