5de1378264acf7c2476c921237f77e32cce1db126ef09e9ff7ff9c2d65492892

General

Target

Order list.docx
Size

264KB
MD5

4115f6dbb0506ef0d0456fb5af4d15e3
SHA1

4a60662c298bb379b0caf6f01ba4d008dc26d47c
SHA256

5de1378264acf7c2476c921237f77e32cce1db126ef09e9ff7ff9c2d65492892
SHA512

303c47aae9ebf90278cefa92876526baeceee257a18d2540b629700229b4dd88065ce8b0161a9d7d84c1f46fefebf2835369deb67fa935c5084c798a81145d3f
SSDEEP

6144:IOu2KODqCLYDJQGhFT+2diEFyhieKnymDX:I52KoqMYDfhR+6EiXyE

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3224	WINWORD.EXE
3224	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3224	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3224	WINWORD.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order list.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4A3B05B1.emf

Filesize
1.2MB

MD5
082e8fbe73d98fd6c861150ef1fc0905

SHA1
c91eccf6c9a73b74d9d1442eb72a8d6f650edc64

SHA256
574ef96fef6b764d4047bb2d714ab5d753ec81e87bc9f5ad1526db74446e3b13

SHA512
afee4534199071801e19ae9d8e57b396989746e3f9d7081337b85b4b2108625849364bd04afba41261cc731bd54a83d8269a5ef74ee1878b157628c34240e751

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\feelniceforgivenmegreatthingstobegreatforgetbacknicepictureofmygirlfrinedwhoreallylovedeveryonetogetmebackwithherlifesheisbeauty______nicegirliseenforeverme[1].doc

Filesize
97KB

MD5
2db98a27e71fef64135ce5e259d5a8c4

SHA1
c56c7928e5be5938ca7d958ebb03d3544b05ecdb

SHA256
a237c08add2ea84614fdf51181abd922b15e53b01673b06509578f4e3ba301bd

SHA512
64c1abcb9304ee96bedca9bcafaa29f2be0c0cdcf08cab69e0b11531e16e612ab8f451e8259cebd55c2d4e4e12565912b5579b61102f1cebea97f5bd58cd2cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDED08.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
300B

MD5
e49fe4d6705bee9270eee3788881882b

SHA1
a0e60ce0ac94018b6319970e10b8171feddb555c

SHA256
f40a311617833f79c67433699791bff7a50ebb4da7ce0e7e960a2370c11e24d7

SHA512
d1589131ef75de92630a8ebeb05fd7a5aee7778cae981697046dc11a5673aca8346beb1f932e8b3c922f847446969dd03c7f256776eba630508f054bc4cd2322

Download Submit
memory/3224-8-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-21-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-9-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-10-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-0-0x00007FFE4EA50000-0x00007FFE4EA60000-memory.dmp

Filesize
64KB

Download
memory/3224-7-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-11-0x00007FFE4C540000-0x00007FFE4C550000-memory.dmp

Filesize
64KB

Download
memory/3224-6-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-13-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-14-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-12-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-16-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-17-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-15-0x00007FFE4C540000-0x00007FFE4C550000-memory.dmp

Filesize
64KB

Download
memory/3224-18-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-2-0x00007FFE4EA50000-0x00007FFE4EA60000-memory.dmp

Filesize
64KB

Download
memory/3224-20-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-19-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-5-0x00007FFE4EA50000-0x00007FFE4EA60000-memory.dmp

Filesize
64KB

Download
memory/3224-3-0x00007FFE4EA50000-0x00007FFE4EA60000-memory.dmp

Filesize
64KB

Download
memory/3224-4-0x00007FFE4EA50000-0x00007FFE4EA60000-memory.dmp

Filesize
64KB

Download
memory/3224-86-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-88-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-87-0x00007FFE8EA6D000-0x00007FFE8EA6E000-memory.dmp

Filesize
4KB

Download
memory/3224-89-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-1-0x00007FFE8EA6D000-0x00007FFE8EA6E000-memory.dmp

Filesize
4KB

Download
memory/3224-600-0x00007FFE4EA50000-0x00007FFE4EA60000-memory.dmp

Filesize
64KB

Download
memory/3224-599-0x00007FFE4EA50000-0x00007FFE4EA60000-memory.dmp

Filesize
64KB

Download
memory/3224-601-0x00007FFE4EA50000-0x00007FFE4EA60000-memory.dmp

Filesize
64KB

Download
memory/3224-602-0x00007FFE4EA50000-0x00007FFE4EA60000-memory.dmp

Filesize
64KB

Download
memory/3224-603-0x00007FFE8E9D0000-0x00007FFE8EBC5000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads