403b71c0ff36ff91bd8102d080b744f811978f4d3017a80b527a7f93f1e6e1ad

General

Target

54deafaa7fbd40b7da5f291d6f6a683d.doc
Size

38KB
MD5

54deafaa7fbd40b7da5f291d6f6a683d
SHA1

5e3fa26bdbc204a26b6ae642b3e8911a2b857b8e
SHA256

403b71c0ff36ff91bd8102d080b744f811978f4d3017a80b527a7f93f1e6e1ad
SHA512

902dfb651f5c9797ca3d14e60d7cbaa8f27f1f33869f52547d331486513f20e9cc9fc9b79804f47ee69a76af730d715f40a4e25e7093049e853386647126ee2b
SSDEEP

384:rzOmycGhgnfLWmihpF2z0zjsxGL6upkqv50Q51:/OmlGhgnDW53NHO1qv50Q5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4748	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4748	WINWORD.EXE
4748	WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4748	WINWORD.EXE
4748	WINWORD.EXE
4748	WINWORD.EXE
4748	WINWORD.EXE
4748	WINWORD.EXE
4748	WINWORD.EXE
4748	WINWORD.EXE
4748	WINWORD.EXE
4748	WINWORD.EXE
4748	WINWORD.EXE
4748	WINWORD.EXE
4748	WINWORD.EXE
4748	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\54deafaa7fbd40b7da5f291d6f6a683d.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VB99B0.tmp

Filesize
1KB

MD5
c24a6bc31320ab4de4f004f231419aa8

SHA1
7d9035a54ce4483602369b161fe59a0b1e232b4d

SHA256
5234d340260df439355558f13f446a87dbbe358f4eebbe4d9f42a574d3432dcc

SHA512
be8c35157ee1852b7829c4fc2e6a7209b63284973a30af8a7c732f6b6684de5426d124adc65e87cdf8eeab1a65bcc02a648fa05f9144caf98c6307a4e5d00214

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp

Filesize
48KB

MD5
4f0beb6290d780f2bbb31895fa7477a7

SHA1
405c6de2fd1f5ce2470b17d21997feb1ce871f4e

SHA256
84ca764f35b304fd939178e82278638159af7a9fded29e34f3b536037dcf783d

SHA512
292dc0b5611df23077271f3a2a49a40a88f1776a457fb638305b135d06d2d9f97c0438bd7c66d8cb797b60743c17c2aada87797015a1ca340ac22bef35f02780

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0002.tmp

Filesize
24KB

MD5
b25c2f921a31c5a44faedb3a946f5c32

SHA1
28192f799f035c016156eddc17454782d61d9215

SHA256
261d093177bc8cc66372bb01c71eb6e838e6d8329ae5bb3e4361d26b75a9a4ce

SHA512
82f838cbc832813dff039c1524874d6bddcdaaf720672adc766f87bd51cb2e2656cfcb74541586e7d572383499bf07b09e3d002ca24fffe4c66b641f12d102af

Download Submit
memory/4748-41-0x0000016078A60000-0x0000016079A30000-memory.dmp

Filesize
15.8MB

Download
memory/4748-61-0x00007FFE26CD0000-0x00007FFE26EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-3-0x00007FFDE6D50000-0x00007FFDE6D60000-memory.dmp

Filesize
64KB

Download
memory/4748-2-0x00007FFE26CD0000-0x00007FFE26EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-7-0x00007FFE26CD0000-0x00007FFE26EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-8-0x00007FFDE6D50000-0x00007FFDE6D60000-memory.dmp

Filesize
64KB

Download
memory/4748-9-0x00007FFE26CD0000-0x00007FFE26EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-10-0x00007FFE26CD0000-0x00007FFE26EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-55-0x00007FFE26CD0000-0x00007FFE26EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-12-0x00007FFDE4700000-0x00007FFDE4710000-memory.dmp

Filesize
64KB

Download
memory/4748-24-0x0000016074B30000-0x0000016075330000-memory.dmp

Filesize
8.0MB

Download
memory/4748-6-0x00007FFDE6D50000-0x00007FFDE6D60000-memory.dmp

Filesize
64KB

Download
memory/4748-38-0x0000016078A60000-0x0000016079A30000-memory.dmp

Filesize
15.8MB

Download
memory/4748-0-0x00007FFDE6D50000-0x00007FFDE6D60000-memory.dmp

Filesize
64KB

Download
memory/4748-5-0x00007FFE26CD0000-0x00007FFE26EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-4-0x00007FFE26CD0000-0x00007FFE26EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-11-0x00007FFDE4700000-0x00007FFDE4710000-memory.dmp

Filesize
64KB

Download
memory/4748-53-0x0000016078A60000-0x0000016079A30000-memory.dmp

Filesize
15.8MB

Download
memory/4748-62-0x00007FFE26CD0000-0x00007FFE26EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-63-0x0000016074B30000-0x0000016075330000-memory.dmp

Filesize
8.0MB

Download
memory/4748-64-0x0000016078A60000-0x0000016079A30000-memory.dmp

Filesize
15.8MB

Download
memory/4748-65-0x0000016078A60000-0x0000016079A30000-memory.dmp

Filesize
15.8MB

Download
memory/4748-66-0x0000016078A60000-0x0000016079A30000-memory.dmp

Filesize
15.8MB

Download
memory/4748-72-0x0000016078A60000-0x0000016079A30000-memory.dmp

Filesize
15.8MB

Download
memory/4748-1-0x00007FFDE6D50000-0x00007FFDE6D60000-memory.dmp

Filesize
64KB

Download
memory/4748-100-0x00007FFDE6D50000-0x00007FFDE6D60000-memory.dmp

Filesize
64KB

Download
memory/4748-101-0x00007FFDE6D50000-0x00007FFDE6D60000-memory.dmp

Filesize
64KB

Download
memory/4748-102-0x00007FFDE6D50000-0x00007FFDE6D60000-memory.dmp

Filesize
64KB

Download
memory/4748-103-0x00007FFDE6D50000-0x00007FFDE6D60000-memory.dmp

Filesize
64KB

Download
memory/4748-104-0x00007FFE26CD0000-0x00007FFE26EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-106-0x00007FFE26CD0000-0x00007FFE26EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4748-105-0x00007FFE26CD0000-0x00007FFE26EC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads