ba296aa6091ebd264a04676834bc32841307e9176f814b703b255ede301a524b

General

Target

0df947fb97839a1ad407667df1c19b277db26fde3954e6109ce70202102184d3.rtf
Size

83KB
MD5

61b061a48eb132e15884e4b53cf0401f
SHA1

0a8dfe6c53dd529299be6596b4fd0dad2e7aadc0
SHA256

0df947fb97839a1ad407667df1c19b277db26fde3954e6109ce70202102184d3
SHA512

5a1dc1b710942d267bf1fd68b9263e98772bb05349d3e6b77dfaeb5d84ebc544643dbedbe1fd5a9f1cf3221eae55b0a71df64c3c962fa0875bcbdbebfa7a5083
SSDEEP

768:yVeODj00VpwJYMEIKPalpyL+/9po1piuf:seOVVeJHEVilpyLyo14uf

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3544	WINWORD.EXE
3544	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0df947fb97839a1ad407667df1c19b277db26fde3954e6109ce70202102184d3.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDE858.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
83b7fffb57fe5962c0a2c18870491921

SHA1
3489ed24f600cb96d3f0eae738c6b56ad08ade02

SHA256
721133c1dbde772ed2b2281d2bdcdd43819687ce4c3c150fb4757403ec137081

SHA512
fa4b509234d86beb6fc74023b9d80fe33ee38bd9a5b400d996d5cad398bb337df7ca01359bc6b0a563d4a5f10e4b363721b8e9455db5334109a7b021b2781e64

Download Submit
memory/3544-14-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-314-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/3544-2-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/3544-0-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/3544-17-0x00007FFF10E50000-0x00007FFF10E60000-memory.dmp

Filesize
64KB

Download
memory/3544-7-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-9-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-10-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-12-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-11-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-13-0x00007FFF10E50000-0x00007FFF10E60000-memory.dmp

Filesize
64KB

Download
memory/3544-6-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-4-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/3544-1-0x00007FFF5302D000-0x00007FFF5302E000-memory.dmp

Filesize
4KB

Download
memory/3544-8-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-16-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-15-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-30-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-31-0x00007FFF5302D000-0x00007FFF5302E000-memory.dmp

Filesize
4KB

Download
memory/3544-32-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-5-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/3544-38-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-3-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/3544-18-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download
memory/3544-315-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/3544-317-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/3544-316-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

Filesize
64KB

Download
memory/3544-318-0x00007FFF52F90000-0x00007FFF53185000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads