ecb4ebff87ef24a8a2f929ed19f4db7e5191e8805b66c476ddeb4a1079f744df

General

Target

Device/HarddiskVolume3/Users/Demo/Downloads/SalaryPayment.docm
Size

83KB
MD5

46d71e324f8a183ff2fc25639501064e
SHA1

049d20520cdff2c9de0e084acc7c74b38a0a32bf
SHA256

8c19b0a81eca2b255bd301735b5ee22f8e4558aab3cb94175d7f579dfc3ea7f6
SHA512

7c8a73376ba5ab65ce11234ec8cca578b0012751c97b4273887e3741fb543a41e676076714bbbc080197529e3f82c756e4949159bcd5a33573786c51528bf927
SSDEEP

1536:AH+WqQuctgdcmf511SRYOGYEwQu5MaMiIRcOOzwFd0mCdXmi8OXCld:o+X8YRHWnhdMaTQO2dbCdXm5OC/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4440	rad50BF6.tmp.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rad50BF6.tmp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1920	WINWORD.EXE
1920	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1920	WINWORD.EXE
1920	WINWORD.EXE
1920	WINWORD.EXE
1920	WINWORD.EXE
1920	WINWORD.EXE
1920	WINWORD.EXE
1920	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4440	1920	WINWORD.EXE	86
PID 1920 wrote to memory of 4440	1920	WINWORD.EXE	86
PID 1920 wrote to memory of 4440	1920	WINWORD.EXE	86

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\Demo\Downloads\SalaryPayment.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\rad50BF6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\rad50BF6.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD9C39.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\rad50BF6.tmp.exe

Filesize
72KB

MD5
55057a887bc1f8b88f1d52d92fa81b69

SHA1
ebeee9c0de38352a1e97c10f61c67f599a8eaf95

SHA256
947c8187564eeaaed545134c5892796dd692ced76548bc2ccda90f398c21d5f2

SHA512
cb5d9780d03cbbdec0126cdf76bb6a562cc83b6691e743f48190e5eba588c4a7bb3029915d417526977e758a2b3d61d0000b670922f5e58313532e27c86fa8db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
memory/1920-12-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-11-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-10-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-35-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-8-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-7-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-0-0x00007FFF69AED000-0x00007FFF69AEE000-memory.dmp

Filesize
4KB

Download
memory/1920-38-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-13-0x00007FFF279D0000-0x00007FFF279E0000-memory.dmp

Filesize
64KB

Download
memory/1920-6-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-14-0x00007FFF279D0000-0x00007FFF279E0000-memory.dmp

Filesize
64KB

Download
memory/1920-2-0x00007FFF29AD0000-0x00007FFF29AE0000-memory.dmp

Filesize
64KB

Download
memory/1920-18-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-37-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-16-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-15-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-9-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-3-0x00007FFF29AD0000-0x00007FFF29AE0000-memory.dmp

Filesize
64KB

Download
memory/1920-17-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-36-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-33-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-46-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-4-0x00007FFF29AD0000-0x00007FFF29AE0000-memory.dmp

Filesize
64KB

Download
memory/1920-1-0x00007FFF29AD0000-0x00007FFF29AE0000-memory.dmp

Filesize
64KB

Download
memory/1920-5-0x00007FFF29AD0000-0x00007FFF29AE0000-memory.dmp

Filesize
64KB

Download
memory/1920-71-0x00007FFF69AED000-0x00007FFF69AEE000-memory.dmp

Filesize
4KB

Download
memory/1920-72-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-73-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-74-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-75-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-76-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/1920-82-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download
memory/4440-61-0x00007FFF69A50000-0x00007FFF69C45000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads