f8cd4a33eda9a85b62efa976b8ab19439064247858796405e4fb1cc1c3443b8c

General

Target

f8cd4a33eda9a85b62efa976b8ab19439064247858796405e4fb1cc1c3443b8c.rtf
Size

2.7MB
MD5

1d5e6ffddf61cdd7d45facea5170b492
SHA1

3329bc4cfbfd1c89a20624385cec7f6dc75eedfd
SHA256

f8cd4a33eda9a85b62efa976b8ab19439064247858796405e4fb1cc1c3443b8c
SHA512

e40a143845422c9702519c8c13f45c55cf8a7fa1bad5d0a7ae38c752146be1ec7b35019f258f3ecc1dffaf8e8313d1070f6589752a50ae772bf13ee24967ddf3

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEexcelcnv.exeWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXEexcelcnv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{8B067F4F-5421-4E29-A1C7-02CDCA3BA495}\A.X:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4740 WINWORD.EXE
4740 WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

WINWORD.EXEEXCEL.EXEexcelcnv.exe

pid	process
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE
3948	EXCEL.EXE
3948	EXCEL.EXE
3948	EXCEL.EXE
3948	EXCEL.EXE
1476	excelcnv.exe
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f8cd4a33eda9a85b62efa976b8ab19439064247858796405e4fb1cc1c3443b8c.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4740

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
70290ce8fd1849e8ae1db80d69b0f692

SHA1
5108716ac4195f33d65b0bdd974ead6f0f193365

SHA256
1347ab96e5fa080b35192928c05e3bc07d5d319fdfe7328e6b0334e09c1f69d4

SHA512
394b9310eb7fa7b12b7703105faf9dec9660c9296a946d1e400e0fec78dd60e9565af1876821123bc66b24de667f07b848ffae6446b417e223ba2107bd350b39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
442B

MD5
865ee77bea70c83a2f12a01dfac13732

SHA1
f7d8d86db28d271f0b9bb2d856d3b43f8e5a165e

SHA256
aaf60e8f07336292ac861494bcfd394e194817288fd096379063eaaa764659a3

SHA512
806ab28ec3bcdba80e9ec5a52d61a4485068f0f4113f1bc9cb3995db82f69692d207a608eacde82cd1bbf574389e6df721e094c49856326065a63bc89737b283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EA63496D-1C3D-43F4-B430-0490AEB7F53A
Filesize
146KB

MD5
9efecd9bf42cbbe0e5fce0575d046fa8

SHA1
e55786c45f71c3d7f7f68f7f07a45ca9a650c96b

SHA256
245be707a245bbeceda4ca9205c06f9a60f847c9a4328d05264bcb669bcab0a3

SHA512
0c9608268ad7765cd85ea18e5de07ac665cdb7ef4b1ee974de8853a27616bf58f7e6157994e948d4b76ddbe5bc57457cbea4995ffed301d9464113ff2a088a90

Download Submit
memory/1476-148-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/1476-159-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/1476-158-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/1476-150-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/1476-149-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/1476-147-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/3948-156-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/3948-154-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/3948-153-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/3948-155-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/4740-136-0x00007FFA8F1E0000-0x00007FFA8F1F0000-memory.dmp

Filesize
64KB

Download
memory/4740-135-0x00007FFA8F1E0000-0x00007FFA8F1F0000-memory.dmp

Filesize
64KB

Download
memory/4740-130-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/4740-134-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/4740-133-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/4740-132-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download
memory/4740-131-0x00007FFA91870000-0x00007FFA91880000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads