2e866dc1f844a29e6b551e4a111147f05125d598cac2c5424fa0cc1a73ef07b8

General

Target

10072024_1503_09072024_HUGHUR343EDRFQ.docx
Size

16KB
MD5

830c2b82a06eeb1950161dc65f313bda
SHA1

01fd8522710ffd0635f2755dc93ca7b1485b0bae
SHA256

2e866dc1f844a29e6b551e4a111147f05125d598cac2c5424fa0cc1a73ef07b8
SHA512

f594cbe8a500bbe1e5cc59879af4c8a05a2da0ab2f3b2ae3f214c5793db82fe9109e7b5d28a56d925edb8c2564389bba7b72b482d9c6fc9ea85622ed2768968a
SSDEEP

384:WyXBnQPWys8PL8wi4OEwH8TIbE91r2fRyJYRvi49U1Gk:WcBUh5P3DOqnYJswvR9U1p

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1084	WINWORD.EXE
1084	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	1084	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\10072024_1503_09072024_HUGHUR343EDRFQ.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WZ04RUV6\may[1].doc

Filesize
474KB

MD5
0c8f476fd30221bed38c4a5e58bdcd53

SHA1
0d239a8ba1fb453758e497434e9c1012f39e58f7

SHA256
ebc1ebcbbb9138771433da50dbc388ad4947cc10f0825602160c4451a2d5af7b

SHA512
3bd55c06dbd04e595b07761f277f02d464f801feefe386fda9288a1f38e7a084990402b6c18abe562d7e75ca9ee272c5a76e4120f16fc70e4840e99d4503fa58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
419B

MD5
0b8be55a0068bf84529e7e86ca7dd97e

SHA1
9dae25bcabd620a02b630db1f7d7d979bbed7fe4

SHA256
f913d650932e2d75cdd8e86f7df8d7b416ac027ac119621289f54a4411b4e4c1

SHA512
dd55d21008a47693ae7d847167bbd99ff4b01d1fa064bcfee838450afb471390980fc9f9ffef1917cc3627eda2e75f673e9657a579b87b8c72e2091a00171dc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
c1ac3aa5b7688917e70e3db811044ebf

SHA1
c9a5411ac600b50bdb97e32a9f964e24c6361a8d

SHA256
69e3bbfd8f40275baabfd8888cb0d324f4e92eb61385b0c7ea8fe1d4893c1c50

SHA512
2083fb2ebf2f0101ba76e21f467024a7c34dc5ea7bbab444bece085979688d9ad5e3905bf7b38db5b9f3eacca9787b77a8dcfcb65ed1abd6509d771d767ab78f

Download Submit
memory/1084-8-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-17-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-5-0x00007FFAAD3D0000-0x00007FFAAD3E0000-memory.dmp

Filesize
64KB

Download
memory/1084-7-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-6-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-9-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-12-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-13-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-14-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-11-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-10-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-1-0x00007FFAAD3D0000-0x00007FFAAD3E0000-memory.dmp

Filesize
64KB

Download
memory/1084-16-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-4-0x00007FFAED3ED000-0x00007FFAED3EE000-memory.dmp

Filesize
4KB

Download
memory/1084-19-0x00007FFAAB180000-0x00007FFAAB190000-memory.dmp

Filesize
64KB

Download
memory/1084-20-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-21-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-18-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-15-0x00007FFAAB180000-0x00007FFAAB190000-memory.dmp

Filesize
64KB

Download
memory/1084-0-0x00007FFAAD3D0000-0x00007FFAAD3E0000-memory.dmp

Filesize
64KB

Download
memory/1084-2-0x00007FFAAD3D0000-0x00007FFAAD3E0000-memory.dmp

Filesize
64KB

Download
memory/1084-3-0x00007FFAAD3D0000-0x00007FFAAD3E0000-memory.dmp

Filesize
64KB

Download
memory/1084-73-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download
memory/1084-99-0x00007FFAAD3D0000-0x00007FFAAD3E0000-memory.dmp

Filesize
64KB

Download
memory/1084-98-0x00007FFAAD3D0000-0x00007FFAAD3E0000-memory.dmp

Filesize
64KB

Download
memory/1084-100-0x00007FFAAD3D0000-0x00007FFAAD3E0000-memory.dmp

Filesize
64KB

Download
memory/1084-101-0x00007FFAAD3D0000-0x00007FFAAD3E0000-memory.dmp

Filesize
64KB

Download
memory/1084-102-0x00007FFAED350000-0x00007FFAED545000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads