71d1c282e1d5dda186dc9d47e1b69db04d2d45566e22e8ebaf54c6eb93eac5b9

General

Target

0199459fc1005591eb55d40eaa15c09c.doc
Size

35KB
MD5

0199459fc1005591eb55d40eaa15c09c
SHA1

adde9ea7028f7ec3ff8818c51afb754f77a517d7
SHA256

71d1c282e1d5dda186dc9d47e1b69db04d2d45566e22e8ebaf54c6eb93eac5b9
SHA512

f2e76048d482f1d55256048516a9d98df2a0afd260f2b1aba50be4301836aa4b80e18bc3a04057484bde176a1ca6524d06b4be81435c5ef69506db961a5d3d11
SSDEEP

384:QFBHvflHnbkam/ZMx1lz5vWD+WMjYSAltHE0:QLXurslvq+pE

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\Destrib.dll	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\~$estrib.dll	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\~WRD0001.tmp	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\~WRD0001.tmp	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\~WRL0002.tmp	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\~WRD0000.tmp	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1724	WINWORD.EXE
1724	WINWORD.EXE

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0199459fc1005591eb55d40eaa15c09c.doc" /o ""
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\Office16\Destrib.dll

Filesize
11KB

MD5
5108311ccab956896b13f83130fc0fab

SHA1
78e62c438c0f49776f8c75bd5ab850e4d22276e5

SHA256
ea1974df5d618eef17eff8cdde106fa1231f457aa1556f56cddb27fd90fadb4c

SHA512
7d6ca91a91ca676de82219d7465de3c7b21437abb70823f24680ffaf621bfcfb6747dcf36b1bd38d30e40bd6ad0626be4270b5c622662a95e96bf88a9333f144

Download Submit
C:\Program Files\Microsoft Office\root\Office16\~WRD0001.tmp

Filesize
11KB

MD5
f2f58829b407fa46ede690fad7310465

SHA1
4755460535217c65d6d0eec381446e6f78549028

SHA256
2569c0a106ec2c9bcef55f15e15d407b7224cd53f796aa6815bbc4d526cf265c

SHA512
ec67e7fa3cc85b3efeef3e0fb02abe13229f4eec6b2c37c37faeb92f3c0e2068bad7c9d4927ed3326b4fb0530a3001d68699117751353c222fe4bf679e23c428

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBC1E8.tmp

Filesize
1KB

MD5
f9c84746b4e5ea3543321c0fb6aa99d8

SHA1
7bdab973c7b4e382cb4baaff4a826d8f28d3b62a

SHA256
a81d157daff43e979dc23a9d117f39a51a9d5df614728dc8e22068c501a1b1f7

SHA512
190c7165e2bf21e7281efa0c537b88905b16cacbc645134d5a90e7a58f943287c628d07015059a2d6612e0b384468f54290bc04b8910430f6aaa98bd91c1143a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
267B

MD5
63580fe839f6ae2d58d115b502f5d73c

SHA1
b6285d35dd6c1023b43e50dac32f468aa2293438

SHA256
8ffd99a924652ee62eea4e16a8a364b8dc81cb9ae23ae8e3bc2851786eed21ff

SHA512
9f9d105b53b47b187c340ac836fa001d3918922debf3c6c09c02daa114618799ba7dc067f089303e53ec48450d1e95ec0ef40ba14a60d9bb1237cb02eaeb8020

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0003.tmp

Filesize
24KB

MD5
bf672e076cb8efe10f9b0acce11dfbec

SHA1
a1f221f1077daed8bc6bb9add6dec893aac7a2e4

SHA256
425da99f7f017f8d36a673670e9588c4555efcaf57afb7d4264dae99d1a63d2b

SHA512
fe5dc056355562fb215c0531f908bf8a0b0f89b0279d2025511115f8c6b5273734bf2e70278548686c3251d0dc85012674b211b89bba930d003087c89aede473

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
adddb11e5def8fc5e547d0bf748f284e

SHA1
ed4601d1a0320202037e474d2661a0aaed858806

SHA256
a85d53c06ada024dc48369bca459100672d04fde9e3c3bca15a1d0421db92bcf

SHA512
4d30bbfe513f16582c6dd8c103c6845af3de7dff318307a494421077610b08a6c8385b42b2c1658370a6d27b8664c6968c4af92190ccc4cc4fed3b5b8002d917

Download Submit
memory/1724-10-0x00007FFC4B490000-0x00007FFC4B4A0000-memory.dmp

Filesize
64KB

Download
memory/1724-4-0x00007FFC8DC70000-0x00007FFC8DE65000-memory.dmp

Filesize
2.0MB

Download
memory/1724-1-0x00007FFC4DCF0000-0x00007FFC4DD00000-memory.dmp

Filesize
64KB

Download
memory/1724-0-0x00007FFC4DCF0000-0x00007FFC4DD00000-memory.dmp

Filesize
64KB

Download
memory/1724-2-0x00007FFC4DCF0000-0x00007FFC4DD00000-memory.dmp

Filesize
64KB

Download
memory/1724-11-0x00007FFC4B490000-0x00007FFC4B4A0000-memory.dmp

Filesize
64KB

Download
memory/1724-22-0x000001EC8E9F0000-0x000001EC8F1F0000-memory.dmp

Filesize
8.0MB

Download
memory/1724-35-0x000001EC8E9F0000-0x000001EC8F1F0000-memory.dmp

Filesize
8.0MB

Download
memory/1724-36-0x000001EC92920000-0x000001EC938F0000-memory.dmp

Filesize
15.8MB

Download
memory/1724-9-0x00007FFC8DC70000-0x00007FFC8DE65000-memory.dmp

Filesize
2.0MB

Download
memory/1724-44-0x000001EC92920000-0x000001EC938F0000-memory.dmp

Filesize
15.8MB

Download
memory/1724-49-0x000001EC92920000-0x000001EC938F0000-memory.dmp

Filesize
15.8MB

Download
memory/1724-7-0x00007FFC8DC70000-0x00007FFC8DE65000-memory.dmp

Filesize
2.0MB

Download
memory/1724-8-0x00007FFC8DC70000-0x00007FFC8DE65000-memory.dmp

Filesize
2.0MB

Download
memory/1724-3-0x00007FFC4DCF0000-0x00007FFC4DD00000-memory.dmp

Filesize
64KB

Download
memory/1724-188-0x00007FFC8DC70000-0x00007FFC8DE65000-memory.dmp

Filesize
2.0MB

Download
memory/1724-189-0x00007FFC8DC70000-0x00007FFC8DE65000-memory.dmp

Filesize
2.0MB

Download
memory/1724-6-0x00007FFC8DC70000-0x00007FFC8DE65000-memory.dmp

Filesize
2.0MB

Download
memory/1724-201-0x000001EC8E9F0000-0x000001EC8F1F0000-memory.dmp

Filesize
8.0MB

Download
memory/1724-202-0x000001EC8E9F0000-0x000001EC8F1F0000-memory.dmp

Filesize
8.0MB

Download
memory/1724-203-0x000001EC92920000-0x000001EC938F0000-memory.dmp

Filesize
15.8MB

Download
memory/1724-204-0x000001EC92920000-0x000001EC938F0000-memory.dmp

Filesize
15.8MB

Download
memory/1724-205-0x000001EC92920000-0x000001EC938F0000-memory.dmp

Filesize
15.8MB

Download
memory/1724-214-0x000001EC8E9F0000-0x000001EC8F1F0000-memory.dmp

Filesize
8.0MB

Download
memory/1724-215-0x000001EC92920000-0x000001EC938F0000-memory.dmp

Filesize
15.8MB

Download
memory/1724-218-0x000001EC92920000-0x000001EC938F0000-memory.dmp

Filesize
15.8MB

Download
memory/1724-5-0x00007FFC4DCF0000-0x00007FFC4DD00000-memory.dmp

Filesize
64KB

Download
memory/1724-245-0x00007FFC4DCF0000-0x00007FFC4DD00000-memory.dmp

Filesize
64KB

Download
memory/1724-244-0x00007FFC4DCF0000-0x00007FFC4DD00000-memory.dmp

Filesize
64KB

Download
memory/1724-247-0x00007FFC8DC70000-0x00007FFC8DE65000-memory.dmp

Filesize
2.0MB

Download
memory/1724-246-0x00007FFC4DCF0000-0x00007FFC4DD00000-memory.dmp

Filesize
64KB

Download
memory/1724-248-0x00007FFC8DC70000-0x00007FFC8DE65000-memory.dmp

Filesize
2.0MB

Download
memory/1724-249-0x00007FFC8DC70000-0x00007FFC8DE65000-memory.dmp

Filesize
2.0MB

Download
memory/1724-243-0x00007FFC4DCF0000-0x00007FFC4DD00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads