47bd15404d446450fe162c95160352981850a67f3e75c8fb29a0935c295830c9

General

Target

C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm
Size

22KB
MD5

9d342602e34419e0077daefb12589f2a
SHA1

019205904224c446b09574e43a5fbb0b6e06a7e4
SHA256

47bd15404d446450fe162c95160352981850a67f3e75c8fb29a0935c295830c9
SHA512

2c969edd7c347a323907275f460225fc440d93690001ff95b093042a64f4d7fe8c4bc71ab2f53e7676310f096d936bbd457e435fb159e5bcf543dc061dec725f
SSDEEP

384:C6LZC78S04w/T0VqvWGoB1uGaVQF9p0lhS0wVTnzLizefxY4Waf:Bq8S04w/jFoaQvp0lhS0GzLwefxYq

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\user\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4632	WINWORD.EXE
4632	WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
221B

MD5
1fc0ee0648841396e58ea659c2a36543

SHA1
705b8d428b1b890593e26dc7354f362c30558240

SHA256
b9064efa65ab0bf674570b789c4ba678d7c8bb60ba29cf71435867312ef5e82b

SHA512
bf8da1f7bf750886fef7fbe09bb715e865894d31d3363648bbcaa1d3a69e1a35286930fd46ed7e88f8d9e60d331f4abb3f00e6b409081358b34ba9d371acc485

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
7e3ceefa7ede006c9fcc636bca446ada

SHA1
a5ab5fc1f5846401a6168b609349b19597c207e3

SHA256
d8fc7ecc10c5486601cd807935141e85813865c4c5191d9cc40cc60313fd326b

SHA512
b46803a31773d249a5c6aa5192a007cada1d436f0a01373b9b56837440a1c73d151437570282e07bf25cf1f6d5920d13023ee98e46eaff5b06793eaa3b4a98af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
00255f0714dbf76a7b7b4721dc4fa0fe

SHA1
c23afb21492928e42f685f3d2242ccb07e7028c9

SHA256
bd5b4b0b3455a7a475a09a065f86a0e840efb0778e89f0f8827729035d365d50

SHA512
5463d48cd6dcb71879b89ae594b540d8cec8d0e89248d9fb7b3cdbd65d129c71085c246378c6305b3caf52ed4423647ff843e94a305122ac21312e133c84929c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RFe56b76e.TMP

Filesize
4KB

MD5
4adfddac8cd37a80a98c2691a7eac7dc

SHA1
357aa05914052132717eee82ed2fced424b8b6a8

SHA256
958cc7e6d8ee94e1e5654b9da1979e73a89d5dedaee2e52eb5d1b6aa5d1485bb

SHA512
19d545357780d0fffac29111648be65a867c953cc1490f327deaad6f2363ad241184057fe107995ea9c915ea77b87f66c65fea474589865b71a83524b4234ebe

Download Submit
C:\Users\user\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

Filesize
24KB

MD5
b90a25c8a0cdc3c84a74141e31cdfad3

SHA1
7e86ffae5df9aedb13cb445086b5f7da3c13d5b8

SHA256
b3e8e3ffb7be61d1bf31d1e406214d90df6b1eb5ada6dc602ca1afdc33260163

SHA512
ead56b5b8f5998248364ce1015acb16a6524951e20cc5b317de03add9aa3561000d3958ee61f1b144ed493dc4ea88895223fb9af2ed5169308b1d03ecf0550b4

Download Submit
memory/4632-136-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-139-0x00007FFA56FA0000-0x00007FFA56FB0000-memory.dmp

Filesize
64KB

Download
memory/4632-138-0x00007FFA56FA0000-0x00007FFA56FB0000-memory.dmp

Filesize
64KB

Download
memory/4632-133-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-137-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-135-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-134-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-239-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-240-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-241-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-242-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads