df9f9bed6685eeba38defa87a755a0c8120f7b572094368e3aef41829039980d

General

Target

factura.rtf
Size

11KB
MD5

05c137d8e79ce59ed6e4b7cd78e5b8a2
SHA1

3a41de3774b6a17a34a8bedf1a0881a3f08d492d
SHA256

5a31c77293af2920d7020d5d0236691adcea2c57c2716658ce118a5cba9d4913
SHA512

46551cb4556183b6d5e4fe20e1d2f916c9e50f109f1bec69cc3abce295d1be138c0dadc69ab7a510d4e29e59656b47b1d36a486c1e68d71c776271ff1ef58aa3
SSDEEP

192:TMv9/nrxOgNIVk04Pre4VqPuc+17rf14g/gjXKSDxX8VxrdPJH:Yv9/rsok+Prz1dZKXDsjtJH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

WINWORD.EXE

pid process

4584 WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4584 WINWORD.EXE
4584 WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4584 wrote to memory of 4932	4584	WINWORD.EXE	splwow64.exe
PID 4584 wrote to memory of 4932	4584	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\factura.rtf" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDD0E2.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp

Filesize
61KB

MD5
a565cbbe27d6aab55d4823025a4917df

SHA1
3fe429115b0a2bedd01a5cf44849d8db9223def6

SHA256
ad6025b90592b5be04a4dd28709f1a09552bbd0c17e58c529832649c944140f9

SHA512
52d42ab6441002c75c763928c6873d7a6febec4b412af5ef4e07b680748c7f33c93ca2f7b7fc3b68087cc59fd05854832e501143a3059d17fa5d34c353336340

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
a3098d0a27ca09967b411e12e20ad851

SHA1
d4570de8e5fa6e68f06f71d63633e3c640fa71da

SHA256
83981af507d86fd8987810bfc6fde2ee31d250e52ee2dabc71e86fa242f0d24c

SHA512
bf93b1ec0853fd2414592ac073144eabe0e253bc19970d9dd83624e00b8a17ccc848c84c84159d74ecef34c3ca003db1e396a6069deca25831917e4cc129e9a6

Download Submit
memory/4584-16-0x00007FFEF2090000-0x00007FFEF2285000-memory.dmp

Filesize
2.0MB

Download
memory/4584-17-0x00007FFEF2090000-0x00007FFEF2285000-memory.dmp

Filesize
2.0MB

Download
memory/4584-9-0x00007FFEF2090000-0x00007FFEF2285000-memory.dmp

Filesize
2.0MB

Download
memory/4584-11-0x00007FFEF2090000-0x00007FFEF2285000-memory.dmp

Filesize
2.0MB

Download
memory/4584-10-0x00007FFEF2090000-0x00007FFEF2285000-memory.dmp

Filesize
2.0MB

Download
memory/4584-12-0x00007FFEF2090000-0x00007FFEF2285000-memory.dmp

Filesize
2.0MB

Download
memory/4584-14-0x00007FFEF2090000-0x00007FFEF2285000-memory.dmp

Filesize
2.0MB

Download
memory/4584-15-0x00007FFEAFCD0000-0x00007FFEAFCE0000-memory.dmp

Filesize
64KB

Download
memory/4584-3-0x00007FFEB2110000-0x00007FFEB2120000-memory.dmp

Filesize
64KB

Download
memory/4584-13-0x00007FFEF2090000-0x00007FFEF2285000-memory.dmp

Filesize
2.0MB

Download
memory/4584-18-0x00007FFEF2090000-0x00007FFEF2285000-memory.dmp

Filesize
2.0MB

Download
memory/4584-5-0x00007FFEB2110000-0x00007FFEB2120000-memory.dmp

Filesize
64KB

Download
memory/4584-8-0x00007FFEF2090000-0x00007FFEF2285000-memory.dmp

Filesize
2.0MB

Download
memory/4584-7-0x00007FFEF2090000-0x00007FFEF2285000-memory.dmp

Filesize
2.0MB

Download
memory/4584-6-0x00007FFEF2090000-0x00007FFEF2285000-memory.dmp

Filesize
2.0MB

Download
memory/4584-19-0x00007FFEAFCD0000-0x00007FFEAFCE0000-memory.dmp

Filesize
64KB

Download
memory/4584-1-0x00007FFEB2110000-0x00007FFEB2120000-memory.dmp

Filesize
64KB

Download
memory/4584-34-0x00007FFEF2090000-0x00007FFEF2285000-memory.dmp

Filesize
2.0MB

Download
memory/4584-2-0x00007FFEF212D000-0x00007FFEF212E000-memory.dmp

Filesize
4KB

Download
memory/4584-4-0x00007FFEB2110000-0x00007FFEB2120000-memory.dmp

Filesize
64KB

Download
memory/4584-0-0x00007FFEB2110000-0x00007FFEB2120000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads