766ede751889be8bb93ea6c77f338c584a3febb380268c6dcdb63cb87f582944

General

Target

moodle.ymca-nitra.sk_pluginfile.php_333_mod_resource_content_1_pronouns.doc
Size

98KB
MD5

e7bd3e11e4f17c564bfa6c60dfb95c1f
SHA1

f21d0de207d736eb0d283b2f0b713f7ab70c0815
SHA256

766ede751889be8bb93ea6c77f338c584a3febb380268c6dcdb63cb87f582944
SHA512

6b75e1ab0123095b2fae3bfcfd1f4bf1586e6812ea036cd87987e864efd860fdc59d65d973966f1d7936fe33373ed19fb51b0e47a159d73f40a1f440c28cbe80
SSDEEP

1536:NFJtKeEa+kGGyUZd+suHRew5555555axAAVLD563+c3uGXq:NFJ2npUY0w5555555aAAVWeU

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1080	WINWORD.EXE
1080	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1080	WINWORD.EXE
1080	WINWORD.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 4880	1080	WINWORD.EXE	88
PID 1080 wrote to memory of 4880	1080	WINWORD.EXE	88

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\moodle.ymca-nitra.sk_pluginfile.php_333_mod_resource_content_1_pronouns.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\564A25EE.wmf

Filesize
370B

MD5
a2b08beeab45d562456e9eb4955231bb

SHA1
6ec82930385ffdc8b713425d22f37491d1aa344d

SHA256
25ffa656a6b7bc9f76dc0bb2127d111cd1340cba04e199025f80799e9310f4de

SHA512
1e1edf345cc753e39d18b6064743eb22e9c8c11b5efbe47180ff62518408ec1a8929a921242f7bffe015f1d4eb38a4e5804f750b934a7811dc3c9163aaa74c3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5FF01238.wmf

Filesize
370B

MD5
f054e149b8d458b3296328eaa2fcaaa0

SHA1
8589e72a940b89de2cf17ab1e32fac73b7ac4872

SHA256
91ee9a077a4fc9d5ad006b19d6883c8ae7ed88f9ede5eba273cfef1d3bd6551d

SHA512
5bdc21a1303311f7b8d0fa90fa6b87388e8e0615b2fc22196c38a8c37a950e2a2f78fd6e6827c85dc5d6c7e4db5d72bb39dd3bcafcbe7f8338af1fba74e72de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6CD12AEA.wmf

Filesize
370B

MD5
e773a6e1c38c92d4241e3cfe642ae0c5

SHA1
9b9fedb49006d36fd0b7c882ca75ccef21c4e06e

SHA256
f902e928d003e34f43d03d21c0ab48c638107bdd17108658a2b39c0bf399ab5c

SHA512
a63951d392912f95bd6bc814433a1c90cafa9888fa96cecd3c9c08b0c1b111607d238e118cbe548fefb58985c3d417a0f4b899ef80be32015ca95559ba5611fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\91BCC454.wmf

Filesize
370B

MD5
271d85431b6b680813e35000305ddd89

SHA1
b943a11edf9612f9feca7d91985afb473191ebc5

SHA256
041186bc3112af22e8608a6db5ffbc11ea061eb66aa095d902bf2e30d482c032

SHA512
700308335934104e86fe47c8dbcb0b7d9e1864b1c8acd524505258440bb2d2734696a03447d8f0822e042c3156b6e0b580dfc2f36342f2e5d946a32773268b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FF043DA7.wmf

Filesize
370B

MD5
89b4a06c750babc43691c564765fd2e9

SHA1
266e87f092eb148d26a2b942ccd9cee0b33539f9

SHA256
4c20a253f9d1a25ddc283838db80b94ef72e547ea87c01e0838ef1e10c0e1ff5

SHA512
7ec980cde6c6d09ee87c9a8a8313520483eded587b67dfec17f1e2d49e33de1ad9c02310919035aa6c7c225de84000d02199fb0733e3c76112ff8c2cc612c50f

Download Submit
memory/1080-134-0x00007FF9B72F0000-0x00007FF9B7300000-memory.dmp

Filesize
64KB

Download
memory/1080-139-0x00007FF9B5290000-0x00007FF9B52A0000-memory.dmp

Filesize
64KB

Download
memory/1080-147-0x000001E763D90000-0x000001E763F90000-memory.dmp

Filesize
2.0MB

Download
memory/1080-133-0x00007FF9B72F0000-0x00007FF9B7300000-memory.dmp

Filesize
64KB

Download
memory/1080-137-0x00007FF9B72F0000-0x00007FF9B7300000-memory.dmp

Filesize
64KB

Download
memory/1080-136-0x00007FF9B72F0000-0x00007FF9B7300000-memory.dmp

Filesize
64KB

Download
memory/1080-138-0x00007FF9B5290000-0x00007FF9B52A0000-memory.dmp

Filesize
64KB

Download
memory/1080-135-0x00007FF9B72F0000-0x00007FF9B7300000-memory.dmp

Filesize
64KB

Download
memory/1080-299-0x000001E763D90000-0x000001E763F90000-memory.dmp

Filesize
2.0MB

Download
memory/1080-336-0x00007FF9B72F0000-0x00007FF9B7300000-memory.dmp

Filesize
64KB

Download
memory/1080-337-0x00007FF9B72F0000-0x00007FF9B7300000-memory.dmp

Filesize
64KB

Download
memory/1080-338-0x00007FF9B72F0000-0x00007FF9B7300000-memory.dmp

Filesize
64KB

Download
memory/1080-339-0x00007FF9B72F0000-0x00007FF9B7300000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads