Analysis

  • max time kernel
    102s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/03/2023, 13:52

General

  • Target

    GESTION IMMOBILIERE.docx

  • Size

    168KB

  • MD5

    de098d3fd1e8c8dca1596dc308eb88ff

  • SHA1

    00ff381209e7267f2de6f93bd55ccf2e9145c9d4

  • SHA256

    12b408151f5a17a28ad5b6f78fb0bf34e8db78811789cceaea645c0cec6097e5

  • SHA512

    48edd28f0ff5083ace992b7178f3e4bf36dd0030e023acb6e5f003f06350c97e1605af0d15b59850de4267851fcfc91498dd6d334d0c0b579e82bd6d9833345c

  • SSDEEP

    3072:NboIChJ/OKO9XisrxVjYZyGRhRs/olZDfCUCO2aLChs+ePHy1ygv3ybB7uQje:Nb5Owys1VjYZyGRhRoirEOjG2+kHsjv5

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\GESTION IMMOBILIERE.docx"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1464

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ACF5C924.jpeg

      Filesize

      12KB

      MD5

      638a6ee77f31d4af34abfaf2823ad479

      SHA1

      9f27aa5f6c2168d3b95dafe7447c957a88c728ea

      SHA256

      32fa4b8e521885d66b774ae0409d601bfc6a0f784dd2c563bba5691d0735447c

      SHA512

      3572b73138eff0a157b86d10081996a11059da4d6db27171483f5fab4c70c5b5c52dc1303143cd9fec033ae2ed2523888ff960b865f889b5e91a944a70c644be

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      5c915b2525e91bf9d352cf5946dbae08

      SHA1

      edbce16d18434c04b03fde90544f96de280cb768

      SHA256

      b471e2004642575794b6f20c72a6609f0f8a152ebe8c5c484ae729de9716d12b

      SHA512

      f6ac69cab0e9b61a7d0f8cd9382abd8fce04a203b813e0440ed48590f8c2b46e6c2027d684a36fc68bb21993fe9d0a33282a78a761ca3babb05befc7b7a47223

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryFR040c.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/1744-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1744-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB