47bd15404d446450fe162c95160352981850a67f3e75c8fb29a0935c295830c9

General

Target

C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm
Size

22KB
MD5

9d342602e34419e0077daefb12589f2a
SHA1

019205904224c446b09574e43a5fbb0b6e06a7e4
SHA256

47bd15404d446450fe162c95160352981850a67f3e75c8fb29a0935c295830c9
SHA512

2c969edd7c347a323907275f460225fc440d93690001ff95b093042a64f4d7fe8c4bc71ab2f53e7676310f096d936bbd457e435fb159e5bcf543dc061dec725f
SSDEEP

384:C6LZC78S04w/T0VqvWGoB1uGaVQF9p0lhS0wVTnzLizefxY4Waf:Bq8S04w/jFoaQvp0lhS0GzLwefxYq

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File created C:\Users\user\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp\:Zone.Identifier:$DATA WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4632 WINWORD.EXE
4632 WINWORD.EXE

description	ioc	process
File created	C:\Users\user\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

WINWORD.EXE

pid	process
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE
4632	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
221B

MD5
1fc0ee0648841396e58ea659c2a36543

SHA1
705b8d428b1b890593e26dc7354f362c30558240

SHA256
b9064efa65ab0bf674570b789c4ba678d7c8bb60ba29cf71435867312ef5e82b

SHA512
bf8da1f7bf750886fef7fbe09bb715e865894d31d3363648bbcaa1d3a69e1a35286930fd46ed7e88f8d9e60d331f4abb3f00e6b409081358b34ba9d371acc485

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
7e3ceefa7ede006c9fcc636bca446ada

SHA1
a5ab5fc1f5846401a6168b609349b19597c207e3

SHA256
d8fc7ecc10c5486601cd807935141e85813865c4c5191d9cc40cc60313fd326b

SHA512
b46803a31773d249a5c6aa5192a007cada1d436f0a01373b9b56837440a1c73d151437570282e07bf25cf1f6d5920d13023ee98e46eaff5b06793eaa3b4a98af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
00255f0714dbf76a7b7b4721dc4fa0fe

SHA1
c23afb21492928e42f685f3d2242ccb07e7028c9

SHA256
bd5b4b0b3455a7a475a09a065f86a0e840efb0778e89f0f8827729035d365d50

SHA512
5463d48cd6dcb71879b89ae594b540d8cec8d0e89248d9fb7b3cdbd65d129c71085c246378c6305b3caf52ed4423647ff843e94a305122ac21312e133c84929c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RFe56b76e.TMP

Filesize
4KB

MD5
4adfddac8cd37a80a98c2691a7eac7dc

SHA1
357aa05914052132717eee82ed2fced424b8b6a8

SHA256
958cc7e6d8ee94e1e5654b9da1979e73a89d5dedaee2e52eb5d1b6aa5d1485bb

SHA512
19d545357780d0fffac29111648be65a867c953cc1490f327deaad6f2363ad241184057fe107995ea9c915ea77b87f66c65fea474589865b71a83524b4234ebe

Download Submit
C:\Users\user\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

Filesize
24KB

MD5
b90a25c8a0cdc3c84a74141e31cdfad3

SHA1
7e86ffae5df9aedb13cb445086b5f7da3c13d5b8

SHA256
b3e8e3ffb7be61d1bf31d1e406214d90df6b1eb5ada6dc602ca1afdc33260163

SHA512
ead56b5b8f5998248364ce1015acb16a6524951e20cc5b317de03add9aa3561000d3958ee61f1b144ed493dc4ea88895223fb9af2ed5169308b1d03ecf0550b4

Download Submit
memory/4632-136-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-139-0x00007FFA56FA0000-0x00007FFA56FB0000-memory.dmp

Filesize
64KB

Download
memory/4632-138-0x00007FFA56FA0000-0x00007FFA56FB0000-memory.dmp

Filesize
64KB

Download
memory/4632-133-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-137-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-135-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-134-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-239-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-240-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-241-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download
memory/4632-242-0x00007FFA590B0000-0x00007FFA590C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads