Overview

overview

10

Static

static

10

3D2383F5C9...F.docx

windows7-x64

7

3D2383F5C9...F.docx

windows10-2004-x64

1

Analysis

  • max time kernel
    102s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2023 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3D2383F5C9472C92CB1C24F28D46D9959A2C03382CDC09A41C0732DCD3CAAE9F.docx

  • Size

    10KB

  • MD5

    696658e8bd6141fe2045b504babc619b

  • SHA1

    e03616792372b69cc77910ec4adff5ce3d7aec5c

  • SHA256

    3d2383f5c9472c92cb1c24f28d46d9959a2c03382cdc09a41c0732dcd3caae9f

  • SHA512

    f35dc7c43320741cbcbb960d856fe008a131679686fdbdae6db10a1fcbdad013090863a2aedd7b4678179fe6cfbd6cda572fe2467c54cf861789f41c3ae10fb3

  • SSDEEP

    192:ScIMmtP0xfUW70vG/b3kgOi4Osus+1pReDnc37ZHazG:SPX+si10ni4OuyeDnMsy

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3D2383F5C9472C92CB1C24F28D46D9959A2C03382CDC09A41C0732DCD3CAAE9F.docx"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:872

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{CE276444-6558-4AFD-A0F4-6852EA00AEA3}.FSD
      Filesize

      128KB

      MD5

      7b8c7acabcbf318dafcc7fd6312aeb7a

      SHA1

      8f61a622ad673a503afa4ca1d97a99a2350046a3

      SHA256

      be8f9ae0b72672c881dce8c4b245cedc70e7d4cc2fc1848e5bcc7e423e2063f7

      SHA512

      699e27d8d93ca9e7f68f9f3cd76eab28ef487579332c5264c1f49bdfc4f53ec983ba86b05d9438217f5d6f113b7c854bb0469417e32f2d0d102b9408b169e0aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      cbc98c9e9683691311e796550bfcdf86

      SHA1

      74b66da5216e40e913abcc66efe29873deb8d22a

      SHA256

      678f1364dba1af1d666f7633c3becf8f0544be5bac50aaf7afb0a675d94352ac

      SHA512

      3d299ae7434348863e685d982dc8189f5bd9ced73c7484163408f8494c7fd89d989f41a5fa5366be8113a44cd8a192d5df123ece7b3d711bfcbde8d18847b3f9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{BCBCBA28-162D-405C-858C-29A6A686AE08}.FSD
      Filesize

      128KB

      MD5

      bb7d8b8a802b72e8731344217601af40

      SHA1

      b5e736e5f4f92dd2ca0208641a604d2817d3bdaf

      SHA256

      19db24f282c709150f9547ab702505800342651641a3b35ef81685ba353b5732

      SHA512

      13be4afde4d223e906d5e6a6229b0ac39d4a454901c56280d170cb601eedf06dfbddefcbebcceb1cd8e536ad7a51d8eb4d1cba319715330024c1e0ede0c7a7a2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{8CC449B5-87B0-4704-BECF-C533C47A5348}
      Filesize

      128KB

      MD5

      b72441e5a64b8bdc24edc1a2c1cc4041

      SHA1

      c5664193362914a644fa6357ee743aed90aea136

      SHA256

      ac93e92b87fee8b0f4f95143b768548def916ef33ed254dac1beca52af4953c2

      SHA512

      b815e0269fcaee9c0309f9db92d280ff8cc84bfe60425199eedb575734042279aabe3a04699bbef24b2390e63322faa4808663ee57b5d774e5a217117e0368c8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      5ce5e7e61561b0ace9094cffb28d656f

      SHA1

      30fb9f9ac09034439c040d5505c51d6658452ec9

      SHA256

      eec2ccbfd8ee01b19f8a040a7fbb8f388f6cfaf0d918bbc7a57d2f89e518b38e

      SHA512

      455244021d1c818dd83eb3dd3a1342bdce387e95b9ec79d44ea289b1138e9bb2a214132a055a9a02eec0fab9369d08902af54ac9b1c000c3a0b8e91d9695d1f3

      Download Submit

    • memory/1604-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1604-139-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download