2de0dadac54fcdde57770c596f3ae4975e3936b40acd35cf23b9ac6727e0b51b

Analysis

max time kernel
118s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 01:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SWIFT Transfer MT103.docx
Size

9KB
MD5

9c5c3fe57b90731b2edd19ffef40c114
SHA1

56b601d50b943d8ab4d0cd7a70ba3126c83f1611
SHA256

0c56b70fdb81c54cca777e7225783ccf71986a796b0b10521d048e48a694be01
SHA512

5f511a26e15b3bf7566a5306e2658381534efc459c675947f006ad706db857a39fda3de66cf243c4b0d0487a07d21fd066b905407f04ac56bb9f42cfd319aec7
SSDEEP

192:G0cSPQt7WOF1MyMtWNhYVk0mqQTnhr5OhCQT1QSYP55h4OybFTB8GoA6ajzokWS3:rjPMlQyMtiq4LOoQT1QXD+xdcgmS

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2164	2636	MsoSync.exe	80

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MsoSync.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	MsoSync.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\http:\v20068.dh.net.ua\doc\akwu001.doc	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2636	WINWORD.EXE
2636	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	2636	WINWORD.EXE
Token: SeAuditPrivilege	2164	MsoSync.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2164	MsoSync.exe
2164	MsoSync.exe
2164	MsoSync.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2164	MsoSync.exe
2164	MsoSync.exe
2164	MsoSync.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2636	WINWORD.EXE
2636	WINWORD.EXE
2636	WINWORD.EXE
2636	WINWORD.EXE
2636	WINWORD.EXE
2636	WINWORD.EXE
2636	WINWORD.EXE
2164	MsoSync.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2164	2636	WINWORD.EXE	94
PID 2636 wrote to memory of 2164	2636	WINWORD.EXE	94

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SWIFT Transfer MT103.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe
  "C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"
  2⤵
  - Process spawned unexpected child process
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

Filesize
512KB

MD5
b4c3a0f2a8f295088c962c94a478079b

SHA1
e514e5e7b5f1954f5a398e3390e4eac6b884810e

SHA256
0b1e4dd330d84c9276f3023c1f189618ec62cc6721d8f56cf3b35627a92ecb9b

SHA512
1f6511ed1ee77ac7f70b3ab8a60fc8591d32da953083ff95baaf72a5fbfcbe5c70dbfcfc4b5e327b22da2f0757efde376640abe9628fba4a5a50fe2ffc447580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

Filesize
128B

MD5
703dce4cafdd99bac14105fd93fc809f

SHA1
5d84a655db4b948f8ad633fcca2ccd85f4e03d2b

SHA256
4c2569915713d021561011b9da94574dcc3d13911df90ce492ef5217183c0733

SHA512
7ce082a4ec1b97756ffec15fd249e3887dda87a63d7ce683fe0785c66d5c8a7fedaa35ab67da47e9cce4b2a0ef1330beb24f1d1d7e990485fa7194bb85a0dbf9

Download Submit
memory/2164-50-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2164-57-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2164-56-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2164-54-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2164-42-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2164-55-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2164-58-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2164-39-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2164-40-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2164-38-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2164-43-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2164-44-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2164-41-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2636-14-0x00007FFECA160000-0x00007FFECA170000-memory.dmp

Filesize
64KB

Download
memory/2636-10-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-19-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-20-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-22-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-21-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-18-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-17-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-34-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-15-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-6-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-7-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-9-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-16-0x00007FFECA160000-0x00007FFECA170000-memory.dmp

Filesize
64KB

Download
memory/2636-0-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2636-11-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-13-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-12-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-8-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download
memory/2636-5-0x00007FFF0C20D000-0x00007FFF0C20E000-memory.dmp

Filesize
4KB

Download
memory/2636-3-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2636-4-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2636-1-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2636-2-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2636-79-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2636-80-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

Filesize
64KB

Download
memory/2636-83-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads