aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424

General

Target

aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424.docx
Size

459KB
MD5

d2d23ccc53607370c926fe786f92c75b
SHA1

8a84a9083d5b1e26fb9d0374efec7b259a3d059b
SHA256

aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424
SHA512

2a38f263819d6350fdcc7e12345d68dbb6745eedef50ac261b488f73e534e0cc568c0d7dd909ca1bc438e436a9148aaf0f38f86792d8a92c174faef37e4396ca
SSDEEP

6144:hdlcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdYp9tmYL2:zARtUVhpr/rqIXM9mrm9Bt2mhW8G0Yf

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid	Process
2992	WINWORD.EXE
2992	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description	pid	Process
Token: SeAuditPrivilege	2992	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid	Process
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1EC9156.htm

Filesize
408KB

MD5
f6e89e6c3ab17d8d58699ccefeaf3c8d

SHA1
86c245d0a2ef138aa7afca6bb43316e251b07c68

SHA256
32f5bf26d32b42212ada3e88017ad037c6c84f760a64585252576d893a00ff5f

SHA512
ab3a82dcd600c7169da373101593480a1ef8e82b2d339b5367f0e2b118f23ec3eb591a3e269de3f5d8b0e0843ec4574b33c5f98e0344c4be38a26c25caccb4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9D8B.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
394B

MD5
7e3e9031f33be9ede0e29eebba781caa

SHA1
4f5d93e25523ef0a3d4d37e90efdcf3bad28e02f

SHA256
b472964568aac7f5b0f4fc711d0f98f06d5d3c80d4fe3e2f0327e9b2a3119d0d

SHA512
16735455729f74edc4dfb2441e713c494bb6f422599f774c6458ff3c5efa7c7648d20c3ed6d1b1e69385cad0ad65451ea2ee5bda09a06c26c4d92b5288dc3936

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
ba7e81e61de2b9edcfda42b1bdd30fd7

SHA1
ded08ba91f09e75838968d6c5dc9f302df89a7af

SHA256
72f2d4187c7a02ef31e75d4eb0483282af8255804f4e01cedfb3d7d3999a78d2

SHA512
6dc5f1b443ff9a3a0267872e6f6bb52c9da390484c63b969fdd17720a63238b2b6eba05c6c8e753a5e557eee0c930b619e0d651ad5b980031de415e45514db74

Download Submit
memory/2992-15-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-13-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-5-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/2992-11-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-10-0x00007FFC27230000-0x00007FFC27240000-memory.dmp

Filesize
64KB

Download
memory/2992-12-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-2-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/2992-1-0x00007FFC6954D000-0x00007FFC6954E000-memory.dmp

Filesize
4KB

Download
memory/2992-20-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-17-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-16-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-0-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/2992-14-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-6-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-19-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-21-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-18-0x00007FFC27230000-0x00007FFC27240000-memory.dmp

Filesize
64KB

Download
memory/2992-7-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-9-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-67-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-69-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-68-0x00007FFC6954D000-0x00007FFC6954E000-memory.dmp

Filesize
4KB

Download
memory/2992-70-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-71-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-8-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-4-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/2992-3-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads