Analysis Overview
SHA256
3e7e321ca46b1337d69b9d39ad4dc1b268abb33c9331c06ad07fbb93f29fab89
Threat Level: Known bad
The file Счёт на оплату.docm was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Suspicious Office macro
Process spawned suspicious child process
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 07:17
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 07:17
Reported
2024-07-04 07:18
Platform
win10v2004-20240611-en
Max time kernel
34s
Max time network
36s
Command Line
Signatures
MetaSploit
Process spawned suspicious child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\dwwin.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\dwwin.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\dwwin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\dwwin.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwwin.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2864 wrote to memory of 5060 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE |
| PID 2864 wrote to memory of 5060 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE |
| PID 5060 wrote to memory of 1764 | N/A | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE | C:\Windows\system32\dwwin.exe |
| PID 5060 wrote to memory of 1764 | N/A | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE | C:\Windows\system32\dwwin.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Счёт на оплату.docm" /o ""
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4552
C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 4552
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 184.28.176.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
Files
memory/2864-0-0x00007FF9D0B70000-0x00007FF9D0B80000-memory.dmp
memory/2864-2-0x00007FF9D0B70000-0x00007FF9D0B80000-memory.dmp
memory/2864-1-0x00007FF9D0B70000-0x00007FF9D0B80000-memory.dmp
memory/2864-3-0x00007FF9D0B70000-0x00007FF9D0B80000-memory.dmp
memory/2864-4-0x00007FF9D0B70000-0x00007FF9D0B80000-memory.dmp
memory/2864-5-0x00007FFA10B8D000-0x00007FFA10B8E000-memory.dmp
memory/2864-6-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/2864-8-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/2864-10-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/2864-9-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/2864-12-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/2864-13-0x00007FF9CE470000-0x00007FF9CE480000-memory.dmp
memory/2864-11-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/2864-7-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/2864-16-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/2864-15-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/2864-14-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/2864-17-0x00007FF9CE470000-0x00007FF9CE480000-memory.dmp
memory/2864-31-0x00000152DAD90000-0x00000152DAD91000-memory.dmp
memory/2864-33-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/2864-32-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/2864-34-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/5060-40-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/5060-42-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/5060-41-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/5060-61-0x00007FF9D0B70000-0x00007FF9D0B80000-memory.dmp
memory/5060-60-0x00007FF9D0B70000-0x00007FF9D0B80000-memory.dmp
memory/5060-59-0x00007FF9D0B70000-0x00007FF9D0B80000-memory.dmp
memory/5060-58-0x00007FF9D0B70000-0x00007FF9D0B80000-memory.dmp
memory/5060-62-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp
memory/2864-64-0x00007FFA10AF0000-0x00007FFA10CE5000-memory.dmp