General
Target

attachment20220623-9352-39vkb5.docx

Filesize

15KB

Completed

23-06-2022 15:06

Task

behavioral2

Score

1/10

MD5

ffb80cb38f5d800f795caa6d680ced91

SHA1

edec203339855f1566b458552ce020555d1ca759

SHA256

8034e9d89e50c54569328c996b351e5a341558f433b4e7e491c3a78ef5de302a

SHA512

241c09eb900243c70c06c341f213471bbbe7f0b64c9dd3006136daf5de66e59f2b857e28c7d6582c0a790a57db4e43462fcafea7a1c2de9e76fc6959b3ad7f80

Malware Config
Signatures 4

Discovery
  • Checks processor information in registry
    WINWORD.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  • Enumerates system info in registry
    WINWORD.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pid | process
    1372 | WINWORD.EXE
    1372 | WINWORD.EXE
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE

    Reported IOCs

    pid | process
    1372 | WINWORD.EXE
    1372 | WINWORD.EXE
    1372 | WINWORD.EXE
    1372 | WINWORD.EXE
    1372 | WINWORD.EXE
    1372 | WINWORD.EXE
    1372 | WINWORD.EXE
Processes 1
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\attachment20220623-9352-39vkb5.docx" /o ""
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:1372
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation