9c3557c82143354e46734497c9237af055f29f8335460e26867e2662ca38926c

Analysis

max time kernel
101s
max time network
135s
platform
windows10_x64
resource
win10v20210410
submitted
18-06-2021 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

legal paper-06.18.2021.doc
Size

45KB
MD5

431c63dfcdbee4be13b948b6340382ce
SHA1

f60de0bd4c89c99fc385f72636f50135387a3121
SHA256

9c3557c82143354e46734497c9237af055f29f8335460e26867e2662ca38926c
SHA512

f6471d7b7393dd2b5febbdde0b0ae4bf86fa3418afcb7443e906e0ca717d8700cbb86fcc0995cdd8667a87f349706f02956f1906033a3fe68644eced092f5b41

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1548	4276	regsvr32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

4440 WINWORD.EXE
4440 WINWORD.EXE
4276 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

4440 WINWORD.EXE
4440 WINWORD.EXE

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4276 wrote to memory of 1548	4276	WINWORD.EXE	regsvr32.exe
PID 4276 wrote to memory of 1548	4276	WINWORD.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal paper-06.18.2021.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe c:\programdata\pasteTmpRequest.jpg
2⤵
- Process spawned unexpected child process
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
1df8c47949f9b5d4ab72a4e5a16040d4

SHA1
725e67a98b4014bae66504e2395b9dc02a7dff04

SHA256
8ed73c477b6049fbe8aeb72ef139701fbec7798766d506a9dd20c9f00cac52ed

SHA512
ef9711bb4ca26bd7055371ee4e7052aac99709350cdb854d0d7c9f89a25a51e833b58aba6261a5a2519cbffe1d25071f8d9e5a994dc92d2346ee58587d507520

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
3f886044a19982b09721a4a63cbf8f9f

SHA1
f79a5c9e80b52866db6cc3ac944c00cfed419756

SHA256
4c603c0b1ef11be8d6559869a26dd6c02b7f49e86a2597c7cf2e29e1a383a30b

SHA512
31ad04193dc89bbd599916aba39e79dca0d526e2eaf0e0852885a951a6935a403e2ecab6558e573e06ca2a6f6c92752af24d675826fcc782cc5d45779b5a8b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A3EE8126-A558-4E77-B9B7-32DA02DAFC95
MD5
b443367fdc2ade2f6cf404c18c46fd7e

SHA1
3798f6527910cbfa111ea4305ce8ea09fa2908dc

SHA256
18e2a411a9843bcd5fa87ba8bdfa093e8630d654bb8ecf8dd4373567db0db22a

SHA512
6f385d50072072e2176334625bedcf5140077a8ff84fa8c17bbced1d21dde315a95730d9807c8b48091c36b76c20a8ec2784028f6850045906c6a023dbdfbd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
4ace3566654ea7d2005eed3c9498a32b

SHA1
ff9adfbb3b8b4f2d4f7eee078ce39aacc867b8cb

SHA256
a4c60865114c522bcc4d2763c4b4a8815ceb7340c796e7f2db2d1dea9cb03235

SHA512
1e5fe5a635a19f4046a587011994b9de7206d6913c62dba702e4e17d3c33622ad33e062acbfa71040bf200fcff8b51c033f6073bf771fb8ca33222735ba9b3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
4ace3566654ea7d2005eed3c9498a32b

SHA1
ff9adfbb3b8b4f2d4f7eee078ce39aacc867b8cb

SHA256
a4c60865114c522bcc4d2763c4b4a8815ceb7340c796e7f2db2d1dea9cb03235

SHA512
1e5fe5a635a19f4046a587011994b9de7206d6913c62dba702e4e17d3c33622ad33e062acbfa71040bf200fcff8b51c033f6073bf771fb8ca33222735ba9b3e0

Download Submit
\??\c:\programdata\pasteTmpRequest.jpg
MD5
95af0fb82b086b3cef9afb2041ad75a9

SHA1
2cffd9e7fd781db32dc21bf1a9a6e0aa3ec035c8

SHA256
849f1a525e10f73dc7b0d0f9b8b71d9b8578b9f73506f78056fdd52e10966ca6

SHA512
de528ca04d5aec116ee375f6de93a2214aee33c413d87ec286211e90b16a4265b2e4854a346b412fb8563c45a1de95f6830650d26204cd77c9c72dd4bd7b2012

Download Submit
memory/1548-181-0x0000000000000000-mapping.dmp

Download
memory/4440-114-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp

Filesize
64KB

Download
memory/4440-123-0x00007FF9CD2D0000-0x00007FF9CF1C5000-memory.dmp

Filesize
31.0MB

Download
memory/4440-122-0x00007FF9D0590000-0x00007FF9D167E000-memory.dmp

Filesize
16.9MB

Download
memory/4440-118-0x00007FF9D5390000-0x00007FF9D7EB3000-memory.dmp

Filesize
43.1MB

Download
memory/4440-119-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp

Filesize
64KB

Download
memory/4440-117-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp

Filesize
64KB

Download
memory/4440-116-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp

Filesize
64KB

Download
memory/4440-115-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmp

Filesize
64KB

Download