31300645371f90f83ca6aa058503fa7c2ba386f496ac181a6b287ba7ba1ea10e

General

Target

31300645371f90f83ca6aa058503fa7c2ba386f496ac181a6b287ba7ba1ea10e.doc
Size

1.9MB
MD5

1ee73b17111ab0ffb2f62690310f4ada
SHA1

3d3e2e367fe9b358bbb91e5cbcbe90250c220648
SHA256

31300645371f90f83ca6aa058503fa7c2ba386f496ac181a6b287ba7ba1ea10e
SHA512

811ecc63317c2636729026d95489f6f15053c2e52020a2260a7d6896f06aad39135b0194ddfc2bdd526ecb9d497cf3af90ce1c60b28ee4f2d39f2d14f67a4b36
SSDEEP

24576:j1NDbbUMbRNjy8lZ2UFRTHD/mrM1e6sBiNhaYQBFq:vDbJbvjynUyCpx

Score

7^/10

persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
2208	MicrosoftWordUpdater.log

Loads dropped DLL 1 IoCs

pid	Process
2208	MicrosoftWordUpdater.log

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{6F58F65F-EC0E-4ACA-99FE-FC5A1A25E4BE}	MicrosoftWordUpdater.log
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{6F58F65F-EC0E-4ACA-99FE-FC5A1A25E4BE}\ = "Language Components Installer"	MicrosoftWordUpdater.log
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{6F58F65F-EC0E-4ACA-99FE-FC5A1A25E4BE}\InProcServer32	MicrosoftWordUpdater.log
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{6F58F65F-EC0E-4ACA-99FE-FC5A1A25E4BE}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Synchronize\\vcruntime190.dll"	MicrosoftWordUpdater.log
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{6F58F65F-EC0E-4ACA-99FE-FC5A1A25E4BE}\InProcServer32\ThreadingModel = "Both"	MicrosoftWordUpdater.log

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4688	WINWORD.EXE
4688	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2208	MicrosoftWordUpdater.log
2208	MicrosoftWordUpdater.log
2208	MicrosoftWordUpdater.log
2208	MicrosoftWordUpdater.log

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4688	WINWORD.EXE
4688	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4688	WINWORD.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 3128	4688	WINWORD.EXE	87
PID 4688 wrote to memory of 3128	4688	WINWORD.EXE	87
PID 4688 wrote to memory of 2208	4688	WINWORD.EXE	90
PID 4688 wrote to memory of 2208	4688	WINWORD.EXE	90

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\31300645371f90f83ca6aa058503fa7c2ba386f496ac181a6b287ba7ba1ea10e.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3128
- C:\Users\Public\Documents\MicrosoftWordUpdater.log
  C:\Users\Public\Documents\MicrosoftWordUpdater.log
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Synchronize\synchronize.dll

Filesize
148KB

MD5
0f8727575a53207acf78fcd8260e11c0

SHA1
702f4d1f7e947c28f4b0c26dc98a45e7359d9338

SHA256
6fa56ab1ce0d4fc9db6422bff8caa38bea1bdb9abbe4a48ecfb364eb20c7ac1a

SHA512
cd6296eea2612cc7169b204abe94766fe04de909442a5a586a9a40d463b9483af744dfc167e158996db149217a5ad98044c1415205884d3799b2393cbdd393c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B19F0CD1.wmf

Filesize
370B

MD5
c04eb249161372b3ec1102a5f8a38a3e

SHA1
45a7e9fdf9235ee8fdac5bb244e515af89d05909

SHA256
0275daac1226b684ec9845ef32a71c7fd69b2b7cfdd0b27b727a27814626a78d

SHA512
7745cd58679985212ff951851e8a97d4cf856a23de90c57e516ece02f9dff196435b5f3058476632884ff3497b0c3eedd0cd7a73268908ffcab41fd6998aec6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDE401.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Public\Documents\MicrosoftWordUpdater.log

Filesize
327KB

MD5
0d1dca5eaad49c2dbd979e1bf0b5f8d0

SHA1
f21b1c8c4482392d69725025e82eddd313f48aad

SHA256
a250740948aba579462397ac95ff10e6b0ee952c2af7d9d726cbfde9da1eaaff

SHA512
50f5f10de2187e10bc40195b27d4652db7d3517b490b08acc17be4cf6b7e52dfe55b9d76d7aefddd36530c1c9e3aed10a76096d55d7ccee7ceaf2f5fcb94dde7

Download Submit
memory/4688-15-0x00007FFA76570000-0x00007FFA76765000-memory.dmp

Filesize
2.0MB

Download
memory/4688-17-0x00007FFA342C0000-0x00007FFA342D0000-memory.dmp

Filesize
64KB

Download
memory/4688-11-0x00007FFA76570000-0x00007FFA76765000-memory.dmp

Filesize
2.0MB

Download
memory/4688-8-0x00007FFA76570000-0x00007FFA76765000-memory.dmp

Filesize
2.0MB

Download
memory/4688-14-0x00007FFA76570000-0x00007FFA76765000-memory.dmp

Filesize
2.0MB

Download
memory/4688-13-0x00007FFA76570000-0x00007FFA76765000-memory.dmp

Filesize
2.0MB

Download
memory/4688-12-0x00007FFA342C0000-0x00007FFA342D0000-memory.dmp

Filesize
64KB

Download
memory/4688-0-0x00007FFA365F0000-0x00007FFA36600000-memory.dmp

Filesize
64KB

Download
memory/4688-7-0x00007FFA76570000-0x00007FFA76765000-memory.dmp

Filesize
2.0MB

Download
memory/4688-6-0x00007FFA76570000-0x00007FFA76765000-memory.dmp

Filesize
2.0MB

Download
memory/4688-18-0x00007FFA76570000-0x00007FFA76765000-memory.dmp

Filesize
2.0MB

Download
memory/4688-10-0x00007FFA76570000-0x00007FFA76765000-memory.dmp

Filesize
2.0MB

Download
memory/4688-16-0x00007FFA76570000-0x00007FFA76765000-memory.dmp

Filesize
2.0MB

Download
memory/4688-19-0x00007FFA76570000-0x00007FFA76765000-memory.dmp

Filesize
2.0MB

Download
memory/4688-9-0x00007FFA76570000-0x00007FFA76765000-memory.dmp

Filesize
2.0MB

Download
memory/4688-5-0x00007FFA7660D000-0x00007FFA7660E000-memory.dmp

Filesize
4KB

Download
memory/4688-4-0x00007FFA365F0000-0x00007FFA36600000-memory.dmp

Filesize
64KB

Download
memory/4688-3-0x00007FFA365F0000-0x00007FFA36600000-memory.dmp

Filesize
64KB

Download
memory/4688-1-0x00007FFA365F0000-0x00007FFA36600000-memory.dmp

Filesize
64KB

Download
memory/4688-119-0x00007FFA76570000-0x00007FFA76765000-memory.dmp

Filesize
2.0MB

Download
memory/4688-2-0x00007FFA365F0000-0x00007FFA36600000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads