9483ce32d2782940a10d3adde0672765930fe7ecfac3f8e4cad50b870316b758

General

Target

9483ce32d2782940a10d3adde0672765930fe7ecfac3f8e4cad50b870316b758.docx
Size

12KB
MD5

7d206684fbf955cf16abb54f17c95d7b
SHA1

0aceac53c75bcc176ff64621118e9612f3b3b33b
SHA256

9483ce32d2782940a10d3adde0672765930fe7ecfac3f8e4cad50b870316b758
SHA512

8db6503d82006a9a2d2151d753dfdd4ec52d116b284bd3f5b866d9c7d9b52540d514f93a00a74ed21b2b98315d3db5a75927c4f62ab8487d4c0539df7c1c0d97
SSDEEP

384:C6sZXSIh7hvXGMH111/em5bi4GmZa3Ktz+xZwFLOcqK:CXWEeaXJ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\mhtml:https:\rb6z69deadx2ocgwl1s11bd3lurlfc90y.oastify.com\word.html!x-usc:https:\rb6z69deadx2ocgwl1s11bd3lurlfc90y.oastify.com\word.html	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2068 WINWORD.EXE
2068 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 2068 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

2068 WINWORD.EXE
2068 WINWORD.EXE
2068 WINWORD.EXE
2068 WINWORD.EXE
2068 WINWORD.EXE
2068 WINWORD.EXE
2068 WINWORD.EXE

pid	process
2068	WINWORD.EXE
2068	WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	2068	WINWORD.EXE

pid	process
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE
2068	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9483ce32d2782940a10d3adde0672765930fe7ecfac3f8e4cad50b870316b758.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\word[1].htm

Filesize
56B

MD5
59ea5cf14c6e67acd7a71bf0a1c49300

SHA1
7ac606f111b3080bcd0dc13f36c4a6879261693b

SHA256
9dfb11ac68548c120402a769188ae630636688358386e49aaa71fbb221fe813d

SHA512
81943f16b80fb45511223e79e9a4d2ac67016ae005ddf8d815d480eb52dd41731deff9ecd2d56ce2a443b33c37782043b4c7db04a33299e91c11269af508f93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD30B5.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
127ed6c1886d02a2b16687adced68b92

SHA1
3a8744eb226222e9c3073f5a5698597559441874

SHA256
ac106a1a39ff30a91fefdf3458accbc901a8878895f63b0735d94848d9c5e5a4

SHA512
a794cb360fb7af34101aae609919ceabcdd9c4116fd4c0661ba19e3e3806c4dc38cd2608894a02ad68b8dd0796586deb63811a8873a5b5e2dacd08e4108ebce1

Download Submit
memory/2068-10-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-17-0x00007FF8C4290000-0x00007FF8C42A0000-memory.dmp

Filesize
64KB

Download
memory/2068-7-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-8-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-11-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-12-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-13-0x00007FF8C4290000-0x00007FF8C42A0000-memory.dmp

Filesize
64KB

Download
memory/2068-15-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-14-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-0-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp

Filesize
64KB

Download
memory/2068-16-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-4-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-18-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-9-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-6-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp

Filesize
64KB

Download
memory/2068-3-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp

Filesize
64KB

Download
memory/2068-5-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-77-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-78-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-79-0x00007FF906710000-0x00007FF906905000-memory.dmp

Filesize
2.0MB

Download
memory/2068-1-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp

Filesize
64KB

Download
memory/2068-2-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads