38c59ba61fb5ddf358ba31b75eb6a4d7727b1d43fa64f48ecd9aa89acf947b7f

General

Target

Report and Contract.rtf
Size

2.8MB
MD5

2020683c0740feb8c7a41ea70377b7fc
SHA1

326a0155051677653084e841125984b63b30666a
SHA256

3a0b5b12f26a4751964e2660ee62d20b192e00a044cd322f6867acfa25e341bc
SHA512

b550381f4874e6d0d5d8e7af708f4f122aacbcc1b29fbd7dd528751166591458f1bf2fc725714b2a771cd430a8a02a99999df4a5fa4ee3f277137f2bf7263431
SSDEEP

24576:l0wKl7r3ezbhrC+1J5nbVlvTagtZwAQd5CTkY7PGfk/sGvidzy5AghAoDmqaepIn:O

Score

4^/10

Malware Config

Signatures

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{01429C9A-6E62-4CB4-80E3-76EE6040FB53}\Client.exe:Zone.Identifier	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{01429C9A-6E62-4CB4-80E3-76EE6040FB53}\Client.exe:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
512	WINWORD.EXE
512	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
512	WINWORD.EXE
512	WINWORD.EXE
512	WINWORD.EXE
512	WINWORD.EXE
512	WINWORD.EXE
512	WINWORD.EXE
512	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Report and Contract.rtf" /o ""
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
705fc79e74fdc4c03a68ab608eb9fa1e

SHA1
ff77f55f63ae6797ae4fa7e289df7acb318f484b

SHA256
42dc932355bdbfd9a88f64e60dd33abb79697b18bd98293c0cafa1198cea2b42

SHA512
a20d90287c69c5f0c07356803a72056579535cc4a816bd33e6954d3d9dfa4cad6b4fd5c6c5fcf5c766cefb07bca5886b83bd655a8214c2b4b1a69c8719b4da2a

Download Submit
memory/512-12-0x00007FFB52560000-0x00007FFB52570000-memory.dmp

Filesize
64KB

Download
memory/512-1-0x00007FFB54830000-0x00007FFB54840000-memory.dmp

Filesize
64KB

Download
memory/512-0-0x00007FFB9484D000-0x00007FFB9484E000-memory.dmp

Filesize
4KB

Download
memory/512-6-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download
memory/512-5-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download
memory/512-7-0x00007FFB54830000-0x00007FFB54840000-memory.dmp

Filesize
64KB

Download
memory/512-10-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download
memory/512-9-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download
memory/512-11-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download
memory/512-17-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download
memory/512-4-0x00007FFB54830000-0x00007FFB54840000-memory.dmp

Filesize
64KB

Download
memory/512-2-0x00007FFB54830000-0x00007FFB54840000-memory.dmp

Filesize
64KB

Download
memory/512-8-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download
memory/512-18-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download
memory/512-16-0x00007FFB52560000-0x00007FFB52570000-memory.dmp

Filesize
64KB

Download
memory/512-14-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download
memory/512-13-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download
memory/512-3-0x00007FFB54830000-0x00007FFB54840000-memory.dmp

Filesize
64KB

Download
memory/512-38-0x00007FFB9484D000-0x00007FFB9484E000-memory.dmp

Filesize
4KB

Download
memory/512-39-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download
memory/512-40-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download
memory/512-41-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download
memory/512-15-0x00007FFB947B0000-0x00007FFB949A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads