61f8e4e5644fe73fca16ac2bd69b9c4235510dbce70d1d7faf102134f869a2aa

General

Target

61f8e4e5644fe73fca16ac2bd69b9c4235510dbce70d1d7faf102134f869a2aa.docx
Size

84KB
MD5

4d1dda7b62796f1d78efc8081aed6e6a
SHA1

82bcec87e818bd0e56144c07c488bd063b27faad
SHA256

61f8e4e5644fe73fca16ac2bd69b9c4235510dbce70d1d7faf102134f869a2aa
SHA512

ca71010077f6337acf05e7badb6e8351e87aabdb98063f35cfdc0932767c0ebc56e74a93f72097cabfa13b2a1c37bb4dc16aa7e69518c31db067abb45a459f57
SSDEEP

1536:QItb7ih7kPw17kG1Tc2FjOpptOYN1TZhLdvV5brdSdA:QIt3ixkw17kcFOpptOYH99JV5brdSdA

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
856	WINWORD.EXE
856	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	856	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
856	WINWORD.EXE
856	WINWORD.EXE
856	WINWORD.EXE
856	WINWORD.EXE
856	WINWORD.EXE
856	WINWORD.EXE
856	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\61f8e4e5644fe73fca16ac2bd69b9c4235510dbce70d1d7faf102134f869a2aa.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CC1C246D.emf

Filesize
78KB

MD5
97f3291db00b29c1537f6faabfcf8983

SHA1
38ac80147123d212b5923160c7f29b93c25e885c

SHA256
6f6e805c9473d6b4c0aec3b082cbc7e782b6c56a4d0048ef5902bb3ed8a8965c

SHA512
ec3ccb5b3ab053968fa47048f6915de82e85bf1a4313eb479d34a9dbf4cd20ea059553c5f7407f8710da642f01356bc86411a10809575b286f43969d49a6cad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\gZTJU[1].htm

Filesize
3KB

MD5
13d05fa49ce698401220226338e3db02

SHA1
fc85534c4b31cbcc5b564b364f4e1c350ccfbffb

SHA256
774d99709d25ef7d59676ae618bccdda580001e0ffe60bd163ef9b0fc897f0c4

SHA512
79bc8e48cc0166ef17a3552edd6a24d1a6737b47d08776519e684852216cad78824e5debe447ce15fb228d83192d748f424cbe6657695a1c096ee5d21529d984

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD5B02.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
230B

MD5
866fa5b828f548309d98688ea074d377

SHA1
637cee85ab8ba27ba4062bc6c3492516bdfcbea1

SHA256
a084447f894a5040db5f15fa4a47f3c30adf739effe73f9a44194b9e79526b36

SHA512
355f15cf77c01bd1c2f8831ce43bf2df722a635e040fc426f7af7b6996992f9a388d35da2c659bd128ceaf7ec569320f090f3f8b26ba8f1561001c182bb9b606

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/856-9-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download
memory/856-7-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download
memory/856-5-0x00007FF7F9F70000-0x00007FF7F9F80000-memory.dmp

Filesize
64KB

Download
memory/856-12-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download
memory/856-14-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download
memory/856-13-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download
memory/856-16-0x00007FF7F7F10000-0x00007FF7F7F20000-memory.dmp

Filesize
64KB

Download
memory/856-15-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download
memory/856-17-0x00007FF7F7F10000-0x00007FF7F7F20000-memory.dmp

Filesize
64KB

Download
memory/856-11-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download
memory/856-10-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download
memory/856-0-0x00007FF7F9F70000-0x00007FF7F9F80000-memory.dmp

Filesize
64KB

Download
memory/856-8-0x00007FF7F9F70000-0x00007FF7F9F80000-memory.dmp

Filesize
64KB

Download
memory/856-6-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download
memory/856-4-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download
memory/856-1-0x00007FF839F8D000-0x00007FF839F8E000-memory.dmp

Filesize
4KB

Download
memory/856-95-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download
memory/856-2-0x00007FF7F9F70000-0x00007FF7F9F80000-memory.dmp

Filesize
64KB

Download
memory/856-102-0x00007FF839F8D000-0x00007FF839F8E000-memory.dmp

Filesize
4KB

Download
memory/856-103-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download
memory/856-104-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download
memory/856-3-0x00007FF7F9F70000-0x00007FF7F9F80000-memory.dmp

Filesize
64KB

Download
memory/856-614-0x00007FF7F9F70000-0x00007FF7F9F80000-memory.dmp

Filesize
64KB

Download
memory/856-617-0x00007FF7F9F70000-0x00007FF7F9F80000-memory.dmp

Filesize
64KB

Download
memory/856-616-0x00007FF7F9F70000-0x00007FF7F9F80000-memory.dmp

Filesize
64KB

Download
memory/856-615-0x00007FF7F9F70000-0x00007FF7F9F80000-memory.dmp

Filesize
64KB

Download
memory/856-618-0x00007FF839EF0000-0x00007FF83A0E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads