a515d869a75da322c87985158750d4e12f5556b0785379d558d778e3ef481eac

General

Target

a515d869a75da322c87985158750d4e12f5556b0785379d558d778e3ef481eac.doc
Size

36KB
MD5

e01f640fbceaf6a2584e49d047d89176
SHA1

75e0ecbfd3029a11dccecb682fffc45dbb60f2bd
SHA256

a515d869a75da322c87985158750d4e12f5556b0785379d558d778e3ef481eac
SHA512

11e5c2fd6b6068fbb8116684d904691d75ce7211d6c315c2e138baa8afc859c469b56c27a3e7ea151bef7fca9012d4e6f1b7dc23cd0634f2b35d12dd1a042d62
SSDEEP

384:wAMiS8px8SMDIdyK118MD32suJcXNBB3Su0jijm:d3y2yK3zD32JJcXLEud

Score

10^/10

macro macro_on_action

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2612	2884	WScript.exe	29

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x0007000000015dab-17.dat	office_macro_on_action

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.vbe	WINWORD.EXE

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2884	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2884	WINWORD.EXE
2884	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2612	2884	WINWORD.EXE	30
PID 2884 wrote to memory of 2612	2884	WINWORD.EXE	30
PID 2884 wrote to memory of 2612	2884	WINWORD.EXE	30
PID 2884 wrote to memory of 2612	2884	WINWORD.EXE	30
PID 2884 wrote to memory of 2068	2884	WINWORD.EXE	32
PID 2884 wrote to memory of 2068	2884	WINWORD.EXE	32
PID 2884 wrote to memory of 2068	2884	WINWORD.EXE	32
PID 2884 wrote to memory of 2068	2884	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a515d869a75da322c87985158750d4e12f5556b0785379d558d778e3ef481eac.doc"
1⤵
- Drops startup file
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.vbe"
  2⤵
  - Process spawned unexpected child process
  - Enumerates connected drives
  PID:2612
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.vbe

Filesize
1KB

MD5
b3ae7487667beac7edd4a7d0c19e61ba

SHA1
7daca93828c48c37bf2414f20ca5ccaf04b56f7d

SHA256
2ab9d2edb0855a80276c2ed821f9427d8ff87ee23cde0211d96b55faacfe1b8c

SHA512
1ce18cdbbb7fe830c3c78b41eb7862f15a919a1187846ea3f25f0071a26018a1600e78228aed1382387006e3b5e213bad5cdf8d214a7252418d1cf03c8ea3537

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sysrar.doc

Filesize
35KB

MD5
430bd48eaf3c24c495cf21ac41423687

SHA1
c1ad5f378bcc8749840f8d802c308f3f60f262e5

SHA256
78deb02ca875ca1baff357251187799659b1bdc09cb406e79c05c6437b80beca

SHA512
ddd8b1038967ebd1367a8513017cf3e9956946dc117e62e043d2e40733ff1e568a308a0f6f2d5e8c924ed13ad97947947842f8c56212f4a8d725c2d39294bd64

Download Submit
memory/2884-8-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/2884-7-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/2884-6-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/2884-5-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/2884-0-0x000000002FA41000-0x000000002FA42000-memory.dmp

Filesize
4KB

Download
memory/2884-4-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/2884-2-0x000000007181D000-0x0000000071828000-memory.dmp

Filesize
44KB

Download
memory/2884-19-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/2884-20-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/2884-23-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/2884-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2884-39-0x000000007181D000-0x0000000071828000-memory.dmp

Filesize
44KB

Download
memory/2884-40-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing