2eefe681da33a0ef3f740fcf5d5b8ee34286f4ac738dde57cf0b048f0959d339

General

Target

77bea19bf75d96e47af382454c414708e92c3e89273fb8f71590a1c9f5a80c21.rtf
Size

355KB
MD5

c8dd6964b7d481e52f8aef6b5af2c66c
SHA1

be89c5ba35edc8ec4d39f9967276dc77eb751ed9
SHA256

77bea19bf75d96e47af382454c414708e92c3e89273fb8f71590a1c9f5a80c21
SHA512

56184cdc3e201ba2c318baf72733413c688e099572d970a56507c3091056ab0704bd8769cdba2a21cb58bcb7171015569863bc226cafc3bcfffdb1b730305abd
SSDEEP

1536:uVPJM5JT77dHkTupkn/T2ivHWg55xi+qLO8YPE+oS1V9a:4K5J5H8upQ/yiPWgxi+qLOvoS

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5072	WINWORD.EXE
5072	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5072	WINWORD.EXE
5072	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 3484	5072	WINWORD.EXE	85
PID 5072 wrote to memory of 3484	5072	WINWORD.EXE	85

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\77bea19bf75d96e47af382454c414708e92c3e89273fb8f71590a1c9f5a80c21.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2414336A.wmf

Filesize
642B

MD5
4f03b86e4d6631c26ff5fffc7332be1d

SHA1
14952a78ea51df67d5b5b6c6b4de3d96ba7935bd

SHA256
83f4ea26254d69825486bffd1d400217aac7245c5c48fe5acc3ccdea173c4851

SHA512
4bed29b66444d826e89589b55dd786758ff68fcd2daf8296703d4443edb991fffce563e20db22bfb34fdb488638bbb43252392b6c105d12e721329adc2774632

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD864D.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
memory/5072-6-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/5072-13-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/5072-5-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/5072-4-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/5072-2-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/5072-9-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/5072-10-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/5072-8-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/5072-11-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/5072-15-0x00007FFC94F90000-0x00007FFC94FA0000-memory.dmp

Filesize
64KB

Download
memory/5072-3-0x00007FFCD716D000-0x00007FFCD716E000-memory.dmp

Filesize
4KB

Download
memory/5072-12-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/5072-14-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/5072-7-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/5072-16-0x00007FFC94F90000-0x00007FFC94FA0000-memory.dmp

Filesize
64KB

Download
memory/5072-0-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/5072-1-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/5072-521-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/5072-548-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/5072-549-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/5072-550-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/5072-551-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/5072-552-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads