ff71526ee8d92ee36f36e5daa68bfc81e64a71931b2baf14b350a38d25ac5f10

General

Target

ecb02fbc_by_Libranalysis.doc
Size

10KB
MD5

ecb02fbc03e5081a20ee10b35eb1efe8
SHA1

d41872cf3b63ef4b2292c3aed946e8515d2b9dda
SHA256

ff71526ee8d92ee36f36e5daa68bfc81e64a71931b2baf14b350a38d25ac5f10
SHA512

cc23a244487612e9c317e4b9d07b73e1315f25257aa60f6b9bb84bc9dbf3c4c16e59e561a0301c3dd4376a314abde733f212d43fde0c2c924e047a8b1ac65e2f

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MsoSync.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4068	672	MsoSync.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MsoSync.exeWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MsoSync.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	MsoSync.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEMsoSync.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	MsoSync.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

672 WINWORD.EXE
672 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WINWORD.EXEMsoSync.exe

description pid process

Token: SeAuditPrivilege 672 WINWORD.EXE
Token: SeAuditPrivilege 4068 MsoSync.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

MsoSync.exe

pid process

4068 MsoSync.exe
4068 MsoSync.exe
4068 MsoSync.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

MsoSync.exe

pid process

4068 MsoSync.exe
4068 MsoSync.exe
4068 MsoSync.exe

description	pid	process
Token: SeAuditPrivilege	672	WINWORD.EXE
Token: SeAuditPrivilege	4068	MsoSync.exe

pid	process
4068	MsoSync.exe
4068	MsoSync.exe
4068	MsoSync.exe

pid	process
4068	MsoSync.exe
4068	MsoSync.exe
4068	MsoSync.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXEMsoSync.exe

pid	process
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
4068	MsoSync.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description pid process target process

PID 672 wrote to memory of 4068 672 WINWORD.EXE MsoSync.exe
PID 672 wrote to memory of 4068 672 WINWORD.EXE MsoSync.exe

description	pid	process	target process
PID 672 wrote to memory of 4068	672	WINWORD.EXE	MsoSync.exe
PID 672 wrote to memory of 4068	672	WINWORD.EXE	MsoSync.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ecb02fbc_by_Libranalysis.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:672

C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe
"C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"
2⤵
- Process spawned unexpected child process
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4068

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb
MD5
2c32b74a6192a8f6e5357c3239164ddb

SHA1
52b986f7e5dba0a6d84c557ae1badb96c4900bba

SHA256
8ff6ef2e6a7575e2027c8a5f6a5b8547569ff371106f092d4264b2e04a562433

SHA512
b7a80490552325c4fb26a730b9f0781c8cd875e8c4bf19a7df582ae4bc21768bec1ec00a62312eae498b45cac733f94b078a0b1966f860be74da49ca5fd0c580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
MD5
6a4185d3246b15d5e3fa6f9f59c94ba4

SHA1
b500c294fa82165c48ed63903a1572e99fc1a975

SHA256
450af3a2b2ec48227df11cf655bcf40d69ea672f1c229687eef193dcd98ae978

SHA512
a4d896bc02c91fd0f4d45df010347a353dadcd8517ea516f32bc4969718ba023c285f7a2ee36f6a49754074b9278b0741790c149957d051095c451fd53ba3746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
MD5
6a4185d3246b15d5e3fa6f9f59c94ba4

SHA1
b500c294fa82165c48ed63903a1572e99fc1a975

SHA256
450af3a2b2ec48227df11cf655bcf40d69ea672f1c229687eef193dcd98ae978

SHA512
a4d896bc02c91fd0f4d45df010347a353dadcd8517ea516f32bc4969718ba023c285f7a2ee36f6a49754074b9278b0741790c149957d051095c451fd53ba3746

Download Submit
memory/672-117-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp

Filesize
64KB

Download
memory/672-119-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp

Filesize
64KB

Download
memory/672-118-0x00007FF8CDC40000-0x00007FF8D0763000-memory.dmp

Filesize
43.1MB

Download
memory/672-122-0x00007FF8C9130000-0x00007FF8CA21E000-memory.dmp

Filesize
16.9MB

Download
memory/672-123-0x00007FF8C6780000-0x00007FF8C8675000-memory.dmp

Filesize
31.0MB

Download
memory/672-114-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp

Filesize
64KB

Download
memory/672-116-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp

Filesize
64KB

Download
memory/672-115-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp

Filesize
64KB

Download
memory/4068-179-0x0000000000000000-mapping.dmp

Download
memory/4068-180-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads