27a37162f8f0baf5fe161825f8108f1f3e20bada83c2be08fe9919c60e4727b8

General

Target

Bank Swift Copy.docx
Size

459KB
MD5

3f9ae2b975cec92e0402d614cd2391a5
SHA1

43d41944021358bee6b6b48594d9c3f54fbaecd5
SHA256

27a37162f8f0baf5fe161825f8108f1f3e20bada83c2be08fe9919c60e4727b8
SHA512

1a14966056b58e84438309a1dea5ed4d5a6036b76cde5b0baec395d87bcfb2edf596bf9c201c0310847972f89c04c866f2008e938791b233ffb7042365222771
SSDEEP

6144:drlcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdwt9tmYL+:RARtUVhpr/rqIXg9mrm9Bt2mhW8G0Y1Z

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid	Process
3088	WINWORD.EXE
3088	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description	pid	Process
Token: SeAuditPrivilege	3088	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid	Process
3088	WINWORD.EXE
3088	WINWORD.EXE
3088	WINWORD.EXE
3088	WINWORD.EXE
3088	WINWORD.EXE
3088	WINWORD.EXE
3088	WINWORD.EXE
3088	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Bank Swift Copy.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\xXdquUOrM1vD3An[1].doc

Filesize
799KB

MD5
2087de574fefae441db7ced132da6407

SHA1
6d8b4083d71075be31068808232805ea486f77d8

SHA256
dc8ae41681fdf19abcf62b27b3d8359c32ba6f20bee1e24b7ce9b37d4faebe8b

SHA512
02ead1047af13379ee161c25e1db2c83033daf752629159b9c5836ed0c1d5f6436da73299d920cc10cefe6d4edd3272266d9b4f2088225bc434a53c20ba43ce9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
72B

MD5
5617b91c16ea99a0f3041eff7cbecf35

SHA1
bbf184de7592e808a38354e44de620cfb59d098c

SHA256
bc125e2e9ce2977b0182287efe15d8d2a4845b78d99bd93363e9c2fd26e987f2

SHA512
033fe7d64e797037eb02024de68d34125c7ebba95faa61ee6920be5acbc86837467897603fc7884089fb514503fec78987453a5b58196b5504d5e3089cb16758

Download Submit
memory/3088-14-0x00007FFD2C550000-0x00007FFD2C560000-memory.dmp

Filesize
64KB

Download
memory/3088-4-0x00007FFD2E970000-0x00007FFD2E980000-memory.dmp

Filesize
64KB

Download
memory/3088-16-0x00007FFD6E8F0000-0x00007FFD6EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3088-6-0x00007FFD6E8F0000-0x00007FFD6EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3088-7-0x00007FFD2E970000-0x00007FFD2E980000-memory.dmp

Filesize
64KB

Download
memory/3088-5-0x00007FFD6E8F0000-0x00007FFD6EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3088-8-0x00007FFD6E8F0000-0x00007FFD6EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3088-9-0x00007FFD2C550000-0x00007FFD2C560000-memory.dmp

Filesize
64KB

Download
memory/3088-17-0x00007FFD6E8F0000-0x00007FFD6EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3088-12-0x00007FFD6E8F0000-0x00007FFD6EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3088-3-0x00007FFD2E970000-0x00007FFD2E980000-memory.dmp

Filesize
64KB

Download
memory/3088-1-0x00007FFD2E970000-0x00007FFD2E980000-memory.dmp

Filesize
64KB

Download
memory/3088-10-0x00007FFD6E8F0000-0x00007FFD6EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3088-19-0x00007FFD6E8F0000-0x00007FFD6EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3088-18-0x00007FFD6E8F0000-0x00007FFD6EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3088-15-0x00007FFD6E8F0000-0x00007FFD6EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3088-13-0x00007FFD6E8F0000-0x00007FFD6EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3088-11-0x00007FFD6E8F0000-0x00007FFD6EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3088-26-0x00007FFD6E98D000-0x00007FFD6E98E000-memory.dmp

Filesize
4KB

Download
memory/3088-27-0x00007FFD6E8F0000-0x00007FFD6EAE5000-memory.dmp

Filesize
2.0MB

Download
memory/3088-2-0x00007FFD2E970000-0x00007FFD2E980000-memory.dmp

Filesize
64KB

Download
memory/3088-0-0x00007FFD6E98D000-0x00007FFD6E98E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads