7ccfa149c82865c7bef38d83a3cfe955fcbe8aad03a61c05b3281b1a9dd2e858

General

Target

QUOTATION.docx
Size

295KB
MD5

8feb6e9bf1782987b2d83aa5a39ae5d8
SHA1

49b44a52ab776e48377c6d56a4d7b09f717ae555
SHA256

7ccfa149c82865c7bef38d83a3cfe955fcbe8aad03a61c05b3281b1a9dd2e858
SHA512

965c11aabf49e32de333d2b2c76928c74146305174f33bc82bd59f9408800f994cfa5e987fb46122ac7970203de799bb83ee70afadc60aa9bc985476aecbceea
SSDEEP

6144:WGK/46IXgfuFO6S951ndPJ8fUeuCf9fLhCMG8f/W/:WGKgwfu4h1dPifUeuCf9fFZpfs

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1924	WINWORD.EXE
1924	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	1924	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE
1924	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\QUOTATION.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\114A24C3.emf

Filesize
1.4MB

MD5
476c7c2f309c957f6428d04e94c4f64a

SHA1
f1b0fa252babfb7002dc87069a436ad71bda532f

SHA256
c0da66b866cc999aee20456c2eee3eefc05046b8f5df3755f95fecb85f9f8be5

SHA512
c941fbacc6c98b556ea742538b2f2c61a66be677aa5f97457dfe07ea9652e17fe545ac05740f8ed20b1449fdcf38e97c49fe73ff8d53220a4e8d3e6e3615854e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B91VJWSD\attractivesthingsmusthappenedalwayswithmetogetitbackeverythinggoodforusbeautifuldaystartingwithme___tounderstandhowimporatntitistomeforentirethigs[1].doc

Filesize
73KB

MD5
6792b56004620587542f9e8f36298a7e

SHA1
5a37eb281189d37ce4a4a8d8f125f31926e20897

SHA256
3dfb687e656a50bfb9c1570dee36faf5b5fee99b9c319e1de8daf11b2a3b0cb7

SHA512
afe6e11249548db9e251bdf67cdd76ad9422b420e5e40acb957dd7b92142e6f0baec06922ba9ee4b3c6f1dba4aedc872851cee6608c9e820eb41d6716e74ab43

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDB81B.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
239B

MD5
2a89417d25eb92498eb51c3a83a0df11

SHA1
0c9105a8d45c55bec9e14d1a18a868b1931df928

SHA256
232c848c506e0c0c3eb15953aea657a414f4abc6be5f6d70e9b2852d74f5bdd7

SHA512
4aa6e5337f632f665a39ed2fb73358b7e2b4b7fc22433a957fc7e3beeaa78a951638abc958379bfb9051726a16e17c130d71281caf713a7a38da39b003a80a06

Download Submit
memory/1924-8-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download
memory/1924-17-0x00007FF959A60000-0x00007FF959A70000-memory.dmp

Filesize
64KB

Download
memory/1924-6-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download
memory/1924-0-0x00007FF95BB50000-0x00007FF95BB60000-memory.dmp

Filesize
64KB

Download
memory/1924-7-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download
memory/1924-11-0x00007FF959A60000-0x00007FF959A70000-memory.dmp

Filesize
64KB

Download
memory/1924-10-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download
memory/1924-9-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download
memory/1924-12-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download
memory/1924-14-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download
memory/1924-13-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download
memory/1924-16-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download
memory/1924-15-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download
memory/1924-5-0x00007FF99BB6D000-0x00007FF99BB6E000-memory.dmp

Filesize
4KB

Download
memory/1924-19-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download
memory/1924-18-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download
memory/1924-1-0x00007FF95BB50000-0x00007FF95BB60000-memory.dmp

Filesize
64KB

Download
memory/1924-4-0x00007FF95BB50000-0x00007FF95BB60000-memory.dmp

Filesize
64KB

Download
memory/1924-3-0x00007FF95BB50000-0x00007FF95BB60000-memory.dmp

Filesize
64KB

Download
memory/1924-176-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download
memory/1924-2-0x00007FF95BB50000-0x00007FF95BB60000-memory.dmp

Filesize
64KB

Download
memory/1924-685-0x00007FF95BB50000-0x00007FF95BB60000-memory.dmp

Filesize
64KB

Download
memory/1924-686-0x00007FF95BB50000-0x00007FF95BB60000-memory.dmp

Filesize
64KB

Download
memory/1924-687-0x00007FF95BB50000-0x00007FF95BB60000-memory.dmp

Filesize
64KB

Download
memory/1924-684-0x00007FF95BB50000-0x00007FF95BB60000-memory.dmp

Filesize
64KB

Download
memory/1924-688-0x00007FF99BAD0000-0x00007FF99BCC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads