e763827e8385a621c0c28456d7c3fd0393b01d542b52a2b18bd5061492b97662

General

Target

SWIFT COPY 2.docx
Size

459KB
MD5

fd1963efc96cae15689f5e7eb9664b4b
SHA1

b4b13fc72a4bab883ae9ec4efc84cfe48c6b8d8a
SHA256

e763827e8385a621c0c28456d7c3fd0393b01d542b52a2b18bd5061492b97662
SHA512

50f91dba0d6180e02b8b1d5345ae024c9ed24666fb6c54e22798da122276dd1e1e85a43126826d9456e4db5e21fb762e9797d50f323cf498807d860935c04992
SSDEEP

6144:kMlcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdrJ9tmYLk:/ARtUVhpr/rqIXt9mrm9Bt2mhW8G0YX

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4604	WINWORD.EXE
4604	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4604	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4604	WINWORD.EXE
4604	WINWORD.EXE
4604	WINWORD.EXE
4604	WINWORD.EXE
4604	WINWORD.EXE
4604	WINWORD.EXE
4604	WINWORD.EXE
4604	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SWIFT COPY 2.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\EN7nq8lm3v7yww0[1].doc

Filesize
920KB

MD5
7dcb918d1d06064ea8ac517cf90113cb

SHA1
d669c4f7b46d0ec5ef9d66bb8aa5a650913c9e4b

SHA256
4a1ca6523f044927f03a353dca5742012370035ee216214bb8f0342ed113763c

SHA512
cb3b4ab3281f9018d52f635843abb72b962ae158adf7cbb020986cf05aae9a506234090c6cd0d39adefbc3cd2becbe3ec19b11ae59e934cdafbf260b68a5aec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD962A.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
391B

MD5
1215afd54695e52a20a045b775cbae78

SHA1
c81b17fedb32b8a813a215b7844f5b043d8b0474

SHA256
f4ac9c1edc04b97113a0cdd7bf5e9a87c77ef879658730c7f71d3bc7d5d009c7

SHA512
17a0992a09dff2153a144e72fb9b5b778283bbbfb44eb722d5ab81c99ca12dfdf6c8d11185f788bc19f4f666fb33df4f51a009d580b66bfc9e07d570816f9784

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
95034419bf82f53c7f5e303f514b215c

SHA1
8e153c0907944b4af9903b75b59b7a1272763919

SHA256
2a8a73abc44c7abc3a4496d2acd270a1a4124a59aeb751ec884cd4f732216839

SHA512
08c2b5f6afb836134c0e400c81296d0d7947ee9ef3033453861950abd27273ce530f9457a070212a056a9df81e1efa519b57c99b59d8f8330fe7c87182a4e6ed

Download Submit
memory/4604-13-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-6-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-7-0x00007FFBA3230000-0x00007FFBA3240000-memory.dmp

Filesize
64KB

Download
memory/4604-9-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-10-0x00007FFBA1180000-0x00007FFBA1190000-memory.dmp

Filesize
64KB

Download
memory/4604-12-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-11-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-8-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-14-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-15-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-17-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-19-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-21-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-20-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-18-0x00007FFBA1180000-0x00007FFBA1190000-memory.dmp

Filesize
64KB

Download
memory/4604-16-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-5-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-0-0x00007FFBA3230000-0x00007FFBA3240000-memory.dmp

Filesize
64KB

Download
memory/4604-78-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-2-0x00007FFBA3230000-0x00007FFBA3240000-memory.dmp

Filesize
64KB

Download
memory/4604-66-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-67-0x00007FFBE324D000-0x00007FFBE324E000-memory.dmp

Filesize
4KB

Download
memory/4604-69-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-73-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-72-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-71-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-70-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-68-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-4-0x00007FFBA3230000-0x00007FFBA3240000-memory.dmp

Filesize
64KB

Download
memory/4604-77-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-76-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-75-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-74-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-82-0x00007FFBE31B0000-0x00007FFBE33A5000-memory.dmp

Filesize
2.0MB

Download
memory/4604-3-0x00007FFBA3230000-0x00007FFBA3240000-memory.dmp

Filesize
64KB

Download
memory/4604-1-0x00007FFBE324D000-0x00007FFBE324E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads