d9b52e89476da47de66a850e82e35c63b142633dee8585d6901d6c41dd2ffddd

General

Target

1799c8fcda056ec1bb545f7cca3743c2.doc
Size

51KB
MD5

1799c8fcda056ec1bb545f7cca3743c2
SHA1

9cbd3ef55ec0044e27ed1f2356990cc766b89ffc
SHA256

d9b52e89476da47de66a850e82e35c63b142633dee8585d6901d6c41dd2ffddd
SHA512

525cc38c6aad0329a3a4d261c94201c53cd62adeb4b80045e30946a0d0a48f91cb87406a17bc2a9889a7a8048429596561ea654554589b32a644939b83c4810c
SSDEEP

384:7+yatEi1aUf5D4YrDzsfyGcSxwAjLWarHOj6eX0jdoutQxOm:Cb9aa58YrDwNfRrI31

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3484 WINWORD.EXE
3484 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeManageVolumePrivilege 4156 svchost.exe

description	pid	process
Token: SeManageVolumePrivilege	4156	svchost.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

WINWORD.EXE

pid	process
3484	WINWORD.EXE
3484	WINWORD.EXE
3484	WINWORD.EXE
3484	WINWORD.EXE
3484	WINWORD.EXE
3484	WINWORD.EXE
3484	WINWORD.EXE
3484	WINWORD.EXE
3484	WINWORD.EXE
3484	WINWORD.EXE
3484	WINWORD.EXE
3484	WINWORD.EXE
3484	WINWORD.EXE
3484	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1799c8fcda056ec1bb545f7cca3743c2.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

Filesize
24KB

MD5
896f5fe46407a03df480f9a95c9e6f18

SHA1
c1a95f23094fce0f53be7361cf598c1d14350f14

SHA256
4971299b609c32e71b7f4ba591f16543270e1cbead0aafe60e225d0401508250

SHA512
6f81760986c55a9a531841c8999cc18ae620d99f220a3d33cc5794f46deaad0e27dfc1b6e93926139fb6ad1132195b3a5a1ede80c4b9f24bf06bf4b143c04bac

Download Submit
C:\VBEB80.tmp

Filesize
2KB

MD5
05b3d2c64f145c0e2438c84c793b31b0

SHA1
6aac20d4a2f53e9c8a0f645ce0678e37873bcc01

SHA256
223796b180da68d58816744f241ff1db184f4a165ec0ac62130ff7c8a1783739

SHA512
a90d3fa228b22ef3f84484652118c06f90c9fd10733e361cf2b5d197b1e4bd269139e3cbea457dc339791c117be43d20edb0bb72f54244b4a337b29021607138

Download Submit
C:\temp.tmp

Filesize
2KB

MD5
bdd652f6ded4b7b168ab1cb5b88b4c67

SHA1
fd307f0a241f7b5caa19d119f2263a6fac93a494

SHA256
cee88242c9ab9eb1e846fc7697e58434bc9587c7639a27ee1a8cf8d95c3a4c8f

SHA512
0ee6c3061db540abed71aad37f3b8aa5f212bb8a785ca302ff15966e2debaadc908b5dc0ceb9442f23dd2d7d45492e2192bd0ecd84c2aec4153a94b2375848e8

Download Submit
C:\temp.tmp

Filesize
225B

MD5
519755378e58a854e2bd4652f7195193

SHA1
eca94844a06772a58cafa8bb4fccb054cdb450c0

SHA256
b5aa96f3f7930aced20f57e7f4fe5957e37be0f504fb2f49606f80b19e79bf20

SHA512
b1e3a0dc5562e558bb8542c4f9288ce4493ddc9c5c533fff9a07e008a6acef0fbacfc03d867d5ff54fb602e9f3148fa073bb93a1ca386ea42f88b063f0726d52

Download Submit
memory/3484-138-0x00007FF8EED50000-0x00007FF8EED60000-memory.dmp

Filesize
64KB

Download
memory/3484-372-0x00007FF8F0DB0000-0x00007FF8F0DC0000-memory.dmp

Filesize
64KB

Download
memory/3484-139-0x00007FF8EED50000-0x00007FF8EED60000-memory.dmp

Filesize
64KB

Download
memory/3484-137-0x00007FF8F0DB0000-0x00007FF8F0DC0000-memory.dmp

Filesize
64KB

Download
memory/3484-136-0x00007FF8F0DB0000-0x00007FF8F0DC0000-memory.dmp

Filesize
64KB

Download
memory/3484-135-0x00007FF8F0DB0000-0x00007FF8F0DC0000-memory.dmp

Filesize
64KB

Download
memory/3484-134-0x00007FF8F0DB0000-0x00007FF8F0DC0000-memory.dmp

Filesize
64KB

Download
memory/3484-369-0x00007FF8F0DB0000-0x00007FF8F0DC0000-memory.dmp

Filesize
64KB

Download
memory/3484-370-0x00007FF8F0DB0000-0x00007FF8F0DC0000-memory.dmp

Filesize
64KB

Download
memory/3484-133-0x00007FF8F0DB0000-0x00007FF8F0DC0000-memory.dmp

Filesize
64KB

Download
memory/3484-371-0x00007FF8F0DB0000-0x00007FF8F0DC0000-memory.dmp

Filesize
64KB

Download
memory/4156-373-0x0000027D1F940000-0x0000027D1F950000-memory.dmp

Filesize
64KB

Download
memory/4156-389-0x0000027D1FA40000-0x0000027D1FA50000-memory.dmp

Filesize
64KB

Download
memory/4156-405-0x0000027D27D40000-0x0000027D27D41000-memory.dmp

Filesize
4KB

Download
memory/4156-407-0x0000027D27D70000-0x0000027D27D71000-memory.dmp

Filesize
4KB

Download
memory/4156-408-0x0000027D27D70000-0x0000027D27D71000-memory.dmp

Filesize
4KB

Download
memory/4156-409-0x0000027D27E80000-0x0000027D27E81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads