15479d24a288ccce5ac421de34259518026761dde5f452bc1756fb557b09cfee

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PurchaseXOrderXNo.4036041334.docx
Size

16KB
MD5

e1d91cae0bc5e4510f6a07c38ed9db1f
SHA1

0d1288b1c6ca2e30910712c5e0d881a8b54caaa2
SHA256

15479d24a288ccce5ac421de34259518026761dde5f452bc1756fb557b09cfee
SHA512

37a8b983183ba1acba1254b3c323d8a1becace5a0d305ed977fa2f85df93184b5a24c57b861a8952a808b1932ce75353133b5a30fff218d382caf23227215d8b
SSDEEP

384:tyXLyi0WVs8PL8wi4OEwH8TIbE91r2fRXJYsvi1x3egCy:tcLm65P3DOqnYJ5Zvcx3eg7

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MsoSync.exe

description pid pid_target process target process

Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4044 4440 MsoSync.exe WINWORD.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4044	4440	MsoSync.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEMsoSync.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MsoSync.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEMsoSync.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	MsoSync.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4440 WINWORD.EXE
4440 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WINWORD.EXEMsoSync.exe

description pid process

Token: SeAuditPrivilege 4440 WINWORD.EXE
Token: SeAuditPrivilege 4044 MsoSync.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

MsoSync.exe

pid process

4044 MsoSync.exe
4044 MsoSync.exe
4044 MsoSync.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

MsoSync.exe

pid process

4044 MsoSync.exe
4044 MsoSync.exe
4044 MsoSync.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXEMsoSync.exe

pid process

4440 WINWORD.EXE
4440 WINWORD.EXE
4440 WINWORD.EXE
4440 WINWORD.EXE
4440 WINWORD.EXE
4440 WINWORD.EXE
4440 WINWORD.EXE
4440 WINWORD.EXE
4044 MsoSync.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description pid process target process

PID 4440 wrote to memory of 4044 4440 WINWORD.EXE MsoSync.exe
PID 4440 wrote to memory of 4044 4440 WINWORD.EXE MsoSync.exe

pid	process
4440	WINWORD.EXE
4440	WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4440	WINWORD.EXE
Token: SeAuditPrivilege	4044	MsoSync.exe

pid	process
4044	MsoSync.exe
4044	MsoSync.exe
4044	MsoSync.exe

pid	process
4044	MsoSync.exe
4044	MsoSync.exe
4044	MsoSync.exe

pid	process
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4440	WINWORD.EXE
4044	MsoSync.exe

description	pid	process	target process
PID 4440 wrote to memory of 4044	4440	WINWORD.EXE	MsoSync.exe
PID 4440 wrote to memory of 4044	4440	WINWORD.EXE	MsoSync.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PurchaseXOrderXNo.4036041334.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440

C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe
"C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"
2⤵
- Process spawned unexpected child process
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb
Filesize
512KB

MD5
7e5b28912c7f83368e8efea012d02ed2

SHA1
9b81e48ccaa35ac3da9eb70d549f423a22aa4dfd

SHA256
469b0163ddbd7f2f8e98b6a0f8e453fe2feaa4793aa1bf20cb8f62b9794f5f1a

SHA512
c98d6271fb8da9ef620f6a2ddba113710c6a1fc7e2ed686db63e0df5f89f15b43c52a024f016e7ab8fdea1ba606f0fa3f56fea191310524fb8c8728b096983fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
Filesize
128B

MD5
e438cf53da1d0c1d6d62a9d9bb681126

SHA1
0354537896ce46360052aeb3b19bc85028c4dbd8

SHA256
7640f896131970903533d56469c1af47947a312451d1d683154a7d44a1aea341

SHA512
823f202d11be2f204f68d04963ac319ab64d845a5aa8e8228cc68e6025031eb1cc7bda5ffc09a7e1a63b33300adab34e2e4b1bff59ad4bb187f2228b9d8948bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/4044-53-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4044-49-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4044-66-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4044-59-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4044-64-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4044-63-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4044-55-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4044-67-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4044-52-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4044-65-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4044-50-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4044-48-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4044-46-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4044-47-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4044-45-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4044-44-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4044-43-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4440-12-0x00007FFAF6A20000-0x00007FFAF6A30000-memory.dmp

Filesize
64KB

Download
memory/4440-11-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-33-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-19-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-20-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-21-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-17-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-16-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-15-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-14-0x00007FFAF6A20000-0x00007FFAF6A30000-memory.dmp

Filesize
64KB

Download
memory/4440-13-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-10-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-0-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4440-18-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-8-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-9-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-7-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-6-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download
memory/4440-5-0x00007FFB38B2D000-0x00007FFB38B2E000-memory.dmp

Filesize
4KB

Download
memory/4440-4-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4440-3-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4440-1-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4440-2-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4440-89-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4440-88-0x00007FFAF8B10000-0x00007FFAF8B20000-memory.dmp

Filesize
64KB

Download
memory/4440-92-0x00007FFB38A90000-0x00007FFB38C85000-memory.dmp

Filesize
2.0MB

Download