954aea6dfdc84a1fc4ae0ec1aba073c2d25e84587348c7df8abd77dbfee0b0a1

General

Target

954aea6dfdc84a1fc4ae0ec1aba073c2d25e84587348c7df8abd77dbfee0b0a1.docm
Size

123KB
MD5

e6cdf2ab43cec436a8e63c1bcebdc68f
SHA1

4e5fede8de660098fd33beb4f65cf9af36fcf0d2
SHA256

954aea6dfdc84a1fc4ae0ec1aba073c2d25e84587348c7df8abd77dbfee0b0a1
SHA512

b41003a39eb45f1261fe8bb758c672e408e4aa65db84b9138ae5608be731246dc66795d74ba6f6e5f0866d8bd7ec37fb62825968798659ad649b1a5dca68074e

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4396	1964	WScript.exe	79

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1964	WINWORD.EXE
1964	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1964	WINWORD.EXE
1964	WINWORD.EXE
1964	WINWORD.EXE
1964	WINWORD.EXE
1964	WINWORD.EXE
1964	WINWORD.EXE
1964	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4396	1964	WINWORD.EXE	82
PID 1964 wrote to memory of 4396	1964	WINWORD.EXE	82

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\954aea6dfdc84a1fc4ae0ec1aba073c2d25e84587348c7df8abd77dbfee0b0a1.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\0.7055475.jse"
  2⤵
  - Process spawned unexpected child process
  PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0.7055475.jse

Filesize
29KB

MD5
428bb5eb41277bf98dca217eb4fdcf6a

SHA1
d74c30a2be4279392f9f16b6ee5e2335372e3742

SHA256
ca3ffca140fbc0ad5a01150f8e84e48aa07cd1547146bd987a3672c394f701ec

SHA512
c7f373efd3b1dc6e82c19a7a70abb9d7da089f7f7c8d07d311b3d571f64b565cdac2dabd95c8c207519344db9e90bb770f7bac1cdf375eeaafe059385c3167ae

Download Submit
memory/1964-138-0x0000016675F94000-0x0000016675F96000-memory.dmp

Filesize
8KB

Download
memory/1964-142-0x0000016675F94000-0x0000016675F96000-memory.dmp

Filesize
8KB

Download
memory/1964-133-0x00007FFDED470000-0x00007FFDED480000-memory.dmp

Filesize
64KB

Download
memory/1964-134-0x00007FFDED470000-0x00007FFDED480000-memory.dmp

Filesize
64KB

Download
memory/1964-135-0x00007FFDEADC0000-0x00007FFDEADD0000-memory.dmp

Filesize
64KB

Download
memory/1964-136-0x00007FFDEADC0000-0x00007FFDEADD0000-memory.dmp

Filesize
64KB

Download
memory/1964-132-0x00007FFDED470000-0x00007FFDED480000-memory.dmp

Filesize
64KB

Download
memory/1964-147-0x00007FFDED470000-0x00007FFDED480000-memory.dmp

Filesize
64KB

Download
memory/1964-137-0x00000166770E0000-0x00000166770E4000-memory.dmp

Filesize
16KB

Download
memory/1964-131-0x00007FFDED470000-0x00007FFDED480000-memory.dmp

Filesize
64KB

Download
memory/1964-130-0x00007FFDED470000-0x00007FFDED480000-memory.dmp

Filesize
64KB

Download
memory/1964-144-0x00007FFDED470000-0x00007FFDED480000-memory.dmp

Filesize
64KB

Download
memory/1964-145-0x00007FFDED470000-0x00007FFDED480000-memory.dmp

Filesize
64KB

Download
memory/1964-146-0x00007FFDED470000-0x00007FFDED480000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads