10c1a3d79d11e461f2611c49360b876f80ec20e2e39e14051a6bfa23c1b366a3

General

Target

0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b.doc
Size

2.3MB
MD5

3f326da2affb0f7f2a4c5c95ffc660cc
SHA1

f38abb67d47a4f69536ae67aa9c6df7287c08869
SHA256

0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b
SHA512

83b322f899801920604457910c262500490f518591d9d0eefaccec59db98b546c76cfc4c1ac7f2fb08253b1201d76c5d6eaf5600a6d3793c4f3cba16c1f8cd18
SSDEEP

24576:uguUgXlNGKIZyltJSR3PlRiBwlvQn5tNXw9OSTwbB3UGIpVoR1sLAXI3TYF+PXyx:unUgQWtIBlR7vQN3dBMRUXIDkCy

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\windowsupdateconf.lnk	expand.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4720	WINWORD.EXE
4720	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4720	WINWORD.EXE
4720	WINWORD.EXE
3392	Explorer.EXE
3392	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeAuditPrivilege	4720	WINWORD.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4720	WINWORD.EXE
4720	WINWORD.EXE
4720	WINWORD.EXE
4720	WINWORD.EXE
4720	WINWORD.EXE
4720	WINWORD.EXE
4720	WINWORD.EXE
4720	WINWORD.EXE
4720	WINWORD.EXE
4720	WINWORD.EXE
4720	WINWORD.EXE
4720	WINWORD.EXE
4720	WINWORD.EXE
4720	WINWORD.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3392	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 4700	4720	WINWORD.EXE	85
PID 4720 wrote to memory of 4700	4720	WINWORD.EXE	85
PID 4720 wrote to memory of 3392	4720	WINWORD.EXE	55
PID 4720 wrote to memory of 3392	4720	WINWORD.EXE	55
PID 4720 wrote to memory of 3392	4720	WINWORD.EXE	55
PID 3392 wrote to memory of 880	3392	Explorer.EXE	88
PID 3392 wrote to memory of 880	3392	Explorer.EXE	88
PID 3392 wrote to memory of 3868	3392	Explorer.EXE	98
PID 3392 wrote to memory of 3868	3392	Explorer.EXE	98
PID 3392 wrote to memory of 3868	3392	Explorer.EXE	98
PID 3392 wrote to memory of 3868	3392	Explorer.EXE	98
PID 3392 wrote to memory of 3868	3392	Explorer.EXE	98
PID 3392 wrote to memory of 3868	3392	Explorer.EXE	98

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:4700
- C:\Windows\system32\expand.exe
  expand "C:\Users\Admin\AppData\Local\Temp\WindowsUpdateConf.lnk" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdateConf.lnk"
  2⤵
  - Drops startup file
  PID:880
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe
  2⤵
  PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4A015293.wmf

Filesize
316B

MD5
fe97064665ebe15dd56dde1edd2df969

SHA1
fc1133b9d239822dc7e52d48b242dc5dedd3393f

SHA256
b7f0b658e073b348819687bef0a3971ceab0f29c4c405eb650936f32420cd0d8

SHA512
5b81d88df4a0627d51ce5b0cd3852b4a16299f099026d998763ea374b9f4a5b877faf25c5be1d9ccfb3223f079b382a027a99d82f862607e4455f7bb3fd365b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDD18C.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp

Filesize
4.2MB

MD5
12a92152437619caf02128c25c5a7ebb

SHA1
827d15bc7f471bb7df538cf609456eb0dd54c3d4

SHA256
f4a7f5311fa7d717509a181b2ec96ae70e22c0954e82f9062b422848dbcb27a2

SHA512
16d3298517cf046577885111822e3bf1f8a91dce20d57f0acbda33acccd33e44a81f5c2718775347bbdb551ca9c7299a58226c617f304e175d1aede32fd9e2f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
b24450650023d4fcab05c0f28b21c9d8

SHA1
95412fc9716f1f8026a64551f2e45af3f9b30ff3

SHA256
24496ee3788944ea5a561ceff7ffe2dd0dab69ce378a6b7e1483b540d305776d

SHA512
9abf4bf24242de6d899b120bae4b858c5409e9d2b41df287b1b87f2fd6e92e9ce7cf0609b9676f58ef44c9c9c27918fb8b1ab42baa3dd8ccc06960b17d35429e

Download Submit
C:\Wíndows\system32\wuaueng.dll

Filesize
227KB

MD5
490c885dc7ba0f32c07ddfe02a04bbb9

SHA1
294690c1aee8dc7723858dafcb2a0ed273296641

SHA256
829eceee720b0a3e505efbd3262c387b92abdf46183d51a50489e2b157dac3b1

SHA512
127f014d18b926433d56bfee85b350fe36cc26a1442ef8f16cf1c9e6cce95c2f83a8609b9d29e53b7b5617739f760ba4263bd6222870fd25309a16d46000d29c

Download Submit
\??\c:\users\admin\appdata\local\temp\windowsupdateconf.lnk

Filesize
846B

MD5
bb0573e16ce70c6f066bddeee50cc7c5

SHA1
4380db2be63facf65da611cbe2dcff4440ae4617

SHA256
c0630a7c05a151036724cf66fcfb0edf759c307a07a8393457e5d0b4266a6f7a

SHA512
735e7e686d4fc93cdbc8995ea96b8e879c499ec59b3d282e6e53e2f03ef558f5920cb5f028807d08d2cdf0109c9a1592d5a68ecdc0c9c0a3974637c12639bd71

Download Submit
memory/3392-115-0x0000000008CD0000-0x0000000008D52000-memory.dmp

Filesize
520KB

Download
memory/3392-121-0x0000000008CD0000-0x0000000008D52000-memory.dmp

Filesize
520KB

Download
memory/3392-447-0x0000000003370000-0x00000000033AC000-memory.dmp

Filesize
240KB

Download
memory/3392-453-0x00000000033B0000-0x00000000033D6000-memory.dmp

Filesize
152KB

Download
memory/3392-435-0x0000000008CD0000-0x0000000008D52000-memory.dmp

Filesize
520KB

Download
memory/3392-114-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/3392-123-0x0000000180000000-0x000000018001B000-memory.dmp

Filesize
108KB

Download
memory/3868-445-0x00000177B7C00000-0x00000177B7C54000-memory.dmp

Filesize
336KB

Download
memory/3868-442-0x00000177B7C00000-0x00000177B7C54000-memory.dmp

Filesize
336KB

Download
memory/3868-436-0x00000177B7C00000-0x00000177B7C54000-memory.dmp

Filesize
336KB

Download
memory/4720-7-0x00007FFE83050000-0x00007FFE83245000-memory.dmp

Filesize
2.0MB

Download
memory/4720-156-0x00007FFE83050000-0x00007FFE83245000-memory.dmp

Filesize
2.0MB

Download
memory/4720-10-0x00007FFE83050000-0x00007FFE83245000-memory.dmp

Filesize
2.0MB

Download
memory/4720-16-0x00007FFE408B0000-0x00007FFE408C0000-memory.dmp

Filesize
64KB

Download
memory/4720-11-0x00007FFE83050000-0x00007FFE83245000-memory.dmp

Filesize
2.0MB

Download
memory/4720-6-0x00007FFE83050000-0x00007FFE83245000-memory.dmp

Filesize
2.0MB

Download
memory/4720-0-0x00007FFE430D0000-0x00007FFE430E0000-memory.dmp

Filesize
64KB

Download
memory/4720-1-0x00007FFE430D0000-0x00007FFE430E0000-memory.dmp

Filesize
64KB

Download
memory/4720-155-0x00007FFE83050000-0x00007FFE83245000-memory.dmp

Filesize
2.0MB

Download
memory/4720-3-0x00007FFE830ED000-0x00007FFE830EE000-memory.dmp

Filesize
4KB

Download
memory/4720-4-0x00007FFE430D0000-0x00007FFE430E0000-memory.dmp

Filesize
64KB

Download
memory/4720-5-0x00007FFE430D0000-0x00007FFE430E0000-memory.dmp

Filesize
64KB

Download
memory/4720-8-0x00007FFE83050000-0x00007FFE83245000-memory.dmp

Filesize
2.0MB

Download
memory/4720-15-0x00007FFE408B0000-0x00007FFE408C0000-memory.dmp

Filesize
64KB

Download
memory/4720-9-0x00007FFE83050000-0x00007FFE83245000-memory.dmp

Filesize
2.0MB

Download
memory/4720-13-0x00007FFE83050000-0x00007FFE83245000-memory.dmp

Filesize
2.0MB

Download
memory/4720-12-0x00007FFE83050000-0x00007FFE83245000-memory.dmp

Filesize
2.0MB

Download
memory/4720-14-0x00007FFE83050000-0x00007FFE83245000-memory.dmp

Filesize
2.0MB

Download
memory/4720-2-0x00007FFE430D0000-0x00007FFE430E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads