540b8aee7a87730cd824187ea04de1d6cafc7070ff9009d3aa60a8275cd4cdef

General

Target

40HQ of CI PL SC HR210503.docx
Size

10KB
MD5

ffde61c7250f2ad83febb03b28321b4c
SHA1

f37ff229c3e22cb00966eeb76d185a826b134fc1
SHA256

540b8aee7a87730cd824187ea04de1d6cafc7070ff9009d3aa60a8275cd4cdef
SHA512

c7f398a12fe7e27914cfdf45aaf16086dbabb91870ce0249c5122f95eaef432f3b8ea407e342bec8c1476ba6c299b3c630f219955088ee9a4a3091362ea68618

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MsoSync.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1548	640	MsoSync.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEMsoSync.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MsoSync.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEMsoSync.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	MsoSync.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

640 WINWORD.EXE
640 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WINWORD.EXEMsoSync.exe

description pid process

Token: SeAuditPrivilege 640 WINWORD.EXE
Token: SeAuditPrivilege 1548 MsoSync.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

MsoSync.exe

pid process

1548 MsoSync.exe
1548 MsoSync.exe
1548 MsoSync.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

MsoSync.exe

pid process

1548 MsoSync.exe
1548 MsoSync.exe
1548 MsoSync.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXEMsoSync.exe

pid process

640 WINWORD.EXE
640 WINWORD.EXE
640 WINWORD.EXE
640 WINWORD.EXE
640 WINWORD.EXE
640 WINWORD.EXE
1548 MsoSync.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description pid process target process

PID 640 wrote to memory of 1548 640 WINWORD.EXE MsoSync.exe
PID 640 wrote to memory of 1548 640 WINWORD.EXE MsoSync.exe

pid	process
640	WINWORD.EXE
640	WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	640	WINWORD.EXE
Token: SeAuditPrivilege	1548	MsoSync.exe

pid	process
1548	MsoSync.exe
1548	MsoSync.exe
1548	MsoSync.exe

pid	process
1548	MsoSync.exe
1548	MsoSync.exe
1548	MsoSync.exe

pid	process
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
1548	MsoSync.exe

description	pid	process	target process
PID 640 wrote to memory of 1548	640	WINWORD.EXE	MsoSync.exe
PID 640 wrote to memory of 1548	640	WINWORD.EXE	MsoSync.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\40HQ of CI PL SC HR210503.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640

C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe
"C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"
2⤵
- Process spawned unexpected child process
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1548

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb
MD5
2cde2db922cff07e127b5d1d2bc56e2b

SHA1
93aad9de64a9c55ccf050a0f6f58742819267ed5

SHA256
2368df1b5a944dcf585a0b142822f0c6cfaef40cc43aa4fb86c9e11e95ef5127

SHA512
9c51e9fe771fc8cf32d688ee00186cba36f96e18d2e2169de39562681643e5b8af8c458b52793167547d5214ff93363d534e1a01b3bfb5fbf7ac062b4db34dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
MD5
6a4185d3246b15d5e3fa6f9f59c94ba4

SHA1
b500c294fa82165c48ed63903a1572e99fc1a975

SHA256
450af3a2b2ec48227df11cf655bcf40d69ea672f1c229687eef193dcd98ae978

SHA512
a4d896bc02c91fd0f4d45df010347a353dadcd8517ea516f32bc4969718ba023c285f7a2ee36f6a49754074b9278b0741790c149957d051095c451fd53ba3746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
MD5
6a4185d3246b15d5e3fa6f9f59c94ba4

SHA1
b500c294fa82165c48ed63903a1572e99fc1a975

SHA256
450af3a2b2ec48227df11cf655bcf40d69ea672f1c229687eef193dcd98ae978

SHA512
a4d896bc02c91fd0f4d45df010347a353dadcd8517ea516f32bc4969718ba023c285f7a2ee36f6a49754074b9278b0741790c149957d051095c451fd53ba3746

Download Submit
memory/640-122-0x00007FFDBC340000-0x00007FFDBD42E000-memory.dmp

Filesize
16.9MB

Download
memory/640-119-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp

Filesize
64KB

Download
memory/640-118-0x00007FFDC06E0000-0x00007FFDC3203000-memory.dmp

Filesize
43.1MB

Download
memory/640-114-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp

Filesize
64KB

Download
memory/640-123-0x00007FFDBA440000-0x00007FFDBC335000-memory.dmp

Filesize
31.0MB

Download
memory/640-117-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp

Filesize
64KB

Download
memory/640-116-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp

Filesize
64KB

Download
memory/640-115-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp

Filesize
64KB

Download
memory/1548-179-0x0000000000000000-mapping.dmp

Download
memory/1548-180-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads