ac8919a58389e1fdb5a8fde14d9451c589ed01d6e84dd8a2e48fe5ba9bd261db

Resubmissions

12-07-2023 11:10

230712-m933vsdh3s 10

12-07-2023 11:08

230712-m8v1vsdh21 8

Analysis

max time kernel
53s
max time network
60s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
12-07-2023 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sysrar.doc
Size

36KB
MD5

7f447856ffce83300397a38af2fafb09
SHA1

308af1464252d8a3274d1d5ee3fde0decf321728
SHA256

903eda2289b5fccc26aaf44a2b7ffbcf1b48ba3b81f7095698a7a42f208c7984
SHA512

c9f79f23ebd0abab989678fa5b2ab94f444b536001be4d687e4360631d4a7f3938d20fbc17d1995a8b90599b004fd77e40b73de5887f3eb7cc1b14e79d9a3809
SSDEEP

384:JDU1iSX3mSBqEIXxsjkev1a8MD32suJcXNBB3Su0jijm:5uqzBs4evozD32JJcXLEud

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 2 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x000400000001a5bf-287.dat	office_macro_on_action
behavioral1/files/0x000400000001a5bf-440.dat	office_macro_on_action

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000400000001a5bf-440.dat

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
3656	WINWORD.EXE
3656	WINWORD.EXE
4312	WINWORD.EXE
4312	WINWORD.EXE

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
3656	WINWORD.EXE
3656	WINWORD.EXE
3656	WINWORD.EXE
3656	WINWORD.EXE
3656	WINWORD.EXE
3656	WINWORD.EXE
3656	WINWORD.EXE
3656	WINWORD.EXE
3656	WINWORD.EXE
3656	WINWORD.EXE
3656	WINWORD.EXE
3656	WINWORD.EXE
3656	WINWORD.EXE
4312	WINWORD.EXE
4312	WINWORD.EXE
4312	WINWORD.EXE
4312	WINWORD.EXE
4312	WINWORD.EXE
4312	WINWORD.EXE
4312	WINWORD.EXE
4312	WINWORD.EXE
4312	WINWORD.EXE
4312	WINWORD.EXE
4312	WINWORD.EXE
4312	WINWORD.EXE
4312	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sysrar.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sysrar.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
376f18f8ab4b6965e6801953bdd750e9

SHA1
a5e9b015a20fa58e84db2d6bc7878da851b45064

SHA256
9f06c17a43365679e4ff8a64477b0028932ad22c51f107d071d8bb83cfb5ddb1

SHA512
deae60133d659031fcac9d96e264186b11f368ceeca5feed304af9ecce906337b8dfb1e1e6122feb220dfc30b2ecc08fc2e4428953765d773beeae216f410cd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
b0088267247a790699a45bb22a622a3c

SHA1
4e882aeae92c2855846fed1235a8cc0828ae4d50

SHA256
dd1b8fb8c68b760306ac1ca64e2f6be6946e9e53d46c5330b19a9d2ac417aa1b

SHA512
b4342d4b112c04298aae1d0747b96969e786821a7a77700186ae5b68aa0214f74b77276f4b7f858d7ad3831ff42cfa49d51337bad2f0c909447d07c1c455e97c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml

Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
249B

MD5
20774f3a8470aac51e167b5eb9aa0372

SHA1
47a228e24478a7f6a8fc5dcc082e44a480a3cbf2

SHA256
0ed8b3007a486301e771abd239ea8c3084995922437832a8ff33bc4e1c9a58f0

SHA512
c11fece4791092f455f0f3ad53c66a3a20e5edb70c3cdc7a9ffeb1382759d6da96fb36e268a590aeb9a7a92ac4d9fff30ac365067e6755c5bb0e7e7600098d1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
271B

MD5
79ad914d2929d80190f8cd81f001944e

SHA1
fc71e40c84dbca4609cff1b0ac933c1f642e07d9

SHA256
602873e0e6bbc1215f224fa4b329ccff79233db8c8f21fde3e1b08ab48dee915

SHA512
717d98d42b89d74da260b906a8048e4ec00da0a548ce6d6e82667e1534b6abeadc3d198d7e79a08e3a1a96f625c4e90a7f79527ae6b4d2d991c4c3d05886cda7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
271B

MD5
79ad914d2929d80190f8cd81f001944e

SHA1
fc71e40c84dbca4609cff1b0ac933c1f642e07d9

SHA256
602873e0e6bbc1215f224fa4b329ccff79233db8c8f21fde3e1b08ab48dee915

SHA512
717d98d42b89d74da260b906a8048e4ec00da0a548ce6d6e82667e1534b6abeadc3d198d7e79a08e3a1a96f625c4e90a7f79527ae6b4d2d991c4c3d05886cda7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
271B

MD5
aeaf95a02ad3944ed6ccbbb195cec851

SHA1
d2d7f308633d47f1779d3db987880a214fd7ccc4

SHA256
fa98bc7e0f0261b71ae37cebd5c7e7a625606fabaa0fdae9c95aec329e4a0825

SHA512
4ba45511f0a48449ab6cbde810bdadc36fe047d8af2ed248bf0f4d5f68a184bf57d53c00140185207471a2ee8c3a84f893cbc2dcabe2fb499e9599e1aca86b27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\sysrar.doc (2).LNK

Filesize
1KB

MD5
0f9e2ef50ad1eeb7d732e51fee224839

SHA1
5fa8d7222d7be5edb101e6b05319de2c2846a756

SHA256
ce53f77f2cd3afcb9e725c2fcd64ba2c2853bbf8c5e6710e01996a55e1593d62

SHA512
558c643c24af27cf1f66d137d72abb4fdcc4e89f0a63c39c41ae6ffca6d91715f083f8e1f3d1ef0f6e794675fbb97777bf7b0ec4e888185903e88bf8af387115

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
6dd44992223a6532647d34646118643f

SHA1
0b27f618ec8cdb0e28b7b66449180f4a3484a115

SHA256
038ef8c52c285f5482e1804db9d3e017edbba49a36a7416a6869041d0ef848d0

SHA512
bae93b9d6f54e019e46ca837e3e9dc3f93e6b692557c2cc02296527489627bf3dfd342e921bf02cfb70c5939ee3d0835b563a818c24952e18f4e199d92a32c5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
286dc4d1aea0c631fa3a0d2ebe4899c5

SHA1
d353d93dd727f81db35edbd1f77ac4ec84117560

SHA256
5b4c29ce04b89d33071ec3f02d75fe54cae4bbb7c07000d4d688cb942dd3d4fd

SHA512
ec68b263545d2f0d37ff764d93ced169188f442e6bbefa77a318e7642b2f27d729f32eb83a36cf2da63913c1a76504a7b53a05437ae0b5227de91668e032d71f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
286dc4d1aea0c631fa3a0d2ebe4899c5

SHA1
d353d93dd727f81db35edbd1f77ac4ec84117560

SHA256
5b4c29ce04b89d33071ec3f02d75fe54cae4bbb7c07000d4d688cb942dd3d4fd

SHA512
ec68b263545d2f0d37ff764d93ced169188f442e6bbefa77a318e7642b2f27d729f32eb83a36cf2da63913c1a76504a7b53a05437ae0b5227de91668e032d71f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
61aef4cb7cc876187b4263cb133b6f26

SHA1
450228e05e70902b7605788c4acfe77063f786ea

SHA256
8f3df2ab0eb0a0a1478bd3f3fa1b0f031897ccee9a652fda767171b774562019

SHA512
eef515344b2ee509e283398a19a5711a62946824bec790b34c2c60ebadd55146ac38965027129b2d9af6c2b63af7efa30b4b70c400ea010d6cdb7ccd1adc2e0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sysrar.doc

Filesize
36KB

MD5
22d44c7465d44b6720d2132f508043fd

SHA1
446d6430d48702d0af309bfa425693ee4aeb3754

SHA256
cb4330562cfa3aa89c1f58b9ac28e5ef093dedcfc1b03bac33d45ce51ddf6ffb

SHA512
2bb2c9b9c38ebd150ba481a1fd643d6673ce09b7933d593d8a2badd3c4a5a3dcd885d8aad5856a6f98729970b8d76f53bd1702eb82e7c45178d6dc26f0270cde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sysrar.doc

Filesize
36KB

MD5
22d44c7465d44b6720d2132f508043fd

SHA1
446d6430d48702d0af309bfa425693ee4aeb3754

SHA256
cb4330562cfa3aa89c1f58b9ac28e5ef093dedcfc1b03bac33d45ce51ddf6ffb

SHA512
2bb2c9b9c38ebd150ba481a1fd643d6673ce09b7933d593d8a2badd3c4a5a3dcd885d8aad5856a6f98729970b8d76f53bd1702eb82e7c45178d6dc26f0270cde

Download Submit
memory/3656-117-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/3656-119-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/3656-124-0x00007FFBBDA80000-0x00007FFBBDA90000-memory.dmp

Filesize
64KB

Download
memory/3656-123-0x00007FFBBDA80000-0x00007FFBBDA90000-memory.dmp

Filesize
64KB

Download
memory/3656-118-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/3656-412-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/3656-120-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/3656-414-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/3656-413-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/3656-415-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/4312-416-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/4312-417-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/4312-418-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/4312-422-0x00007FFBBDA80000-0x00007FFBBDA90000-memory.dmp

Filesize
64KB

Download
memory/4312-419-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/4312-423-0x00007FFBBDA80000-0x00007FFBBDA90000-memory.dmp

Filesize
64KB

Download
memory/4312-714-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/4312-716-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/4312-715-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download
memory/4312-713-0x00007FFBC0CA0000-0x00007FFBC0CB0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads