54e1e5dc9f8e05a1c50db911ba70f68091c7ac540fd8082deb51380f27ff0201

General

Target

d9847123b526161e5454f0b6ba07218041ccc47e15171972c3d04d681a1bfba0.rtf
Size

81KB
MD5

afb14dcb82dbb041183e8d492c415a13
SHA1

6e75ff4e6d06c9824d9a9b50061d22c21f7d659f
SHA256

d9847123b526161e5454f0b6ba07218041ccc47e15171972c3d04d681a1bfba0
SHA512

f5adb4a97c5d6bc8a8102c70b2bc3f4b05bc5ea1acbeae6457d654510d46cbeb3018880e64c487ebeaee89978827871f951e025220bed25bbddfb1ae5b6e0ac8
SSDEEP

384:Ghvwphf2vHXsv6kBBZK9llGuaPJ4QmwhzofOQT6pLcdYa9eyDAPI/uVOP8d465Q7:Ghxv8LB0MJwwSfOQOO1eyDAA/kdJg

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2156	WINWORD.EXE
2156	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2156	WINWORD.EXE
2156	WINWORD.EXE
2156	WINWORD.EXE
2156	WINWORD.EXE
2156	WINWORD.EXE
2156	WINWORD.EXE
2156	WINWORD.EXE
2156	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d9847123b526161e5454f0b6ba07218041ccc47e15171972c3d04d681a1bfba0.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD17DB.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
45315435c6bf0f37bde3c049c51f7155

SHA1
2fa6fc323bfaabf05dfab29c3d82810a244c92b6

SHA256
4100b66790b415e0ba35319e8e268901f0ad3f9a73de90e1c855be4854999462

SHA512
17ea369d886336ec362f53a22ff73ecc36514006ffa7ac94cea5d1e4ed2e76b36cd9151b1855214f4f45ea77f50ac8d41cceda54c6c1f73098935a5d6083f051

Download Submit
memory/2156-17-0x00007FFE46EB0000-0x00007FFE46EC0000-memory.dmp

Filesize
64KB

Download
memory/2156-11-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-6-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download
memory/2156-5-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-9-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-8-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-7-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download
memory/2156-12-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-13-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-15-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-14-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-2-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download
memory/2156-16-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-4-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-18-0x00007FFE46EB0000-0x00007FFE46EC0000-memory.dmp

Filesize
64KB

Download
memory/2156-10-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-0-0x00007FFE8982D000-0x00007FFE8982E000-memory.dmp

Filesize
4KB

Download
memory/2156-38-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-39-0x00007FFE8982D000-0x00007FFE8982E000-memory.dmp

Filesize
4KB

Download
memory/2156-40-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-41-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-3-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download
memory/2156-1-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download
memory/2156-397-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download
memory/2156-398-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Filesize
2.0MB

Download
memory/2156-396-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download
memory/2156-395-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download
memory/2156-394-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads