General
  Target: Zakaz na pokupku 21-10-2021.doc
  Filesize: 4 KB
  Completed: 21-10-2021 18:01
  Task: behavioral2
  Score: 1/10
  MD5: e205f10f887754bd65281f14c25c0f21
  SHA1: b356aab56ba5eb993326e4ede7e254e7181aa165
  SHA256: 5d77fcbee204c6b9fea6ec4bda5216714e2e46f4247f673956e64e36a9c3424d
  SHA512: cd43d1cb4193ef5aa4f77a290e186a4e87d55f42a61b502cbc2beeb2044613855e82553effca9f6bcda5cd4174c8c0ce6989774530c3b68c7a612ba26c2ef0a2

Malware Config
Signatures (4)

Discovery
  • Checks processor information in registry
    Process: WINWORD.EXE

    Description: Processor information is often read in order to detect sandboxing environments.

    TTPs: Query Registry; System Information Discovery

    Reported IOCs
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  • Enumerates system info in registry
    Process: WINWORD.EXE

    TTPs: Query Registry; System Information Discovery

    Reported IOCs
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  • Suspicious behavior: AddClipboardFormatListener
    Process: WINWORD.EXE

    Reported IOCs
    pid | process
    4080 | WINWORD.EXE (reported 2 times)
  • Suspicious use of SetWindowsHookEx
    Process: WINWORD.EXE

    Reported IOCs
    pid | process
    4080 | WINWORD.EXE (reported 7 times)
Processes (1)
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Zakaz na pokupku 21-10-2021.doc" /o ""
    PID: 4080
    Signatures:
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
  Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/4080-115-0x00007FFEF14B0000-0x00007FFEF14C0000-memory.dmp
  • memory/4080-116-0x00007FFEF14B0000-0x00007FFEF14C0000-memory.dmp
  • memory/4080-117-0x00007FFEF14B0000-0x00007FFEF14C0000-memory.dmp
  • memory/4080-118-0x00007FFEF14B0000-0x00007FFEF14C0000-memory.dmp
  • memory/4080-119-0x00007FFEF14B0000-0x00007FFEF14C0000-memory.dmp
  • memory/4080-120-0x00000189CA3E0000-0x00000189CA3E2000-memory.dmp
  • memory/4080-121-0x00000189CA3E0000-0x00000189CA3E2000-memory.dmp
  • memory/4080-122-0x00000189CA3E0000-0x00000189CA3E2000-memory.dmp