bd016a3a10a8e28d6a1ef688828c73282db9e17246653b71ee347d977628f155

General

Target

bd016a3a10a8e28d6a1ef688828c73282db9e17246653b71ee347d977628f155.docm
Size

83KB
MD5

7e884a5c624f84eb907b43d4518f9fd9
SHA1

a93c0597744dc6acd132072ad1ccf11259fd1664
SHA256

bd016a3a10a8e28d6a1ef688828c73282db9e17246653b71ee347d977628f155
SHA512

dc264281bab9ef3d1c51cc04e9d969ce1990c362fd653ddd4188894d069943fd3a017f5bb94f29bcf910231802b2baf16ae562646471d8572b0da5f3f709b94f
SSDEEP

1536:Yj+WqQuctgdgmT1pRFRT0/JDiX9vxgaBtLotjzMLqT+9E/wwkJkT0ioOXCls:k+X8YZPBTgJDwvKavotzMuT+y/wAT0NQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4756	rad11AB8.tmp.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rad11AB8.tmp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3128	WINWORD.EXE
3128	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3128	WINWORD.EXE
3128	WINWORD.EXE
3128	WINWORD.EXE
3128	WINWORD.EXE
3128	WINWORD.EXE
3128	WINWORD.EXE
3128	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 4756	3128	WINWORD.EXE	84
PID 3128 wrote to memory of 4756	3128	WINWORD.EXE	84
PID 3128 wrote to memory of 4756	3128	WINWORD.EXE	84

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bd016a3a10a8e28d6a1ef688828c73282db9e17246653b71ee347d977628f155.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\rad11AB8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\rad11AB8.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD329D.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rad11AB8.tmp.exe

Filesize
72KB

MD5
363f604c7fc3d5d26d75913257f8d9d2

SHA1
15a3c4be4de3b9c2bd82c863f23cf5bfefdf732e

SHA256
b51fbd7bafd493ce77df3632a4e052112a86bb8a0d41b1ff6869c6a912afab3a

SHA512
8fec37a8ac7485934868142f6e647fdd33f0af1c715646a99724e648d1fca1a3291e7813ae69bac07118f44806c3a28de111324ca7014554acc4143342156681

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
c8f7d3db5f72f86f63d2b0170cd89dd8

SHA1
efa59b03964a32f67759b1528752f9f5e4df4217

SHA256
2e013b7af33a34120ea7022e01776a1817da5e5c98ec96cd29fb2220f6fb629f

SHA512
8db57b0ae3a7e756c00cac841537ed768d2c1b2f9815ebd937b9fbfd54025f7d31237608a1d6af4553bf369ed83c74f74c8810e030449b0fefbcc7781d73baf5

Download Submit
memory/3128-15-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-38-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-10-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-9-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-8-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-37-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-12-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-11-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-13-0x00007FFB998A0000-0x00007FFB998B0000-memory.dmp

Filesize
64KB

Download
memory/3128-6-0x00007FFB9BA90000-0x00007FFB9BAA0000-memory.dmp

Filesize
64KB

Download
memory/3128-5-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-14-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-16-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-19-0x00007FFB998A0000-0x00007FFB998B0000-memory.dmp

Filesize
64KB

Download
memory/3128-20-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-18-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-17-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-0-0x00007FFB9BA90000-0x00007FFB9BAA0000-memory.dmp

Filesize
64KB

Download
memory/3128-4-0x00007FFB9BA90000-0x00007FFB9BAA0000-memory.dmp

Filesize
64KB

Download
memory/3128-39-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-7-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-36-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-41-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-40-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-3-0x00007FFB9BA90000-0x00007FFB9BAA0000-memory.dmp

Filesize
64KB

Download
memory/3128-44-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-1-0x00007FFBDBAAD000-0x00007FFBDBAAE000-memory.dmp

Filesize
4KB

Download
memory/3128-66-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-67-0x00007FFBDBAAD000-0x00007FFBDBAAE000-memory.dmp

Filesize
4KB

Download
memory/3128-68-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-69-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-70-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-72-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-71-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/3128-2-0x00007FFB9BA90000-0x00007FFB9BAA0000-memory.dmp

Filesize
64KB

Download
memory/3128-81-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/4756-57-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads