9b808789a88144a32f8fd036138403a7235c834f3b3bf5ebbcd22ac4610d32cf

General

Target

9b808789a88144a32f8fd036138403a7235c834f3b3bf5ebbcd22ac4610d32cf.doc
Size

2.8MB
MD5

3fd6aaed6aa4fd6fae42ffc02d4fe52a
SHA1

642c92a15fb9b0e9a82d15fdd52c2c92270a4eeb
SHA256

9b808789a88144a32f8fd036138403a7235c834f3b3bf5ebbcd22ac4610d32cf
SHA512

be44cf715020c3f0e0a78dcec45038b4743e3f9e0b48fc4b9c583c06f93d975e0f52a0781c4722194145528f991f338c4056dea8106ea1c45412349b24d790be
SSDEEP

3072:ic8fJkkgynfEv91qh2g4PPHy/q/4mJ9cYNxtE1CeNIyZg1HFZr:iNJkkgo264PPHNjJWSMTGyZaH7r

Score

10^/10

evasion

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

Explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3596	644	Explorer.exe	WINWORD.EXE

Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2156 attrib.exe
4044 attrib.exe
1492 attrib.exe

pid	process
2156	attrib.exe
4044	attrib.exe
1492	attrib.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4920 schtasks.exe
5076 schtasks.exe

pid	process
4920	schtasks.exe
5076	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

644 WINWORD.EXE
644 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

644 WINWORD.EXE
644 WINWORD.EXE
644 WINWORD.EXE
644 WINWORD.EXE
644 WINWORD.EXE
644 WINWORD.EXE
644 WINWORD.EXE
644 WINWORD.EXE

pid	process
644	WINWORD.EXE
644	WINWORD.EXE

pid	process
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

WINWORD.EXEexplorer.execmd.exe

description	pid	process	target process
PID 644 wrote to memory of 3596	644	WINWORD.EXE	Explorer.exe
PID 644 wrote to memory of 3596	644	WINWORD.EXE	Explorer.exe
PID 4368 wrote to memory of 4860	4368	explorer.exe	cmd.exe
PID 4368 wrote to memory of 4860	4368	explorer.exe	cmd.exe
PID 4860 wrote to memory of 2156	4860	cmd.exe	attrib.exe
PID 4860 wrote to memory of 2156	4860	cmd.exe	attrib.exe
PID 4860 wrote to memory of 4044	4860	cmd.exe	attrib.exe
PID 4860 wrote to memory of 4044	4860	cmd.exe	attrib.exe
PID 4860 wrote to memory of 1492	4860	cmd.exe	attrib.exe
PID 4860 wrote to memory of 1492	4860	cmd.exe	attrib.exe
PID 4860 wrote to memory of 4920	4860	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 4920	4860	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 5076	4860	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 5076	4860	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1492 attrib.exe
2156 attrib.exe
4044 attrib.exe

pid	process
1492	attrib.exe
2156	attrib.exe
4044	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9b808789a88144a32f8fd036138403a7235c834f3b3bf5ebbcd22ac4610d32cf.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\Explorer.exe
  Explorer.exe C:\Users\Admin\sat.bat
  2⤵
  - Process spawned unexpected child process
  PID:3596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\sat.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\system32\attrib.exe
    attrib +a +h +s "C:\Users\Admin\intel"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2156
- - C:\Windows\system32\attrib.exe
    attrib +a +h +s "C:\Users\Public\music\lin"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4044
- - C:\Windows\system32\attrib.exe
    attrib +a +h +s "C:\Users\Admin\random"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1492
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 6 /f /tn UpdateSvcv /tr "'C:\Users\Admin\solv.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:4920
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 3 /f /tn UpdateSvch /tr "'C:\Users\Public\Music\lin\van.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:5076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Hidden Files and Directories

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\pcp.vflsm

Filesize
427KB

MD5
946b1e600af4a73713e3781ffac58fe5

SHA1
c6f76cbd47d7899b50fffe241dfdbd9398a8665a

SHA256
59aac8be9dbb07d17651c93cb96ed1846f19cd515c636a232bae458175c94892

SHA512
488b2123d61e0c6349ee167c3c10319ca88bfa7740c1a65fed6e332889dc9198376277f93a271fa2d49ed5c3c12d4e4abfe632503e8af5a73b2e44462e85bc17

Download Submit
C:\Users\Admin\sat.bat

Filesize
457B

MD5
8e11de9b490ed9805458a16d0a17b716

SHA1
d83cd2b1b06f397c2a9e77b83221fd4a334df009

SHA256
03ad52ad1444f2385c1e2a1fe0c79a5fca3c907bc9dd115fa746eb466873d4c8

SHA512
f64c9dad040dc7589ae8eebb4480ff00b4f9afcd40f97d43091bd24f454c2d8f44e4472c416f136548e851f0082c3556af287e9e2bd76fa70d76129023d0cef5

Download Submit
memory/644-178-0x0000024244560000-0x0000024244760000-memory.dmp

Filesize
2.0MB

Download
memory/644-137-0x00007FF8CF230000-0x00007FF8CF240000-memory.dmp

Filesize
64KB

Download
memory/644-138-0x00007FF8CD1D0000-0x00007FF8CD1E0000-memory.dmp

Filesize
64KB

Download
memory/644-139-0x00007FF8CD1D0000-0x00007FF8CD1E0000-memory.dmp

Filesize
64KB

Download
memory/644-146-0x0000024244560000-0x0000024244760000-memory.dmp

Filesize
2.0MB

Download
memory/644-133-0x00007FF8CF230000-0x00007FF8CF240000-memory.dmp

Filesize
64KB

Download
memory/644-136-0x00007FF8CF230000-0x00007FF8CF240000-memory.dmp

Filesize
64KB

Download
memory/644-134-0x00007FF8CF230000-0x00007FF8CF240000-memory.dmp

Filesize
64KB

Download
memory/644-135-0x00007FF8CF230000-0x00007FF8CF240000-memory.dmp

Filesize
64KB

Download
memory/644-218-0x00007FF8CF230000-0x00007FF8CF240000-memory.dmp

Filesize
64KB

Download
memory/644-219-0x00007FF8CF230000-0x00007FF8CF240000-memory.dmp

Filesize
64KB

Download
memory/644-220-0x00007FF8CF230000-0x00007FF8CF240000-memory.dmp

Filesize
64KB

Download
memory/644-221-0x00007FF8CF230000-0x00007FF8CF240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads