72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b

General

Target

72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b.rtf
Size

2.7MB
MD5

5d455092970ee2f4a00ac451ca4d4903
SHA1

3912ec755f8a40400ffb684991d2f75cb104cec6
SHA256

72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b
SHA512

0f0b442d9e51df7573b847418be5aea84b940b9d45010c3c23821ff7b8daec1408e9da2d1f4caca868f5aa76bb9448ecedd339c7892f8db3f9554a3a01fc7b23

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEexcelcnv.exeWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXEexcelcnv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{BE7937F5-3211-42FE-BEA7-B964C1F605DE}\A.X:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1820 WINWORD.EXE
1820 WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

WINWORD.EXEEXCEL.EXEexcelcnv.exe

pid	process
1820	WINWORD.EXE
1820	WINWORD.EXE
1820	WINWORD.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
2224	excelcnv.exe
1820	WINWORD.EXE
1820	WINWORD.EXE
1820	WINWORD.EXE
1820	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3440

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
471B

MD5
98194ef3188aac75deaa2e16f4a43eb7

SHA1
31958ae66572514ca49b43082f085813591328b1

SHA256
2b8d1f010f6492e8fc6d3432ff8d0a1213adc644046515d2ddabf674876323bc

SHA512
186e9b12701b4bcdd02ff0335a3107c9731ec1eb2fbf4d72a7a038fae23a06d1b1f6c6e2a9ad9e4937147a8ff5ba4d740311c6cd9e7a72a2518ae6d2418632c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
442B

MD5
84686e3a5d69c4cedfe10394eebbb173

SHA1
22759a15b37e7049cfb7a6b7d34a986d2ed8c41a

SHA256
b1022323cbbbc6929fbe0c9d70fc48b503f52d37831a3bdfe1c4acffbfe540b0

SHA512
63732252788384d0c61efff04683a7517def2c0ee561b7608156dedf32a3af3fb3fabd7c9920c25e95bb4ee31652eaef61c760064546a4c87e438e41db6d0cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\54B8D47B-AAB5-4AB8-82FC-1617ED222888
Filesize
147KB

MD5
00ac1c4d3377520ad51f78f35cabe62e

SHA1
b11534cef95ef2c0578256702688da70c7d153e1

SHA256
11c310e2104db8fe0669f4376ac84a75c19ce08bcc1c173a656f232938b1058f

SHA512
c08d0429df9c65e4b7f8679afc2cdf4d05f2f94c6b4f03e22e65bf85aa07619f376cdc2a916828e5c44ae356f8166bbc43fed0773b3a654c6510b160c7002d78

Download Submit
memory/1820-130-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/1820-131-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/1820-132-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/1820-133-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/1820-134-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/1820-135-0x00007FFE563C0000-0x00007FFE563D0000-memory.dmp

Filesize
64KB

Download
memory/1820-136-0x00007FFE563C0000-0x00007FFE563D0000-memory.dmp

Filesize
64KB

Download
memory/2224-149-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/2224-150-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/2224-151-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/2224-148-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/2224-160-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/2224-161-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/3440-155-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/3440-156-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/3440-157-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download
memory/3440-158-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads