e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96

General

Target

e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96.docx
Size

37KB
MD5

6de35c22ca3f026a6a645fc9fda40565
SHA1

252a6d49a0d9096e8c48c11d7c9a934681e55f6a
SHA256

e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96
SHA512

b872b0509756ca5e5dc8ce14eb83b6c5eb354093a62702a70caceb8ed0ce9d1fb854a55a99302d1e329635891174a525c14e8b036cc7bb18afab1589d2b29f28
SSDEEP

768:lJH2e8oUg8OALyuki2cDsNNP+vB2ZmwVbMLAVYAS50zhR:PWe8XtTLLZ2cDsNNP+vB2ZmwVbtVY8zz

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MsoSync.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	456	1372	MsoSync.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1372 WINWORD.EXE
1372 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1372 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

1372 WINWORD.EXE
1372 WINWORD.EXE
1372 WINWORD.EXE
1372 WINWORD.EXE
1372 WINWORD.EXE
1372 WINWORD.EXE
1372 WINWORD.EXE

pid	process
1372	WINWORD.EXE
1372	WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	1372	WINWORD.EXE

pid	process
1372	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1372 wrote to memory of 456	1372	WINWORD.EXE	MsoSync.exe
PID 1372 wrote to memory of 456	1372	WINWORD.EXE	MsoSync.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372

C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe
"C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"
2⤵
- Process spawned unexpected child process
PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BD5F6B41.emf

Filesize
7KB

MD5
7e996b534a3324631882ffd86897ce3c

SHA1
6f74be38140b3e5c4d3ff32e1a02baa4d393a2aa

SHA256
e1a781642c3618141f217d23ab95d00fa9a1b59090b78414f92be441c533a40f

SHA512
a89a8ecbc4414e809dd6cdaf0567a3bbaddb73db1a103d48ab816cd743d116e627f051376c586462b6948caaf694c30d1b62d65a771a17b631516c599474e45e

Download Submit
memory/456-54-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/456-53-0x00007FF913830000-0x00007FF913840000-memory.dmp

Filesize
64KB

Download
memory/456-52-0x00007FF951400000-0x00007FF9516C9000-memory.dmp

Filesize
2.8MB

Download
memory/456-51-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/456-50-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/456-49-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-8-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-28-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-0-0x00007FF913830000-0x00007FF913840000-memory.dmp

Filesize
64KB

Download
memory/1372-10-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-11-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-12-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-13-0x00007FF911030000-0x00007FF911040000-memory.dmp

Filesize
64KB

Download
memory/1372-14-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-15-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-16-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-17-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-18-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-19-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-20-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-21-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-9-0x00007FF911030000-0x00007FF911040000-memory.dmp

Filesize
64KB

Download
memory/1372-29-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-7-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-47-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-6-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-2-0x00007FF913830000-0x00007FF913840000-memory.dmp

Filesize
64KB

Download
memory/1372-4-0x00007FF913830000-0x00007FF913840000-memory.dmp

Filesize
64KB

Download
memory/1372-5-0x00007FF913830000-0x00007FF913840000-memory.dmp

Filesize
64KB

Download
memory/1372-3-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-1-0x00007FF913830000-0x00007FF913840000-memory.dmp

Filesize
64KB

Download
memory/1372-78-0x00007FF913830000-0x00007FF913840000-memory.dmp

Filesize
64KB

Download
memory/1372-79-0x00007FF913830000-0x00007FF913840000-memory.dmp

Filesize
64KB

Download
memory/1372-80-0x00007FF913830000-0x00007FF913840000-memory.dmp

Filesize
64KB

Download
memory/1372-81-0x00007FF913830000-0x00007FF913840000-memory.dmp

Filesize
64KB

Download
memory/1372-82-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download
memory/1372-83-0x00007FF9537B0000-0x00007FF9539A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads