576a6dbf6587252004da5e3d04f425486ae7aa91fa0ffeab1982d7d899482572

General

Target

d040e890b58aad20ff1c101a2b4ff4e90b1d18f835cb223a4a8ce4ee13a1f99e.docx
Size

13KB
MD5

e9fb71dd600d96ec09b6aa7143b43a67
SHA1

aa37c5659c8edde33a52a74e91b461e27295c6ff
SHA256

d040e890b58aad20ff1c101a2b4ff4e90b1d18f835cb223a4a8ce4ee13a1f99e
SHA512

9f3e20d1bea9e18cb48bded4a6be00da870781aa73a5c6058f791f2966816b22b7974278b9bd3c362e2a774a17417ea40f646ea52d0b4fd213a305f17537d6ca
SSDEEP

192:Rg3VYycpU9JNf9WV8JYQnPZXutEzSPBkiOS0XZE4M//FYywPJA//YT:Rg3V1cpUTWSJYAx+Q45gpLEYyd/AT

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1480	WINWORD.EXE
1480	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	1480	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1480	WINWORD.EXE
1480	WINWORD.EXE
1480	WINWORD.EXE
1480	WINWORD.EXE
1480	WINWORD.EXE
1480	WINWORD.EXE
1480	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d040e890b58aad20ff1c101a2b4ff4e90b1d18f835cb223a4a8ce4ee13a1f99e.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EA2BE68E.dat

Filesize
1KB

MD5
a19e3005f2cf4408c6a0ef18419fd9cf

SHA1
2b2fe21480eae6c5bbc3bdc736e1186815fecffc

SHA256
01188acaff9047e8b0e6293aa34350f74b8b27f425323323b3ebd16e0284a26e

SHA512
f2c3dcc37e1868612cf73c976385c00d11c0b52db3846ab8a19d2fdf9cc0a0ec9e704da7607bb56076de7c57743f581d4ba56924994a89e692d20fe16b7ee7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD20AC.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
2ae85d5e581077da65cc68e1df51748c

SHA1
a777425a34cdf9565c261d1420630516709e3a96

SHA256
f091f2314ec52f20659fdce445826281f78ce12753060ece8edbfcdef5ed3ee2

SHA512
eaa31ac97d3006dbb2d761e40db250e4675d7a7701508ac2abae001eccb0367e05b3d4733071cddcaa7edb46b00135c63bf1c13ada67ebf019809e722ca81dc5

Download Submit
memory/1480-8-0x00007FFE2AA90000-0x00007FFE2AC85000-memory.dmp

Filesize
2.0MB

Download
memory/1480-14-0x00007FFE2AA90000-0x00007FFE2AC85000-memory.dmp

Filesize
2.0MB

Download
memory/1480-5-0x00007FFDEAB10000-0x00007FFDEAB20000-memory.dmp

Filesize
64KB

Download
memory/1480-9-0x00007FFE2AA90000-0x00007FFE2AC85000-memory.dmp

Filesize
2.0MB

Download
memory/1480-0-0x00007FFDEAB10000-0x00007FFDEAB20000-memory.dmp

Filesize
64KB

Download
memory/1480-7-0x00007FFE2AA90000-0x00007FFE2AC85000-memory.dmp

Filesize
2.0MB

Download
memory/1480-6-0x00007FFE2AA90000-0x00007FFE2AC85000-memory.dmp

Filesize
2.0MB

Download
memory/1480-11-0x00007FFE2AA90000-0x00007FFE2AC85000-memory.dmp

Filesize
2.0MB

Download
memory/1480-13-0x00007FFE2AA90000-0x00007FFE2AC85000-memory.dmp

Filesize
2.0MB

Download
memory/1480-12-0x00007FFE2AA90000-0x00007FFE2AC85000-memory.dmp

Filesize
2.0MB

Download
memory/1480-16-0x00007FFE2AA90000-0x00007FFE2AC85000-memory.dmp

Filesize
2.0MB

Download
memory/1480-17-0x00007FFE2AA90000-0x00007FFE2AC85000-memory.dmp

Filesize
2.0MB

Download
memory/1480-15-0x00007FFDE8590000-0x00007FFDE85A0000-memory.dmp

Filesize
64KB

Download
memory/1480-4-0x00007FFDEAB10000-0x00007FFDEAB20000-memory.dmp

Filesize
64KB

Download
memory/1480-10-0x00007FFE2AA90000-0x00007FFE2AC85000-memory.dmp

Filesize
2.0MB

Download
memory/1480-18-0x00007FFDE8590000-0x00007FFDE85A0000-memory.dmp

Filesize
64KB

Download
memory/1480-3-0x00007FFE2AB2D000-0x00007FFE2AB2E000-memory.dmp

Filesize
4KB

Download
memory/1480-62-0x00007FFE2AA90000-0x00007FFE2AC85000-memory.dmp

Filesize
2.0MB

Download
memory/1480-2-0x00007FFDEAB10000-0x00007FFDEAB20000-memory.dmp

Filesize
64KB

Download
memory/1480-1-0x00007FFDEAB10000-0x00007FFDEAB20000-memory.dmp

Filesize
64KB

Download
memory/1480-261-0x00007FFDEAB10000-0x00007FFDEAB20000-memory.dmp

Filesize
64KB

Download
memory/1480-262-0x00007FFDEAB10000-0x00007FFDEAB20000-memory.dmp

Filesize
64KB

Download
memory/1480-264-0x00007FFDEAB10000-0x00007FFDEAB20000-memory.dmp

Filesize
64KB

Download
memory/1480-263-0x00007FFDEAB10000-0x00007FFDEAB20000-memory.dmp

Filesize
64KB

Download
memory/1480-265-0x00007FFE2AA90000-0x00007FFE2AC85000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads