f60290414b54a987b80c3382c51e38e91e663549e0a0cc46014f3126b7c06bf9

Analysis

max time kernel
101s
max time network
36s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Budget Table, Project Plan, KPI, Objective..exe
Size

69.6MB
MD5

330e8bade7d2ce9eb16f64c39cc9e82c
SHA1

ec44787d4c510bfc84937a2d010dc31beb8e2c92
SHA256

f60290414b54a987b80c3382c51e38e91e663549e0a0cc46014f3126b7c06bf9
SHA512

8a38585bb3ed8abdcf066dc0d1644ed391b6a44195332e62d509e9df1cddfe4f7b2d309474018750c808d465bd8118bfad8184878b80eb67332f7309d9c302f4
SSDEEP

786432:f7Ug7CerF/P1Q6nEL/t2zT/Ly/V5jiVaiWy:zFVRtQ6EL/t2zTQ5piWy

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2940	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2996	Budget Table, Project Plan, KPI, Objective..exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	Budget Table, Project Plan, KPI, Objective..exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2940	WINWORD.EXE
2940	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2940	2996	Budget Table, Project Plan, KPI, Objective..exe	28
PID 2996 wrote to memory of 2940	2996	Budget Table, Project Plan, KPI, Objective..exe	28
PID 2996 wrote to memory of 2940	2996	Budget Table, Project Plan, KPI, Objective..exe	28
PID 2996 wrote to memory of 2940	2996	Budget Table, Project Plan, KPI, Objective..exe	28
PID 2940 wrote to memory of 2120	2940	WINWORD.EXE	30
PID 2940 wrote to memory of 2120	2940	WINWORD.EXE	30
PID 2940 wrote to memory of 2120	2940	WINWORD.EXE	30
PID 2940 wrote to memory of 2120	2940	WINWORD.EXE	30

C:\Users\Admin\AppData\Local\Temp\Budget Table, Project Plan, KPI, Objective..exe
"C:\Users\Admin\AppData\Local\Temp\Budget Table, Project Plan, KPI, Objective..exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2d520e9d-cc9a-487d-9148-7d0d70a42a1c.docx"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2d520e9d-cc9a-487d-9148-7d0d70a42a1c.docx

Filesize
20KB

MD5
f07ac8355e5fd541bdb9596dc9fa55eb

SHA1
6e287822f711eaefe704fc00cec2c8134bfbfe6a

SHA256
a4d3a1865b55edd037c7fd08c41221f7621679304a727cd73e5d04e8add696d3

SHA512
ad46b8f72d5cd12076d52aa014a67e31a34a12f25a3d982d2efb5b4286a661fb671d8ffb7c786923dedee089db5bcbf95b89dc7d840649aea628aa0e620acdcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
32ed66178ea47b4e87a54f93d2d96172

SHA1
84ffa3526a414d681798d4d3349024076b05e150

SHA256
59fd2a6f021b10b0e8152129841f24252e4e511ca1059b974b6906649a14aa06

SHA512
40b1483a08a67359f277da8a44b4b194c61bf369e353e94e5ec6ee7b5589118b3f7bfad63270a978f69c5f2127a6a046000450f4ea5e6367db34f1b1b723d6d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2940-74-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2940-125-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2996-64-0x0000000001E70000-0x0000000001EB0000-memory.dmp

Filesize
256KB

Download
memory/2996-71-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2996-68-0x0000000001EB0000-0x0000000001EF7000-memory.dmp

Filesize
284KB

Download
memory/2996-93-0x00000000229B0000-0x00000000229B7000-memory.dmp

Filesize
28KB

Download
memory/2996-90-0x00000000229C0000-0x00000000229D3000-memory.dmp

Filesize
76KB

Download
memory/2996-87-0x0000000022B60000-0x0000000022B8A000-memory.dmp

Filesize
168KB

Download
memory/2996-55-0x0000000180000000-0x0000000180A22000-memory.dmp

Filesize
10.1MB

Download
memory/2996-61-0x0000000022900000-0x0000000022982000-memory.dmp

Filesize
520KB

Download
memory/2996-58-0x00000000002E0000-0x0000000000306000-memory.dmp

Filesize
152KB

Download