f47ed185c87184f8f9b70ecae8bc0bcbfbba601ca52478f5cff1ae0c0f5a56a3

General

Target

dukas022.docx
Size

93KB
MD5

8a0aac20ae081eea8420993173c312ea
SHA1

3b7a41204fae477566a0e04d284064de189b84d3
SHA256

f47ed185c87184f8f9b70ecae8bc0bcbfbba601ca52478f5cff1ae0c0f5a56a3
SHA512

d814bea11ce52dd4e21c83342e0fdd7b14f12ff963d018fb9f05b1ced53fc0c6585ccc42e0c9b5fb85b2a63f991c497986da9ce3b7c7495d70e6d872cdc2063e
SSDEEP

1536:TIzw/hgP0QF6smQKEMzqsQtrm5rbXkvMtLQ6j7jfmMIGSzyn5ivkSVkkKLkJe+VI:80Q8hjOXIrbXyMtE6j/EfvkS8LrcI

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3992	WINWORD.EXE
3992	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3992	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dukas022.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I0E3LJN0\duk[1].doc

Filesize
612KB

MD5
0b98de8b03f4f26b25888b58c19dcaab

SHA1
dcb036ae76f9a236383f1192d94eb7c6c6fa3bd2

SHA256
d25624c26e85dccb4512e601ede7c1617e41b3aa26cc50649123e3ef04ad3071

SHA512
e400a10959c9edbf7d9a78ff5b803303f7e514e1ab1c2e724d9ef594d7185504610dc651e0dabbee0fff2743d5ba91948bbec5a7ed3bb91f4072397683a45bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD130D.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
369B

MD5
96ce2cad8ada7bd79dd072f3c6d5b723

SHA1
8cba7f68ea93833d613cc6829798fddb76e5d3fc

SHA256
74a73ece4b6f7095636433a1cfe6fa0fe7be887e060616798772e79a722c9ddc

SHA512
8ba307455d8bcfbe824270e1417d2053187ed6f100bcc30e12feaa3f97d69ab71848c8f39ddae9f50f1ac1dfb010e0bd6b5353e3d1092c1f16e380601d00bbf0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
ae74e06eb7c7e906590e68e04600e27e

SHA1
6d1c10e8f5c3966dc1cd8dcd1019cb6782fb2cfc

SHA256
9519ce8a228712df91fdaea0ab31b37352d433f6d522debea6ce01162abc7182

SHA512
ace807ecea0129b7bc2a8ebb8f6a8544dac607791206a9954cbfc02618f08b0dcebc3277d440ffdae06e0031dc010075900d79eefcdf216b2c33a0937ccb050f

Download Submit
memory/3992-12-0x00007FF9442D0000-0x00007FF9442E0000-memory.dmp

Filesize
64KB

Download
memory/3992-1-0x00007FF946B70000-0x00007FF946B80000-memory.dmp

Filesize
64KB

Download
memory/3992-9-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-11-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-0-0x00007FF946B70000-0x00007FF946B80000-memory.dmp

Filesize
64KB

Download
memory/3992-10-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-14-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-15-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-16-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-13-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-8-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-7-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-17-0x00007FF9442D0000-0x00007FF9442E0000-memory.dmp

Filesize
64KB

Download
memory/3992-5-0x00007FF986B8D000-0x00007FF986B8E000-memory.dmp

Filesize
4KB

Download
memory/3992-3-0x00007FF946B70000-0x00007FF946B80000-memory.dmp

Filesize
64KB

Download
memory/3992-6-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-2-0x00007FF946B70000-0x00007FF946B80000-memory.dmp

Filesize
64KB

Download
memory/3992-82-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-83-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-84-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-89-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-88-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-87-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-86-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-85-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-4-0x00007FF946B70000-0x00007FF946B80000-memory.dmp

Filesize
64KB

Download
memory/3992-233-0x00007FF946B70000-0x00007FF946B80000-memory.dmp

Filesize
64KB

Download
memory/3992-234-0x00007FF946B70000-0x00007FF946B80000-memory.dmp

Filesize
64KB

Download
memory/3992-236-0x00007FF946B70000-0x00007FF946B80000-memory.dmp

Filesize
64KB

Download
memory/3992-235-0x00007FF946B70000-0x00007FF946B80000-memory.dmp

Filesize
64KB

Download
memory/3992-237-0x00007FF986AF0000-0x00007FF986CE5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads