Analysis
- max time kernel: 130s
- max time network: 138s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 25-05-2021 11:47
Static task: static1
Behavioral task: behavioral1
  Sample: Quote 2405987021.docx
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Quote 2405987021.docx
  Resource: win10v20210408
General
- Target: Quote 2405987021.docx
- Size: 10KB
- MD5: 992acd038fd49f200bd5510c029e74b1
- SHA1: f1a0abb5f96c21f8a799e4f65c4216bd968c29b7
- SHA256: 5274c7fea16b84e327d5af683b6ef0c3e1fe1649b6cea88399e029ed5deeee6f
- SHA512: e08e069138e70fc13ce97ccd1f5b99c763d5b23f90773f8248a4ca5b6e3dc3e71ef277f1dd365c71e58b960b221f0ff5479694baf10a66ca6079431ff84eef10
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: MsoSync.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2600 | 4656 | MsoSync.exe | WINWORD.EXE
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MsoSync.exe, WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MsoSync.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | MsoSync.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MsoSync.exe
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: WINWORD.EXE, MsoSync.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | MsoSync.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | MsoSync.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | MsoSync.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  4656 | WINWORD.EXE
  4656 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: WINWORD.EXE, MsoSync.exe
  description | pid | process
  Token: SeAuditPrivilege | 4656 | WINWORD.EXE
  Token: SeAuditPrivilege | 2600 | MsoSync.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: MsoSync.exe
  pid | process
  2600 | MsoSync.exe
  2600 | MsoSync.exe
  2600 | MsoSync.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: MsoSync.exe
  pid | process
  2600 | MsoSync.exe
  2600 | MsoSync.exe
  2600 | MsoSync.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: WINWORD.EXE, MsoSync.exe
  pid | process
  4656 | WINWORD.EXE
  4656 | WINWORD.EXE
  4656 | WINWORD.EXE
  4656 | WINWORD.EXE
  4656 | WINWORD.EXE
  4656 | WINWORD.EXE
  2600 | MsoSync.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WINWORD.EXE
  description | pid | process | target process
  PID 4656 wrote to memory of 2600 | 4656 | WINWORD.EXE | MsoSync.exe
  PID 4656 wrote to memory of 2600 | 4656 | WINWORD.EXE | MsoSync.exe
Processes
- 1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Quote 2405987021.docx" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - 2. C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe (child of 1)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"
    - Process spawned unexpected child process
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb
  MD5: 421ece614d1ebe221f99e3d9e8f59773
  SHA1: 02877fb6f1e63f1bf48eb2e610cec1bb066ae30e
  SHA256: 74e8ee9b8dd2d81c275e7bb1f641a1ee9555298b9224cc6c8c576d93bb0a6fa0
  SHA512: 30daf5fe0a80e070e1389edf48d5a0ad6ded3f9f790d382d240d80c454d66e0bb61d43fa1e36e4495c9c97f7e68b3cce4e068bd3dc802674f1decc084e25d078
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
  MD5: 6a4185d3246b15d5e3fa6f9f59c94ba4
  SHA1: b500c294fa82165c48ed63903a1572e99fc1a975
  SHA256: 450af3a2b2ec48227df11cf655bcf40d69ea672f1c229687eef193dcd98ae978
  SHA512: a4d896bc02c91fd0f4d45df010347a353dadcd8517ea516f32bc4969718ba023c285f7a2ee36f6a49754074b9278b0741790c149957d051095c451fd53ba3746
- memory/2600-179-0x0000000000000000-mapping.dmp
- memory/2600-182-0x00007FFA38500000-0x00007FFA38510000-memory.dmp (Filesize: 64KB)
- memory/4656-117-0x00007FFA38500000-0x00007FFA38510000-memory.dmp (Filesize: 64KB)
- memory/4656-122-0x00007FFA54150000-0x00007FFA5523E000-memory.dmp (Filesize: 16.9MB)
- memory/4656-123-0x00007FFA52250000-0x00007FFA54145000-memory.dmp (Filesize: 31.0MB)
- memory/4656-118-0x00007FFA592C0000-0x00007FFA5BDE3000-memory.dmp (Filesize: 43.1MB)
- memory/4656-119-0x00007FFA38500000-0x00007FFA38510000-memory.dmp (Filesize: 64KB)
- memory/4656-114-0x00007FFA38500000-0x00007FFA38510000-memory.dmp (Filesize: 64KB)
- memory/4656-116-0x00007FFA38500000-0x00007FFA38510000-memory.dmp (Filesize: 64KB)
- memory/4656-115-0x00007FFA38500000-0x00007FFA38510000-memory.dmp (Filesize: 64KB)