bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f

General

Target

bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f.docx
Size

36KB
MD5

3b853ae547346befe5f3d06290635cf6
SHA1

dbdc7073a29e53aa16340d0c3da22680168aea94
SHA256

bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f
SHA512

716fa2bf5017c03a664cc300951a546c5a198334d7f36a68e541bc8dbdb408b9a49cf6bb4a738b036da77149e617c0079cb095107a4b96be90444e7d2ab6991a
SSDEEP

768:gXs7D7R7l3Dkd+d5pCM1OpoeySh3uJvPtKzggQpw6DF0v66vJDE/i6I1:R175AcHpSoeySVG3ggN/Y6RiZ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\https:\paknavy-gov-pk.downld.net\14578\1\6277\2\0\0\0\m\files-75dc2b1e\file.rtf	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3776	WINWORD.EXE
3776	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3776	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7FA5055B.emf

Filesize
52B

MD5
912ff26ac760112b12167f902f17ecfd

SHA1
ac2d2544f0607a40d2255a04aede580ac91f4673

SHA256
1833637d2bb49186e0667ae0896ecc4d5b00b3383529f74edb75cad8748cd9b3

SHA512
e837e4ee45800980d4001a80988224641538fd2f26a18bb5e9a68ebbea7a97f47aacc5b81fe9105931cda6dd2a721d5f7de880417560096c1e779eaf5c6d82f7

Download Submit
memory/3776-14-0x00007FF8C0580000-0x00007FF8C0590000-memory.dmp

Filesize
64KB

Download
memory/3776-54-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-1-0x00007FF8C2DF0000-0x00007FF8C2E00000-memory.dmp

Filesize
64KB

Download
memory/3776-4-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-5-0x00007FF8C2DF0000-0x00007FF8C2E00000-memory.dmp

Filesize
64KB

Download
memory/3776-6-0x00007FF8C2DF0000-0x00007FF8C2E00000-memory.dmp

Filesize
64KB

Download
memory/3776-7-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-8-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-9-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-10-0x00007FF8C0580000-0x00007FF8C0590000-memory.dmp

Filesize
64KB

Download
memory/3776-11-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-12-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-15-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-0-0x00007FF8C2DF0000-0x00007FF8C2E00000-memory.dmp

Filesize
64KB

Download
memory/3776-2-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-13-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-56-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-18-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-19-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-3-0x00007FF8C2DF0000-0x00007FF8C2E00000-memory.dmp

Filesize
64KB

Download
memory/3776-16-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-55-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-17-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-89-0x00007FF8C2DF0000-0x00007FF8C2E00000-memory.dmp

Filesize
64KB

Download
memory/3776-90-0x00007FF8C2DF0000-0x00007FF8C2E00000-memory.dmp

Filesize
64KB

Download
memory/3776-91-0x00007FF8C2DF0000-0x00007FF8C2E00000-memory.dmp

Filesize
64KB

Download
memory/3776-93-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-92-0x00007FF8C2DF0000-0x00007FF8C2E00000-memory.dmp

Filesize
64KB

Download
memory/3776-94-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download
memory/3776-95-0x00007FF902D70000-0x00007FF902F65000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads