Behavioral Report

Analysis

max time kernel
124s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2023 11:48

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

TT ADVISE.docx
Size

10KB
MD5

cf3c57e573d8825b2c398b8b187b3ecc
SHA1

e80a459884ec9021de7c4f6a1e0cb8e12637e6bf
SHA256

a2c0610976c72c78927da80bb092501ce8a6f882b6241dc0517d3fa137ab8fe5
SHA512

1662a45eb2bc34b9d558f97be9e05b4d8b4f9e40470d290f4be3528291d30133b1d5ad3f55e8c26c2fdbb365913c14f3032ec8af7776ca2e7594936be8c4ff29
SSDEEP

192:ScIMmtP5hG/b7XN+eOZO+5+5F7Jar/YEChI3wZ:SPXRE7XtOZ7wtar/YECO0

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MsoSync.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2600	2228	MsoSync.exe	WINWORD.EXE

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5FB3A396-8DD8-4C90-A49C-29E40AEF45B4}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8A1483EC-9161-41F6-98ED-BBA28A30A366}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

MsoSync.exesvchost.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MsoSync.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MsoSync.exe

Enumerates system info in registry 2 TTPs 8 IoCs

TTPs:

Query Registry System Information Discovery

Processes:

svchost.exeWINWORD.EXEMsoSync.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	MsoSync.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2228 WINWORD.EXE
2228 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WINWORD.EXEMsoSync.exe

description pid process

Token: SeAuditPrivilege 2228 WINWORD.EXE
Token: SeAuditPrivilege 2600 MsoSync.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

MsoSync.exe

pid process

2600 MsoSync.exe
2600 MsoSync.exe
2600 MsoSync.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

MsoSync.exe

pid process

2600 MsoSync.exe
2600 MsoSync.exe
2600 MsoSync.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXEMsoSync.exe

pid process

2228 WINWORD.EXE
2228 WINWORD.EXE
2228 WINWORD.EXE
2228 WINWORD.EXE
2228 WINWORD.EXE
2228 WINWORD.EXE
2600 MsoSync.exe

pid	process
2228	WINWORD.EXE
2228	WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	2228	WINWORD.EXE
Token: SeAuditPrivilege	2600	MsoSync.exe

pid	process
2600	MsoSync.exe
2600	MsoSync.exe
2600	MsoSync.exe

pid	process
2600	MsoSync.exe
2600	MsoSync.exe
2600	MsoSync.exe

pid	process
2228	WINWORD.EXE
2228	WINWORD.EXE
2228	WINWORD.EXE
2228	WINWORD.EXE
2228	WINWORD.EXE
2228	WINWORD.EXE
2600	MsoSync.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2228 wrote to memory of 2600	2228	WINWORD.EXE	MsoSync.exe
PID 2228 wrote to memory of 2600	2228	WINWORD.EXE	MsoSync.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\TT ADVISE.docx" /o ""

Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:2228

C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe

"C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"

Process spawned unexpected child process
Checks processor information in registry
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx

PID:2600

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

Drops file in System32 directory
Checks processor information in registry
Enumerates system info in registry

PID:2372

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb
Filesize
512KB

MD5
6964824e906a023ba2b00df96d9d9afa

SHA1
7924b14bfd5a888786aed6db00c1c1ab132c2b7a

SHA256
b1b39967e76a695a74944262fbcf1bb7ec7ff6d6939cb79037c089fa43e7298b

SHA512
c26d10d3917fafce7d2ed2bf5445ed800a7812e6f71a1502887f6518ba8035ec93b7ddf40f0203370301471f29ba54dc73d93015d411a0f9efffca37ff639d04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
Filesize
128B

MD5
696ea03ec8211de31799314fa9477647

SHA1
9202c78b3ae2b7696eb014569e5a676c8984abcc

SHA256
524d57535745a9299efe7e7076cdc2af4b4a158ffa0d01e88a6966cae5733bd8

SHA512
d3af84d88fa232d26e6782bbd92f5d63270d417ab24a98d3a535e3b425631612bcd7c16b59c2fd6b2614df8cbb627a27f47fc3291971c816b9e7d949e2bbd05d

Download Submit
memory/2228-151-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2228-133-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2228-136-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2228-137-0x00007FFD49000000-0x00007FFD49010000-memory.dmp

Filesize
64KB

Download
memory/2228-138-0x00007FFD49000000-0x00007FFD49010000-memory.dmp

Filesize
64KB

Download
memory/2228-135-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2228-153-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2228-152-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2228-132-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2228-150-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2228-134-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2600-139-0x0000000000000000-mapping.dmp

Download
memory/2600-144-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2600-143-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2600-142-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2600-141-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2600-155-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/2600-156-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download