e5cd6145ccc4dd24a1f8f7fde8933ebf7afeaafc52b8ab2c19a4c752ec281efa

General

Target

e5cd6145ccc4dd24a1f8f7fde8933ebf7afeaafc52b8ab2c19a4c752ec281efa.docx
Size

16KB
MD5

8d5a9a8978f345f34597fdda3b77aa15
SHA1

61fa9cf1e7f058018106ebf7db7a1af70c53ef1b
SHA256

e5cd6145ccc4dd24a1f8f7fde8933ebf7afeaafc52b8ab2c19a4c752ec281efa
SHA512

2546b42680a703474a3ee7dee29872446d1ac715834f9170bafc0c4a1273c66444e7423ba739128764c5049c35b000b06963a5f9a3701d55d6becbacb8831a76
SSDEEP

384:byXlm4wWns8PL8wi4OEwH8TIbE91r2fRNJY6viBnVs+f:bclAA5P3DOqnYJrTvQnVse

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2916	WINWORD.EXE
2916	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	2916	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2916	WINWORD.EXE
2916	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2916	WINWORD.EXE
2916	WINWORD.EXE
2916	WINWORD.EXE
2916	WINWORD.EXE
2916	WINWORD.EXE
2916	WINWORD.EXE
2916	WINWORD.EXE
2916	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2336	2916	WINWORD.EXE	90
PID 2916 wrote to memory of 2336	2916	WINWORD.EXE	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e5cd6145ccc4dd24a1f8f7fde8933ebf7afeaafc52b8ab2c19a4c752ec281efa.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\18923D97.wmf

Filesize
512B

MD5
94b82e1db31b26f83777caa8b1c01321

SHA1
f02493727ad477b8e6677673aab5407a69e83c98

SHA256
c62ae3af3d27d1fddea8d159815807d15a8ccf50ca0ec09ef457d862e20923e1

SHA512
061837fa9f46fb8756ee8aec8f87e584de2054705545f1a3b07d2d95c88fb3c88c8b4a7a6e2da906672098a37a5278166b5e5c715f2140e9c2493d7fc80886eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A141C41B.wmf

Filesize
642B

MD5
4f03b86e4d6631c26ff5fffc7332be1d

SHA1
14952a78ea51df67d5b5b6c6b4de3d96ba7935bd

SHA256
83f4ea26254d69825486bffd1d400217aac7245c5c48fe5acc3ccdea173c4851

SHA512
4bed29b66444d826e89589b55dd786758ff68fcd2daf8296703d4443edb991fffce563e20db22bfb34fdb488638bbb43252392b6c105d12e721329adc2774632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E4F4F46E.wmf

Filesize
512B

MD5
1b3219e50454576290be2c5ccf473bbd

SHA1
56990ca73c9899a1637ab734dc135afc7c004ef5

SHA256
77011bc7d7610ea9c2668d42024e09f76e3553fd9e91200d7d2ae790600da41a

SHA512
73275a850c1dc9b33aec7c7146037fbf0516f6a6c81000eff17fc803048c45b20d957f3b510ca2ca899abd371b0857f55e679cdb2a7e83416ba9308b7c81ec38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WO7P3K64\white[1].htm

Filesize
4KB

MD5
5abd9b967f8706464e9ba1757210e3fd

SHA1
6e634a730e9888a3b252b8de883d14e50b89810a

SHA256
def66248793878aa7aac1fd256c8a3e64de92f5502d79c220afdc56e5b6f074d

SHA512
e7e562d7dd2a1f8c2e1ccbcc7c2b183c06a37741ae764b3c6476d056bb00c9febf480869c8551806de0fe6ae70c9dc285c06ece18b2290b863ef625e24f090d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
307B

MD5
bf4a47232dd3b62ca6f06058563d6bec

SHA1
98da204ba28a38fe1dbf690d21a3140f10e308d6

SHA256
6b33fd2692f0ef8612f2bb1a8bc8e47ad96b8807e8fbe952d19f50eb774f2270

SHA512
fdc006c5f436d0713fd8262a2203decfc917b6abbc9b9d6c4c6fbaee9ef0456aed4ebd42869f3084f677071e629a793db4256b7d4a5b7d89c171d3b824073c73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2916-7-0x00007FF84CE10000-0x00007FF84D005000-memory.dmp

Filesize
2.0MB

Download
memory/2916-8-0x00007FF84CE10000-0x00007FF84D005000-memory.dmp

Filesize
2.0MB

Download
memory/2916-6-0x00007FF84CE10000-0x00007FF84D005000-memory.dmp

Filesize
2.0MB

Download
memory/2916-9-0x00007FF84CE10000-0x00007FF84D005000-memory.dmp

Filesize
2.0MB

Download
memory/2916-10-0x00007FF80A720000-0x00007FF80A730000-memory.dmp

Filesize
64KB

Download
memory/2916-12-0x00007FF84CE10000-0x00007FF84D005000-memory.dmp

Filesize
2.0MB

Download
memory/2916-11-0x00007FF84CE10000-0x00007FF84D005000-memory.dmp

Filesize
2.0MB

Download
memory/2916-13-0x00007FF84CE10000-0x00007FF84D005000-memory.dmp

Filesize
2.0MB

Download
memory/2916-14-0x00007FF84CE10000-0x00007FF84D005000-memory.dmp

Filesize
2.0MB

Download
memory/2916-15-0x00007FF80A720000-0x00007FF80A730000-memory.dmp

Filesize
64KB

Download
memory/2916-28-0x00007FF84CE10000-0x00007FF84D005000-memory.dmp

Filesize
2.0MB

Download
memory/2916-0-0x00007FF80CE90000-0x00007FF80CEA0000-memory.dmp

Filesize
64KB

Download
memory/2916-4-0x00007FF80CE90000-0x00007FF80CEA0000-memory.dmp

Filesize
64KB

Download
memory/2916-5-0x00007FF80CE90000-0x00007FF80CEA0000-memory.dmp

Filesize
64KB

Download
memory/2916-75-0x00007FF84CE10000-0x00007FF84D005000-memory.dmp

Filesize
2.0MB

Download
memory/2916-1-0x00007FF80CE90000-0x00007FF80CEA0000-memory.dmp

Filesize
64KB

Download
memory/2916-2-0x00007FF80CE90000-0x00007FF80CEA0000-memory.dmp

Filesize
64KB

Download
memory/2916-3-0x00007FF84CEAD000-0x00007FF84CEAE000-memory.dmp

Filesize
4KB

Download
memory/2916-328-0x00007FF80CE90000-0x00007FF80CEA0000-memory.dmp

Filesize
64KB

Download
memory/2916-329-0x00007FF80CE90000-0x00007FF80CEA0000-memory.dmp

Filesize
64KB

Download
memory/2916-330-0x00007FF80CE90000-0x00007FF80CEA0000-memory.dmp

Filesize
64KB

Download
memory/2916-331-0x00007FF80CE90000-0x00007FF80CEA0000-memory.dmp

Filesize
64KB

Download
memory/2916-332-0x00007FF84CE10000-0x00007FF84D005000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads