f28711542218b72a926ac9490ad33798b52a9f7789c53c995c06d7fd3025a445

Reason

Machine shutdown

General

Target

EROOT.docx
Size

402KB
MD5

116b479d6ddd69cd6f3003fe7f3e680c
SHA1

38cfdaa2baed93be0c8a157327688b0d1218b0c5
SHA256

c3508f3a554f606adc2ee25736181c64fe6da8d351fd6cfb8a963af8f221189b
SHA512

7c3f193fd00338f7c10a04789423bceccadb46c627da13b0c75d942b847c26e014fe907142020525fd73f48bd55609521cb003d70570b724ba148422270f5fe5
SSDEEP

6144:LPVgB6IWj6F84miZquPsW5LlTfDxZshwkGpuBGYmbq/aMglTfDxZshwkGpuBGGtp:DVW6IWjOI+UWlxfAMuwYaMgxfAMuwSJ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4200	WINWORD.EXE
4200	WINWORD.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4200	WINWORD.EXE
4200	WINWORD.EXE
4200	WINWORD.EXE
4200	WINWORD.EXE
4200	WINWORD.EXE
4200	WINWORD.EXE
4200	WINWORD.EXE
4200	WINWORD.EXE
4200	WINWORD.EXE
4200	WINWORD.EXE
4200	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\EROOT.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDC623.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
bf23033f1d29c21e838dc70bd6bf3387

SHA1
0f1cf53af328a53aca0ac3888f4dfe9db4a0f422

SHA256
983bddcdbbf31fb2f22a7c9072ba14f8276e222255d4b8773070c25da79bc91f

SHA512
769a8e1f41adc781eed6236d3a40caf8c4063d62d55f101673a5adfe5e703c05af23a7105593d75b629bc74e34919d1a7d7ee8ae714350e2b4d777df1763d829

Download Submit
memory/4200-17-0x00007FFA98090000-0x00007FFA980A0000-memory.dmp

Filesize
64KB

Download
memory/4200-42-0x00007FFADA28D000-0x00007FFADA28E000-memory.dmp

Filesize
4KB

Download
memory/4200-8-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-9-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-18-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-4-0x00007FFA9A270000-0x00007FFA9A280000-memory.dmp

Filesize
64KB

Download
memory/4200-3-0x00007FFA9A270000-0x00007FFA9A280000-memory.dmp

Filesize
64KB

Download
memory/4200-2-0x00007FFA9A270000-0x00007FFA9A280000-memory.dmp

Filesize
64KB

Download
memory/4200-10-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-13-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-14-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-12-0x00007FFA98090000-0x00007FFA980A0000-memory.dmp

Filesize
64KB

Download
memory/4200-6-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-0-0x00007FFA9A270000-0x00007FFA9A280000-memory.dmp

Filesize
64KB

Download
memory/4200-7-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-20-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-23-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-22-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-21-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-19-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-15-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-11-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-41-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-16-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-43-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-44-0x00007FFADA1F0000-0x00007FFADA3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-5-0x00007FFA9A270000-0x00007FFA9A280000-memory.dmp

Filesize
64KB

Download
memory/4200-1-0x00007FFADA28D000-0x00007FFADA28E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads