b6e5c0406badcddf9a446933f51fddb70f6c2291fe08eb71d258d5457d67dbee

General

Target

b6e5c0406badcddf9a446933f51fddb70f6c2291fe08eb71d258d5457d67dbee_JC.docm
Size

4.7MB
MD5

b390e6672f4d4f66f78bf3f3719dff20
SHA1

0da29451486a4472552ee2bb8cb00e9545416b4e
SHA256

b6e5c0406badcddf9a446933f51fddb70f6c2291fe08eb71d258d5457d67dbee
SHA512

26a8fe666ae66684dc6b0585a699871c47f7c16fbd932d02e07b8ec2dccfa843a8691b958dad713c242af15b81da723d5a2dd9b64b824a948b243399fef2f4b5
SSDEEP

98304:Kyd5l3bFoQVdeG25i/GVQH5y79JXe/8cV+wFsV7b+cMKBR9UXzhFoHfx6Zw:FRoQGieVQH5yhNK8cV+wFslycvBROjcn

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3020	WINWORD.EXE
3020	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b6e5c0406badcddf9a446933f51fddb70f6c2291fe08eb71d258d5457d67dbee_JC.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3020-0-0x00007FF854170000-0x00007FF854180000-memory.dmp

Filesize
64KB

Download
memory/3020-1-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-3-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-2-0x00007FF854170000-0x00007FF854180000-memory.dmp

Filesize
64KB

Download
memory/3020-5-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-4-0x00007FF854170000-0x00007FF854180000-memory.dmp

Filesize
64KB

Download
memory/3020-7-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-6-0x00007FF854170000-0x00007FF854180000-memory.dmp

Filesize
64KB

Download
memory/3020-8-0x00007FF854170000-0x00007FF854180000-memory.dmp

Filesize
64KB

Download
memory/3020-9-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-10-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-11-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-12-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-13-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-14-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-16-0x00007FF851D90000-0x00007FF851DA0000-memory.dmp

Filesize
64KB

Download
memory/3020-17-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-15-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-18-0x00007FF851D90000-0x00007FF851DA0000-memory.dmp

Filesize
64KB

Download
memory/3020-22-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-23-0x00007FF8940F0000-0x00007FF8942E5000-memory.dmp

Filesize
2.0MB

Download
memory/3020-36-0x000001255D160000-0x000001255E130000-memory.dmp

Filesize
15.8MB

Download
memory/3020-37-0x000001255D160000-0x000001255E130000-memory.dmp

Filesize
15.8MB

Download
memory/3020-38-0x000001255D160000-0x000001255E130000-memory.dmp

Filesize
15.8MB

Download
memory/3020-39-0x000001255D160000-0x000001255E130000-memory.dmp

Filesize
15.8MB

Download
memory/3020-40-0x000001255D160000-0x000001255E130000-memory.dmp

Filesize
15.8MB

Download
memory/3020-44-0x0000012563630000-0x0000012564600000-memory.dmp

Filesize
15.8MB

Download
memory/3020-45-0x000001255D160000-0x000001255E130000-memory.dmp

Filesize
15.8MB

Download
memory/3020-46-0x0000012563630000-0x0000012564600000-memory.dmp

Filesize
15.8MB

Download
memory/3020-47-0x000001255D160000-0x000001255E130000-memory.dmp

Filesize
15.8MB

Download
memory/3020-48-0x000001255D160000-0x000001255E130000-memory.dmp

Filesize
15.8MB

Download
memory/3020-49-0x000001255D160000-0x000001255E130000-memory.dmp

Filesize
15.8MB

Download
memory/3020-50-0x000001255D160000-0x000001255E130000-memory.dmp

Filesize
15.8MB

Download
memory/3020-51-0x0000012563630000-0x0000012564600000-memory.dmp

Filesize
15.8MB

Download
memory/3020-52-0x0000012563630000-0x0000012564600000-memory.dmp

Filesize
15.8MB

Download
memory/3020-53-0x000001255D160000-0x000001255E130000-memory.dmp

Filesize
15.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads