487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c

General

Target

virusshare/3/VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc
Size

34KB
MD5

3fb34964fa7b8c6bfad8d960380ff04e
SHA1

9a3aec40056ce74bac833989ed71dfb6c2626f4c
SHA256

26026b1b3d0cb660c6be6c536df679acca0b5562a3adbb507d001474d23f5650
SHA512

a82b522dfd7eac30292a9e9ab19ddac94563804e77a1090e5f44de7e794ef4e5ebe0e7fb36e5177479417c8176ae0475613700755ca015c7ce941a4740215faa
SSDEEP

384:bzIPMepSbSsG/CdPvunCpeJzKoSS3D6JO5LfBqtjbjk4Eohubn3ezta:nIPMecWsGKVunFFRDE6pqjhust

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x000d0000000242f8-186.dat	office_macro_on_action

Deletes itself 1 IoCs

pid	Process
1252	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\virusshare\3\~WRD0003.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1252	WINWORD.EXE
1252	WINWORD.EXE

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE
1252	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 768	1252	WINWORD.EXE	97
PID 1252 wrote to memory of 768	1252	WINWORD.EXE	97

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1588

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD2606.docx

Filesize
11KB

MD5
79499dd572b4c733c511050ca6df3dcf

SHA1
e85c4c40ee5204536905b86a48751a46936defa2

SHA256
9c32a25ed099cb742264d639526580395848c303b2e98b4ecff61c5ad4ec4d3c

SHA512
3b1eaf2acebce2c46b72bc65ae158218ef5c764b8db2ebf685acdca3f1dd7e825be70ce75b0b30665240478579e5fdd485a4f13c3cb10c22d6daaa48960d3716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD2610.docx

Filesize
11KB

MD5
4d881c4002133d61be437ff0a6331e53

SHA1
20055370077b8e05bc69da2f323893a8c3176c10

SHA256
f91f651ae217c76f8bcb98cbc12853081ed62eb0d1e9b669dce375391dee0193

SHA512
ab02f000b9ac2873f8bcca1133c4f61e4a1888f07204dd76b359b78957db0feef8631f1c668537879a5ee7330c3e4eaedb77a73523c64d120c7b19c30a36b2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA234.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\virusshare\3\~WRD0003.tmp

Filesize
35KB

MD5
0810875ab3ac2f86487256074ab842b2

SHA1
b0d5c9592f1918d7b6ed6f45fb958cab15b6976e

SHA256
7ccaeb349e3a40dc2abf0619d1b1f072a23cc3ff2bcb9e7eafa3e6d6d7d806a2

SHA512
60cb57503ea8494b7e6c507b726080bffad6a89066594e901d4bd0b3f3c026b8185d8431d851197b6eac30c215a07026f14e538d4e29d8fdb6734530c8822749

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
41e387fdb97e102176c147832d43b0b7

SHA1
32e17e5951c6f6771de27d02fb783e6c6b370bc2

SHA256
5de6dee4dd83e0f09756271836923c865125388cb6699d4c35e57dc512756247

SHA512
4bafd4a94fc73b68d641cdf1bb84c9471b593155a0a872a2357ed870b88376cd34b456d93f3c70eed06aa8edf31dcca5fc48deba2db19bd0bafcabe275fc85b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\AutoRecovery save of ~WRL1687.asd

Filesize
95KB

MD5
65ed85c1ba68c18d8303cd96de4fa15f

SHA1
46d8fc0b8083154d8b6d2cc726bcc4d77a92c4b3

SHA256
1b99f31a11fca0cb1baa7bf0ec1cc03ec637202e5f61dc99f2484e7d3413fff3

SHA512
27de04b6ff67bb8947a499120d2db0f17f3497257f651712411b17a95524201bde50df0161c42575cc57c0d388c0de87148da7f8582127ce73f4155a3c668ede

Download Submit
memory/1252-12-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-31-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-13-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-11-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-10-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-14-0x00007FFCC97E0000-0x00007FFCC97F0000-memory.dmp

Filesize
64KB

Download
memory/1252-6-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-15-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-16-0x00007FFCC97E0000-0x00007FFCC97F0000-memory.dmp

Filesize
64KB

Download
memory/1252-17-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-20-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-22-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-21-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-19-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-18-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-1-0x00007FFD0BE2D000-0x00007FFD0BE2E000-memory.dmp

Filesize
4KB

Download
memory/1252-32-0x00007FFD0BE2D000-0x00007FFD0BE2E000-memory.dmp

Filesize
4KB

Download
memory/1252-33-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-7-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-8-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-4-0x00007FFCCBE10000-0x00007FFCCBE20000-memory.dmp

Filesize
64KB

Download
memory/1252-9-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-5-0x00007FFCCBE10000-0x00007FFCCBE20000-memory.dmp

Filesize
64KB

Download
memory/1252-2-0x00007FFCCBE10000-0x00007FFCCBE20000-memory.dmp

Filesize
64KB

Download
memory/1252-3-0x00007FFCCBE10000-0x00007FFCCBE20000-memory.dmp

Filesize
64KB

Download
memory/1252-0-0x00007FFCCBE10000-0x00007FFCCBE20000-memory.dmp

Filesize
64KB

Download
memory/1252-252-0x00007FFCCBE10000-0x00007FFCCBE20000-memory.dmp

Filesize
64KB

Download
memory/1252-256-0x00007FFD0BD90000-0x00007FFD0BF85000-memory.dmp

Filesize
2.0MB

Download
memory/1252-255-0x00007FFCCBE10000-0x00007FFCCBE20000-memory.dmp

Filesize
64KB

Download
memory/1252-254-0x00007FFCCBE10000-0x00007FFCCBE20000-memory.dmp

Filesize
64KB

Download
memory/1252-253-0x00007FFCCBE10000-0x00007FFCCBE20000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads