65dc9f50ea56438fb056a7d5c6a3f0d60f746562a41cb036ce2e34de44039de2

General

Target

adjure.04.30.2021.docm
Size

76KB
MD5

9749a2caec0f624162f5face69dee4b6
SHA1

fb2135c7ca8b93a84a5e42fe4d6b844c21b7936c
SHA256

b3dbdf013c494dc354374a50e95635d53d2dabfc59527a17a5f104e8deb07554
SHA512

29ac52a776927704ca72e5c26d1dbfce9bc8218371efb30f847b94714460816bcd8953d141dfdeaa9f31a6d2a879a302f2498edfb4aad2adcd927571bdb744c0
SSDEEP

1536:jTcpJQrigxDjV+l0rM81NCGCPisEHOAq4eyO6i1itW7YUvOMkksCLlg33h:jyJQe6nnrxRCPdYZuyL3t5UmMkkoHh

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

2944 WINWORD.EXE
2944 WINWORD.EXE
4548 WINWORD.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
2944	WINWORD.EXE
2944	WINWORD.EXE
2944	WINWORD.EXE
2944	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
2944	WINWORD.EXE
2944	WINWORD.EXE
2944	WINWORD.EXE
2944	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\adjure.04.30.2021.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
Filesize
502B

MD5
79a1dd7c95eb88fb22b9d41f6cb69910

SHA1
6e63431e41c7fa471bd70385450e206eca9c6a3d

SHA256
76bec9b563c212492089a7715c37ed363d7bacf875d2545af62703a9234143c4

SHA512
ad939e2b838530e75b996fe5d7ae5259da48fc821fc88e004ddba53717d2fcc64ea61fe36b2a70736730de9b41d9d76258177181ffc6fa4f713cb5c0a55b3437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
Filesize
329KB

MD5
1d2b9f6cfd19efb2dd296b8a3d30a2c3

SHA1
c3c09151ce5be5bcdcc99480de5f8d39ad308e88

SHA256
c23e9d89cb75d603330a5466d3c558ad46566e50f99b53575a7a2c9083a2f8bf

SHA512
0cc2fc1ebcd9d76665185104b65273886c7a7cba6be7deabeb35972b04983ef4684448e9f709d2a57ad8871a46c96c0e33e3d26354c7f86e24b894d235be52f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
Filesize
8KB

MD5
2dcd9bbe606f4d2a088d62ef2ce157e4

SHA1
508ae8a0fc5ed6a9a1bc777ae3dce95f31f8596a

SHA256
fb72a489733aefe972857ddf5d675c6dbf62a20ee0a9357f57fbddf90cad124b

SHA512
432eea162ff4c5c991cdf9e5f433eadd5960900e41d510f1f6a7b905f7674b41bc98d8e42c0488c273152649f92ae537a1352b128ca0d1e6d8c0e1ff2477d0c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
ecf0543b61e80636d7c5cca56e4e4232

SHA1
69a1a331c0c608162d71f2676eaecd7707ecd1fa

SHA256
a1d3b7d0b0a1e7c8d88fa4b88bbb99ae3fe7d93b82ebdb6c7206ea53d2fcdb99

SHA512
ebf24b47e411ceff0f74d698b0d7d34ff6d795dedf63121960fb14e6bab7bc6de819c8f767c3412411e26bb7745673e417e866d630e28198d797fbe747be5d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
d495d37ecf2e7b2513cf9bfb0dd7bc8e

SHA1
25ac2b5b957a8c5acc64623ad405654d9d6a338a

SHA256
2cb5e5ff9f6030df7228bb2b54b760ba2a4ba6e9d775b9016159400408f0b1a6

SHA512
282c4e3132f159cefb65b3e2fed29cef9aac5089537d8604ffb74c32c30361a209fd40628785a78906acd624ec66b95b04396fe39ec87a9cacc97fe2d1cd36e6

Download Submit
memory/2944-8-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-35-0x0000015762D90000-0x0000015763D60000-memory.dmp

Filesize
15.8MB

Download
memory/2944-7-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-105-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-9-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-10-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-11-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-12-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-13-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-14-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-16-0x00007FFA932C0000-0x00007FFA932D0000-memory.dmp

Filesize
64KB

Download
memory/2944-17-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-18-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-15-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-19-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-20-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-21-0x00007FFA932C0000-0x00007FFA932D0000-memory.dmp

Filesize
64KB

Download
memory/2944-26-0x0000015762D90000-0x0000015763D60000-memory.dmp

Filesize
15.8MB

Download
memory/2944-28-0x0000015763F40000-0x0000015764140000-memory.dmp

Filesize
2.0MB

Download
memory/2944-4-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/2944-38-0x0000015762D90000-0x0000015763D60000-memory.dmp

Filesize
15.8MB

Download
memory/2944-61-0x0000015762D90000-0x0000015763D60000-memory.dmp

Filesize
15.8MB

Download
memory/2944-99-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-148-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-149-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-6-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/2944-5-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-3-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/2944-2-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/2944-1-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/2944-0-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/2944-117-0x0000015762D90000-0x0000015763D60000-memory.dmp

Filesize
15.8MB

Download
memory/2944-116-0x0000015762D90000-0x0000015763D60000-memory.dmp

Filesize
15.8MB

Download
memory/2944-115-0x0000015762D90000-0x0000015763D60000-memory.dmp

Filesize
15.8MB

Download
memory/2944-114-0x0000015763F40000-0x0000015764140000-memory.dmp

Filesize
2.0MB

Download
memory/2944-113-0x0000015762D90000-0x0000015763D60000-memory.dmp

Filesize
15.8MB

Download
memory/2944-112-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-45-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-60-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-76-0x0000022D5DDA0000-0x0000022D5E5A0000-memory.dmp

Filesize
8.0MB

Download
memory/4548-82-0x0000022D5DDA0000-0x0000022D5E5A0000-memory.dmp

Filesize
8.0MB

Download
memory/4548-103-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/4548-104-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/4548-102-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/4548-101-0x00007FFA955B0000-0x00007FFA955C0000-memory.dmp

Filesize
64KB

Download
memory/4548-59-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-106-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-55-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-54-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-53-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-51-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-50-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-49-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-48-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-44-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-46-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-47-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-40-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-42-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download
memory/4548-41-0x00007FFAD5530000-0x00007FFAD5725000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads