515d6d969cb2fed6d0c4cd68fefbfce8aaddaf2ac3c6c900a47f17cd940d0ffe

General

Target

7cd7980a655c82a4bdd51ed4010bf4f3.doc
Size

29KB
MD5

7cd7980a655c82a4bdd51ed4010bf4f3
SHA1

d57e1e8010528fd101c0bee5f445ce538fa5b077
SHA256

515d6d969cb2fed6d0c4cd68fefbfce8aaddaf2ac3c6c900a47f17cd940d0ffe
SHA512

74fa7ad461736f9a57c13ad5152a6abb4990de8f86f3a1f14803c26d2f4971131ef7114275af67c00262cfef2d6eddbbace207b5cdcedc1e36f6c60c5803f8d8
SSDEEP

192:AQw2hwUc6nlzVbMjclYKej8XqbFeOOxdqPtVLFb:Pwv6nlzVbMjcluwXqbFeJ8td

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1444	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1444	WINWORD.EXE
1444	WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1444	WINWORD.EXE
1444	WINWORD.EXE
1444	WINWORD.EXE
1444	WINWORD.EXE
1444	WINWORD.EXE
1444	WINWORD.EXE
1444	WINWORD.EXE
1444	WINWORD.EXE
1444	WINWORD.EXE
1444	WINWORD.EXE
1444	WINWORD.EXE
1444	WINWORD.EXE
1444	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7cd7980a655c82a4bdd51ed4010bf4f3.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp

Filesize
32KB

MD5
fe44cb86c76ac5053d736f200a5479d1

SHA1
6bdc8680673672401662bc5066d311749a7d7d77

SHA256
fc2f31e6d4f4df7e48ad074cca5f64beeea772da999319cf4dde751cdff6cb88

SHA512
c3729b5e46277b7b56ced0c2644024732d16a445b1bbb18d426ec408a2f03e1931eae4b2be20a730051d92dc27cb1ca0b41a90134781acf6859998bcdfcff065

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0002.tmp

Filesize
24KB

MD5
9b918b201313849d5639341565295611

SHA1
240e3ff07eedfc9830c41da1e40315fe03945fe5

SHA256
f07efc67d00534762e8c20d96cfbee457da8adc6d03f81a3330c2defb8bb00c4

SHA512
ff572ca3bc0f706513b78cb949bdc5c2a757356f7fab4fc03855208110e42f6f23e638ba15b0dff7caeeb38363de64fe20b7301ccdde3aa762d49bc94e4ab093

Download Submit
memory/1444-18-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-19-0x00007FFADA730000-0x00007FFADA740000-memory.dmp

Filesize
64KB

Download
memory/1444-4-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download
memory/1444-5-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-6-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download
memory/1444-8-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-7-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-9-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-10-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-11-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-12-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-14-0x00007FFADA730000-0x00007FFADA740000-memory.dmp

Filesize
64KB

Download
memory/1444-15-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-13-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-16-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-17-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-3-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download
memory/1444-1-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download
memory/1444-34-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-35-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-36-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-37-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-48-0x0000021472580000-0x0000021473550000-memory.dmp

Filesize
15.8MB

Download
memory/1444-65-0x0000021472580000-0x0000021473550000-memory.dmp

Filesize
15.8MB

Download
memory/1444-66-0x0000021472580000-0x0000021473550000-memory.dmp

Filesize
15.8MB

Download
memory/1444-67-0x0000021472580000-0x0000021473550000-memory.dmp

Filesize
15.8MB

Download
memory/1444-2-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-0-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download
memory/1444-107-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download
memory/1444-108-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download
memory/1444-109-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download
memory/1444-110-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download
memory/1444-111-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-112-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-113-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads