943660aff538730507a4e2feb526a1441024ef48e7aaa4515088c80062658f56

Analysis

max time kernel
265s
max time network
267s
platform
windows10_x64
resource
win10v20210408
submitted
18-06-2021 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

instruct_06.21.doc
Size

45KB
MD5

b21183bab3178f2dcd753e9d079501d4
SHA1

d4bc00863ed58580f568de4152dade19df2e8a08
SHA256

943660aff538730507a4e2feb526a1441024ef48e7aaa4515088c80062658f56
SHA512

1fff8e91407ed20d885e9d309c72d775295993f0dfc7587d37494ca66c8b6d0fe2343f4972db00ffcec5585a331c18cfcebd2c1082639fe01f696c9f9121a958

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

3008 WINWORD.EXE
3008 WINWORD.EXE
3952 WINWORD.EXE

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3952	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\instruct_06.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
1df8c47949f9b5d4ab72a4e5a16040d4

SHA1
725e67a98b4014bae66504e2395b9dc02a7dff04

SHA256
8ed73c477b6049fbe8aeb72ef139701fbec7798766d506a9dd20c9f00cac52ed

SHA512
ef9711bb4ca26bd7055371ee4e7052aac99709350cdb854d0d7c9f89a25a51e833b58aba6261a5a2519cbffe1d25071f8d9e5a994dc92d2346ee58587d507520

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
da5c27934ffcdd736323a6c57f5ad8f8

SHA1
2e83e5fe94af7f45c87c36f7d3fa2492d65931c2

SHA256
df4e4d4384c82f7c88c58d71f863f064d49bca10428e791dec5a2fad0bacdeb8

SHA512
d836b972bd5547c3da55d3b4fa44c8f451528fb1023c42e80e7f758f357ac26f90de6218ad442ea387f687fabb551bd1ee683c2e032d5fd1df5bdc26f9c7eec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
e780c05fedd0c186661dbbe7bce00a11

SHA1
f617bf626525a50e27b9e648913bcf60d1f553ca

SHA256
ef14ec397377ba4bf8245d35b42ef109d613cc23a25bb6f41adb212b4addd37f

SHA512
e6c88e8aa958f740df68c076eeed5bfe8fd51b74b521b45b0da9dde3bdfbcd38f3b72cddd542972a66aa77ed9e4ab66c1414697a683e4835c8fff86123ade4d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
e780c05fedd0c186661dbbe7bce00a11

SHA1
f617bf626525a50e27b9e648913bcf60d1f553ca

SHA256
ef14ec397377ba4bf8245d35b42ef109d613cc23a25bb6f41adb212b4addd37f

SHA512
e6c88e8aa958f740df68c076eeed5bfe8fd51b74b521b45b0da9dde3bdfbcd38f3b72cddd542972a66aa77ed9e4ab66c1414697a683e4835c8fff86123ade4d6

Download Submit
memory/3008-118-0x00007FFFDF870000-0x00007FFFE2393000-memory.dmp

Filesize
43.1MB

Download
memory/3008-123-0x00007FFFD7C90000-0x00007FFFD9B85000-memory.dmp

Filesize
31.0MB

Download
memory/3008-122-0x0000028D709B0000-0x0000028D71A9E000-memory.dmp

Filesize
16.9MB

Download
memory/3008-114-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp

Filesize
64KB

Download
memory/3008-119-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp

Filesize
64KB

Download
memory/3008-117-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp

Filesize
64KB

Download
memory/3008-116-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp

Filesize
64KB

Download
memory/3008-115-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp

Filesize
64KB

Download
memory/3952-153-0x00007FFFD7C90000-0x00007FFFD9B85000-memory.dmp

Filesize
31.0MB

Download
memory/3952-152-0x00000255D57F0000-0x00000255D68DE000-memory.dmp

Filesize
16.9MB

Download
memory/3952-148-0x00007FFFDF870000-0x00007FFFE2393000-memory.dmp

Filesize
43.1MB

Download