6eba626c90591ad1975900edf0553731f619c4f60ed635a0d81a354443fa2935

General

Target

static.wpe.au.syrahost.com_var_m_b_be_be8_39900_367035-apricot_20_20ginger_20jam.doc_download.doc
Size

43KB
MD5

8311b9a9b1e95f909c18f3dabde85bdf
SHA1

4fff32ca0977f640ee30141cc0aa0dceebf16e3a
SHA256

6eba626c90591ad1975900edf0553731f619c4f60ed635a0d81a354443fa2935
SHA512

4cc484e8b5e11cc58218cea354495e9c96b04fea9883cc9a3eadd52792ab4301d9a5fa7396965975c7c7ffe436198f7a933c5ad7111ff18283e0c2a8d5153231
SSDEEP

384:6p1bR/DiMzg6qh5fqrDm8sNkp3PCCCGsb3TSE0j2RtNEdRyGcS2rdj3:4t/DiMc5fqsNiCHb3Tvlpaur

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

5064 WINWORD.EXE
5064 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

5064 WINWORD.EXE
5064 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

5064 WINWORD.EXE
5064 WINWORD.EXE
5064 WINWORD.EXE
5064 WINWORD.EXE
5064 WINWORD.EXE
5064 WINWORD.EXE
5064 WINWORD.EXE

pid	process
5064	WINWORD.EXE
5064	WINWORD.EXE

pid	process
5064	WINWORD.EXE
5064	WINWORD.EXE

pid	process
5064	WINWORD.EXE
5064	WINWORD.EXE
5064	WINWORD.EXE
5064	WINWORD.EXE
5064	WINWORD.EXE
5064	WINWORD.EXE
5064	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 5064 wrote to memory of 1836	5064	WINWORD.EXE	splwow64.exe
PID 5064 wrote to memory of 1836	5064	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\static.wpe.au.syrahost.com_var_m_b_be_be8_39900_367035-apricot_20_20ginger_20jam.doc_download.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\225A6AC3.wmf
Filesize
508B

MD5
8119bb50d0fdebf8c68516af8801ae38

SHA1
bb853b5f29cfca8b843f11125f94fcb08a19eda4

SHA256
14e72e727d8f7a7b192a0dde9715c470c17b5c14534666f65faab03ccad7f17c

SHA512
8b2c01943d37485ab66c9de998e5a645e884b9d0d2ffd33143d6905e1a71056b1b243b18b82e22d93e138aefe652e9ff8e008f4f2eea8ed0dda3ba75a992d33e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\314C8440.wmf
Filesize
558B

MD5
17ae7341f470816b9dca70bc22ee59b2

SHA1
00338f4957099bdcef9295cdc235a934489db89f

SHA256
cc51c00ce416aab87c51cdf39a17a258d4e9fc92d6066467b0eaa1519373d304

SHA512
2f0ecccc437664edaf48d749f4733d3978cf672e294b0700babebaff895b30ef2dc21ab4b2143b7ca214a0214777c4d5440e88df060d415607f37632dfccb2e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4B3C15B4.wmf
Filesize
490B

MD5
897ae1d30a6b875d032a2372db435446

SHA1
7096c3ba5384f3e97a688a0d8fcd970032b41e29

SHA256
065ec64e4c3aa0e4b7615e7da1aff8c6cfe94e94b4633cfd34f7f0f29353e397

SHA512
f182e49782594033a470c4342adad6e69bab8a5c0e3459744c5c339b079f047715c14ec63be41306cf71f13a49457bca09b996a1bcb2e71358bee7a30ebe681d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5CB88436.wmf
Filesize
484B

MD5
9302d198d8344913f32de0a1a668c65e

SHA1
a0f4dd5e860f1209a2a10fa40967f99aabb59972

SHA256
86630debdb20fd6931ff33f0c9120b97e81b4e339ee3a88d7241d5e9e17c88d0

SHA512
0974d7abaf9d98420aaf5cac446df740dece9f2ddd3663fb2dfa3cfa673f970cf2730ae6e041fd602106634fa9c856df6da824ece0334874649dffacee861268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6A06D74A.wmf
Filesize
508B

MD5
f4f6046ad40d94e18563009682bb5da1

SHA1
f7e7713f01f50ee15510e865f91e9e95290594d5

SHA256
9e75715bf36e29668f51664ef633f8c9620fbe7bd4aa9941b1befb9349b15e53

SHA512
1a4fcffbf0ff5ff9fdf0aaecae2f3687fb709e275d53f72128e8f78d03c35d5f72bf6f890a265e3eb7675aab51969ec9fdb260d20c1495b1e1bd97b93ae0fb34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\76776C7B.wmf
Filesize
558B

MD5
c85f96b0048d0e8e4d85bc70a2785e0c

SHA1
b5beefcbde14f344093406d290b47b9479346079

SHA256
18a8a1c95cfdfee6f7a1e2f8e499c351f2983ddbddeadc82590795661f953dfd

SHA512
4b5efae581598ff00d9dddd1049ee350aae18be88b9ffcc1fa6077cdfc68c96647bbf06cf86afc2f386f82c201dd9e9ea22aff9d0aed69fcd90d4c5d0e6d8a39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BCFF4C9.wmf
Filesize
484B

MD5
d7bb7076edc6f543368f490d7abc57a3

SHA1
a2275115ee21efe253334ca05e1e74e646302597

SHA256
5488b8336b37d18538cddae0b89c49b8e1b1c71743a9168215b1c04dcfd34097

SHA512
ddf41617fffabc750e852a9890d335ed69de8b30579daa2e5218d338aa2502a37fba30edf3b029e27e55b3893d035938bd1451f3f22f3b88f2e766c89d059147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E146D225.wmf
Filesize
490B

MD5
9e6902eff54e6f3ad6708f6eddfc3545

SHA1
d7c4e0e4470e507f77b5b11d17fdbabe7bff5a54

SHA256
f2c04532e82c4415e6be58dc37dd55864ccde56aa64b15d87ebceb11efdee78a

SHA512
70323f75aa798ea07f1cc3e33ac11160fcb23a9f8d7a6228d5d22f7a485a19678aca5c418893a6d7f4e4186bb3be22057a2db3af9caa59b1d01448a3364c5cde

Download Submit
memory/5064-177-0x00000189442A0000-0x00000189444A0000-memory.dmp

Filesize
2.0MB

Download
memory/5064-137-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5064-133-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5064-136-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5064-138-0x00007FFEEAC00000-0x00007FFEEAC10000-memory.dmp

Filesize
64KB

Download
memory/5064-139-0x00007FFEEAC00000-0x00007FFEEAC10000-memory.dmp

Filesize
64KB

Download
memory/5064-135-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5064-134-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5064-201-0x00000189442A0000-0x00000189444A0000-memory.dmp

Filesize
2.0MB

Download
memory/5064-245-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5064-246-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5064-247-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5064-248-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads