4ba4a67aaf60917264c4f64c43c22d0ed7d53074624299cf07b87d62851f80dd

General

Target

protected_secret_fixed.docm
Size

161KB
MD5

1d0c026a0984cccfb9f07aedb04d0337
SHA1

f36c27957b250af1860fe999f410877a911d9524
SHA256

4ba4a67aaf60917264c4f64c43c22d0ed7d53074624299cf07b87d62851f80dd
SHA512

86d3100a63665eeef1b12d4b8289aa9da16717465774b99bf2eebea72717e01bd5589d03d352d4db615a9793a9c76a94c0f68463a97490fb68b102ade1748ac6
SSDEEP

3072:EW7lceF+nLrAu7yLzcHeDxFHVoF95nNZkEb6pATMvHs:5ltF+XAu2ntO9hNZxeSgvs

Score

10^/10

defense_evasion

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3420	4372	cmd.exe	80

Deobfuscate/Decode Files or Information 1 TTPs 2 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
2440	certutil.exe
4948	certutil.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4372	WINWORD.EXE
4372	WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4372	WINWORD.EXE
4372	WINWORD.EXE
4372	WINWORD.EXE
4372	WINWORD.EXE
4372	WINWORD.EXE
4372	WINWORD.EXE
4372	WINWORD.EXE
4372	WINWORD.EXE
4372	WINWORD.EXE
4372	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 3420	4372	WINWORD.EXE	83
PID 4372 wrote to memory of 3420	4372	WINWORD.EXE	83
PID 3420 wrote to memory of 2440	3420	cmd.exe	85
PID 3420 wrote to memory of 2440	3420	cmd.exe	85
PID 3420 wrote to memory of 4948	3420	cmd.exe	86
PID 3420 wrote to memory of 4948	3420	cmd.exe	86

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\protected_secret_fixed.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp.bat
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\system32\certutil.exe
    certutil -decode temp1 temp
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:2440
- - C:\Windows\system32\certutil.exe
    certutil -decode temp temp.exe
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

1

T1140

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp

Filesize
82KB

MD5
7e19c8086f59ab494ca8f5d52e19fe0c

SHA1
44bd9aebbd29fb4ca4be81b1b75e9c2e29ceac03

SHA256
98f13e98013b34ae843865c7c4672bc9d9868dcd315cced9c9222e319e3adc63

SHA512
51dd295eca2e40bb77d7bb0dd2987d675dce1cf4641da1212e0851cd9b5c7cb81ee4a2de4125298f40322bc90384de56e21551ce48fb0cdf349ade8710fd7f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.bat

Filesize
161B

MD5
944e1972f01701fd4bdcdb9c5210758b

SHA1
9d63f7db2553c05415519fd3013c6248eba3ab08

SHA256
c1aab18f1dbe2173e4939a086aaa870369ed13a3465d7bfd5d09c97572bc1023

SHA512
159787f81ccbc5d164ac8c56620b1960ed1ab4beee80d76930269abe6591cba521e9773806920cae202d68dacb626d434dd315a4c8064eea98b92e9832254ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp1

Filesize
110KB

MD5
046396839b84281c0c00b2706be3a1b1

SHA1
211fa8b46268916784acb6cd3594fd89ef386e6b

SHA256
a39341781e14ea387350773ddb26364a4e468bb9bc2a933b5edfe0ad5a910c1a

SHA512
7ad76c5ce7630aada621b819a1d250877e68001936518eb4434c1883fddd7bdc1e5c7d06a95dc1da388ae427699dc9c8506f7dbe346c920ea607d1e7968d22cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/4372-15-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-16-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-1-0x00007FFA2A083000-0x00007FFA2A084000-memory.dmp

Filesize
4KB

Download
memory/4372-8-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-9-0x00007FF9E7E50000-0x00007FF9E7E60000-memory.dmp

Filesize
64KB

Download
memory/4372-10-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-11-0x00007FF9E7E50000-0x00007FF9E7E60000-memory.dmp

Filesize
64KB

Download
memory/4372-12-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-13-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-0-0x00007FF9EA070000-0x00007FF9EA080000-memory.dmp

Filesize
64KB

Download
memory/4372-19-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-18-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-17-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-2-0x00007FF9EA070000-0x00007FF9EA080000-memory.dmp

Filesize
64KB

Download
memory/4372-14-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-21-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-22-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-52-0x00007FFA2A083000-0x00007FFA2A084000-memory.dmp

Filesize
4KB

Download
memory/4372-53-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-54-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-3-0x00007FF9EA070000-0x00007FF9EA080000-memory.dmp

Filesize
64KB

Download
memory/4372-7-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-6-0x00007FF9EA070000-0x00007FF9EA080000-memory.dmp

Filesize
64KB

Download
memory/4372-5-0x00007FFA29FE0000-0x00007FFA2A1E9000-memory.dmp

Filesize
2.0MB

Download
memory/4372-4-0x00007FF9EA070000-0x00007FF9EA080000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads