e8f03287c51f6b2992c960c487de1b74d64571a590ce84de7aced738516d699c

Resubmissions

25/06/2024, 08:51

240625-kr7l8azcrc 10

Analysis

max time kernel
117s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 08:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RY94HT.docx
Size

78KB
MD5

8a9fa85139fa2d1703b9e829194386e3
SHA1

c806f09a1e941406ffc8172d85c2e811d77a2666
SHA256

e8f03287c51f6b2992c960c487de1b74d64571a590ce84de7aced738516d699c
SHA512

d354c017a0d5873e1fea65048cc1454f944badf8a6d742ec5081f44bae65e08e448c3d27ebf4b274d920aa6a9a5d45bac83705179f6b2f072aad7f504590ee96
SSDEEP

1536:qYsWvkcezR1I/qpzVAG3yFqmlkxDvRwuThQgkMf5wzwrI2TafagDiGlOyS+n5cJ8:lXe912Gz3qlOvRxQgrfy92qagDiGloJ8

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	808	2168	MsoSync.exe	80

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MsoSync.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	MsoSync.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2168	WINWORD.EXE
2168	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	2168	WINWORD.EXE
Token: SeAuditPrivilege	808	MsoSync.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
808	MsoSync.exe
808	MsoSync.exe
808	MsoSync.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
808	MsoSync.exe
808	MsoSync.exe
808	MsoSync.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
808	MsoSync.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 808	2168	WINWORD.EXE	90
PID 2168 wrote to memory of 808	2168	WINWORD.EXE	90

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RY94HT.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe
  "C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"
  2⤵
  - Process spawned unexpected child process
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

Filesize
512KB

MD5
3b04e219cd582f0ade3fef3177471bf4

SHA1
82e25f9667dbaebd9eb173d2f4389e5380b6ed3f

SHA256
7f3359cab6002f5d4ae5213910bc7c2171c1d0383095c70af0b2a8f6d9bd5aff

SHA512
00026d874db5bb029bd2c595f3f41ffaae5abb417d23b86dc3f9473b7f5742fc11ca1e2a868d7e9cb5c1024634406be0d7dcb6781a66566266550823c3a9497f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

Filesize
128B

MD5
93613f092b43447e50c65482aaa83cc0

SHA1
cc159612a0a4f7406cb9454beac572821a62e725

SHA256
7af07a3503b5c736e99c982e468b2c42a90b8f8eb990f00ff17f45f76a9ec427

SHA512
193043f2968c2ef0b62427e77306873c20ab270409bf37adc758f4b770d1908584ef9b48f07d0c0804e042a764e4c2ce644935e3ac855d41b264257af35ff023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\73629CB8.emf

Filesize
1.4MB

MD5
476c7c2f309c957f6428d04e94c4f64a

SHA1
f1b0fa252babfb7002dc87069a436ad71bda532f

SHA256
c0da66b866cc999aee20456c2eee3eefc05046b8f5df3755f95fecb85f9f8be5

SHA512
c941fbacc6c98b556ea742538b2f2c61a66be677aa5f97457dfe07ea9652e17fe545ac05740f8ed20b1449fdcf38e97c49fe73ff8d53220a4e8d3e6e3615854e

Download Submit
memory/808-65-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/808-64-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/808-62-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/808-58-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/808-63-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/808-66-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/808-52-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/808-51-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/808-50-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/808-49-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/808-46-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/808-47-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/808-48-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-10-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-0-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/2168-15-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-21-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-20-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-13-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-33-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-17-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-19-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-18-0x00007FF9D2410000-0x00007FF9D2420000-memory.dmp

Filesize
64KB

Download
memory/2168-14-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-11-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-12-0x00007FF9D2410000-0x00007FF9D2420000-memory.dmp

Filesize
64KB

Download
memory/2168-16-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-7-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-9-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-8-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-6-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download
memory/2168-5-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/2168-4-0x00007FFA146AD000-0x00007FFA146AE000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/2168-3-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/2168-2-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/2168-90-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/2168-89-0x00007FF9D4690000-0x00007FF9D46A0000-memory.dmp

Filesize
64KB

Download
memory/2168-93-0x00007FFA14610000-0x00007FFA14805000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads