7cc1f9b3600a2c34b40fe42117b8ed678eca91312730d8435def4b356037c680

General

Target

7cc1f9b3600a2c34b40fe42117b8ed678eca91312730d8435def4b356037c680.docm
Size

83KB
MD5

5c598af465c80c34768fb84ed8e5be07
SHA1

a112304563fc6aa0132f2f5d396c6438849a836a
SHA256

7cc1f9b3600a2c34b40fe42117b8ed678eca91312730d8435def4b356037c680
SHA512

0f6664e279645e2f2b39239afca6982c4d8c69e2fd2c80617897240fa37c9d2fa0e09b347655e505db54b70b8eb6f646fa1096fff76c8db470fcd251ada4b7b3
SSDEEP

1536:UX+WqQuctgdEmHVJZtQ1tSW+fIwMyPiEHB8nrdFIILILBZUymgicOXClW:I+X8YdDZFM0iISrdFjEBamdOCE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

radEE318.tmp.exe

pid	Process
5028	radEE318.tmp.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

radEE318.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	radEE318.tmp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid	Process
852	WINWORD.EXE
852	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid	Process
852	WINWORD.EXE
852	WINWORD.EXE
852	WINWORD.EXE
852	WINWORD.EXE
852	WINWORD.EXE
852	WINWORD.EXE
852	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	Process	procid_target
PID 852 wrote to memory of 5028	852	WINWORD.EXE	88
PID 852 wrote to memory of 5028	852	WINWORD.EXE	88
PID 852 wrote to memory of 5028	852	WINWORD.EXE	88

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7cc1f9b3600a2c34b40fe42117b8ed678eca91312730d8435def4b356037c680.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\radEE318.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\radEE318.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDE64F.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\radEE318.tmp.exe

Filesize
72KB

MD5
478827ae8aed91b877dbf1fb178eb7b6

SHA1
82f8f9e5eb9acf652dddd73f9a3b328ec0e76e9f

SHA256
9ff743bf5e93230cd77b6651ef9dd506c21dca7e07841de241db0f940b28c53e

SHA512
794ede00a1d332b09957624fc4070bf075c49247ce5ac0c923dfd5863a51bb183bfbfbaffa1c7a31a8d7e5287a61d4bbbe22acb38bd9bbcebf4623918c9d51fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
d8996e967cad9393edd79ebb7e2232ea

SHA1
066e3318dfacb367bb6ae8a0fb3b51ac5a26d35e

SHA256
a006858b733ca93a61d3e9a5ee5fa85bd46be37c8d64b99d26883f0033fb388e

SHA512
2b619c3aa4e0f6b0b2c0f3da1f2f05159be9382358bfa2fcccf3e30691107272e8ffe6e425961f2e086b00c241a92a306d307884f3ce8cefab8ff3bb3cfb1443

Download Submit
memory/852-6-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-13-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-0-0x00007FFAC1090000-0x00007FFAC10A0000-memory.dmp

Filesize
64KB

Download
memory/852-10-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-44-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-8-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-11-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-47-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-12-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-46-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-15-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-7-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-18-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-17-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-16-0x00007FFABE990000-0x00007FFABE9A0000-memory.dmp

Filesize
64KB

Download
memory/852-2-0x00007FFAC1090000-0x00007FFAC10A0000-memory.dmp

Filesize
64KB

Download
memory/852-9-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-3-0x00007FFB010AD000-0x00007FFB010AE000-memory.dmp

Filesize
4KB

Download
memory/852-14-0x00007FFABE990000-0x00007FFABE9A0000-memory.dmp

Filesize
64KB

Download
memory/852-45-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-38-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-35-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-49-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-5-0x00007FFAC1090000-0x00007FFAC10A0000-memory.dmp

Filesize
64KB

Download
memory/852-1-0x00007FFAC1090000-0x00007FFAC10A0000-memory.dmp

Filesize
64KB

Download
memory/852-64-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-65-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-66-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-67-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-68-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-4-0x00007FFAC1090000-0x00007FFAC10A0000-memory.dmp

Filesize
64KB

Download
memory/852-74-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/852-78-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download
memory/5028-63-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads