52c3f20d0519b4e85a154145042e66963411a4582998067525076ca85489b89b

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/07/2023, 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO PL101114.docx
Size

10KB
MD5

0465827232105643cb826e49a1c2f634
SHA1

40173b5eb8a674ad5c70f81cd6d95f386ff0cdbb
SHA256

52c3f20d0519b4e85a154145042e66963411a4582998067525076ca85489b89b
SHA512

bddfbfd2eb36263a4c9b4385f728ddcc3501710433e42d0c8896f30758f86a823e73a08d866cdfd5bc560e7646e23959f4f900e0b0e8f1f95cf74e36381a5e0a
SSDEEP

192:nya0NM7VLWBARgZVPCK44AG9xXSJ+Ej7tJY/KwoKAT9WYncWe6V:nyXM7VLWBANK4499xXSJf7tJY/AEYnXV

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2448	EQNEDT32.EXE

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 1 IoCs

pid	Process
2712	lognen587138.exe

Loads dropped DLL 6 IoCs

pid	Process
2448	EQNEDT32.EXE
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2352	2712	WerFault.exe	29

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2448	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2240	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2240	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2240	WINWORD.EXE
2240	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2712	2448	EQNEDT32.EXE	29
PID 2448 wrote to memory of 2712	2448	EQNEDT32.EXE	29
PID 2448 wrote to memory of 2712	2448	EQNEDT32.EXE	29
PID 2448 wrote to memory of 2712	2448	EQNEDT32.EXE	29
PID 2240 wrote to memory of 800	2240	WINWORD.EXE	35
PID 2240 wrote to memory of 800	2240	WINWORD.EXE	35
PID 2240 wrote to memory of 800	2240	WINWORD.EXE	35
PID 2240 wrote to memory of 800	2240	WINWORD.EXE	35
PID 2712 wrote to memory of 2352	2712	lognen587138.exe	36
PID 2712 wrote to memory of 2352	2712	lognen587138.exe	36
PID 2712 wrote to memory of 2352	2712	lognen587138.exe	36
PID 2712 wrote to memory of 2352	2712	lognen587138.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO PL101114.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:800

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Roaming\lognen587138.exe
  "C:\Users\Admin\AppData\Roaming\lognen587138.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 660
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0C123469-B3F8-4F0C-9CA1-1B64068B51D7}.FSD

Filesize
128KB

MD5
4d2caa066b9c545176d35c07df0ed55b

SHA1
bd8051b9d549e8463e991a793a38dc3a36128445

SHA256
6d67130126243528055b152d04d275a94b1a5f6d035a464da6cb3cc78aaec18a

SHA512
1fc4c4109a2b869270992080709e7f3cace838399f4483748318d181bd3c15a17ea81e85681f665f6b66d01a32a40ad327dba7a05b18e9cf325796c81d95cd12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
823a71f0d2a1ac031ab801503f64d600

SHA1
26250073129e5dd760de9bf832014a4adba0420e

SHA256
56207f16f2b12fea4ce0f9df295c4fbb0f7c762f7abdbd9604912668cac8c550

SHA512
9a8f3fe25bdccb054a90076b72feefe54c8e3d79637ab256aff7144fa06211cf541b90c036e94d48ac2d66e16d15203e8f58174e280fc4009f0b3bcb9edfc0bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D07196F3-3AA2-469E-AD6D-535B8707C4BD}.FSD

Filesize
128KB

MD5
b269271e0527a7ee0d5535f453bb6ea9

SHA1
70143d3554bbcb0938a5df98870adc70681c4fe6

SHA256
390d085e0d4ed966469d6afaa4f07b095b7b8d18d8a3b7c8b5d5d94b76178c22

SHA512
0fbda9774b00a522e3cc41c4af2224ba22df3aa3c7ff258c0d7c8eafbde41c7e6e1925e0f1876d671543e73b33ee5805142e18ded25ee1515999a272a1417f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U6AGJ71Z\logszx[1].doc

Filesize
39KB

MD5
ce8cdd4546f3c1d22d3c0c3834c2a73b

SHA1
a2aaeef225ee75044c04e604f7492151777756ff

SHA256
aa3cf6cca9a6b711b17a92b8fa323514b0926971babfa48f6997661f5bf5e5b8

SHA512
45e0ce2b95ad416c42964e7a2550c75621e3b9867ff009851d52ca138cf3edba17d17b94c32a3f0c650fc36b6992aea062cfca025a0a103ba623e22c8a9bc56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{91EDE03D-A03E-433D-9BE5-C01B8A28D2F2}

Filesize
128KB

MD5
1205cae88a87790ff0578b0ba34079f4

SHA1
45ba52c233ba34a5fb279412cbe86e9fc5d61b00

SHA256
779bbdc3df9227e5dbfb0f40bc61e4c3e92f8f72cae67dd1ac8c7ea51bc65e36

SHA512
eca34c3ea586d32e2fa5a368bc3109d2d58f2a23997920f642f5e1488de566315e782d83827fe67eb7ad46a3d2b890e70d0c8e3ec6346dc5ed9bba51c8f630ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
6f3060e441c75f4e1823d2e9787fe746

SHA1
42a2d2f90bc964cdfc6d5d8713f3239a3c627449

SHA256
c25fd0cfcee000d2c110a12e42bf6e1ba4f3d5a468bc2ee93b1fab9ba0081e24

SHA512
3dba14f112e06b3c6799bc2e9f948edec971113774080279fa6aed52cd092d2074e0821f8b37b1b26f566fe63d3356116b76313d2cc613283258c5d576837750

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\lognen587138.exe

Filesize
616KB

MD5
2bbe7bfa4829bf0bcdc2952b93bd9bd9

SHA1
ee0d230a52247fea2169a14a906ce21d28b8eb8b

SHA256
ef63e0dd98836048f72145f44b71d716b14262817d75574aa04731ebcf231c90

SHA512
f067a0a98320d4cca6e4f972d75e1802607a50bc1d913391c711f2a7a89bffe67aeafe4755f1d0002b48bb6912a986ed7cc4ca3c4f41456a05b7f6fc86f2b12a

Download Submit
C:\Users\Admin\AppData\Roaming\lognen587138.exe

Filesize
616KB

MD5
2bbe7bfa4829bf0bcdc2952b93bd9bd9

SHA1
ee0d230a52247fea2169a14a906ce21d28b8eb8b

SHA256
ef63e0dd98836048f72145f44b71d716b14262817d75574aa04731ebcf231c90

SHA512
f067a0a98320d4cca6e4f972d75e1802607a50bc1d913391c711f2a7a89bffe67aeafe4755f1d0002b48bb6912a986ed7cc4ca3c4f41456a05b7f6fc86f2b12a

Download Submit
C:\Users\Admin\AppData\Roaming\lognen587138.exe

Filesize
616KB

MD5
2bbe7bfa4829bf0bcdc2952b93bd9bd9

SHA1
ee0d230a52247fea2169a14a906ce21d28b8eb8b

SHA256
ef63e0dd98836048f72145f44b71d716b14262817d75574aa04731ebcf231c90

SHA512
f067a0a98320d4cca6e4f972d75e1802607a50bc1d913391c711f2a7a89bffe67aeafe4755f1d0002b48bb6912a986ed7cc4ca3c4f41456a05b7f6fc86f2b12a

Download Submit
\Users\Admin\AppData\Roaming\lognen587138.exe

Filesize
616KB

MD5
2bbe7bfa4829bf0bcdc2952b93bd9bd9

SHA1
ee0d230a52247fea2169a14a906ce21d28b8eb8b

SHA256
ef63e0dd98836048f72145f44b71d716b14262817d75574aa04731ebcf231c90

SHA512
f067a0a98320d4cca6e4f972d75e1802607a50bc1d913391c711f2a7a89bffe67aeafe4755f1d0002b48bb6912a986ed7cc4ca3c4f41456a05b7f6fc86f2b12a

Download Submit
\Users\Admin\AppData\Roaming\lognen587138.exe

Filesize
616KB

MD5
2bbe7bfa4829bf0bcdc2952b93bd9bd9

SHA1
ee0d230a52247fea2169a14a906ce21d28b8eb8b

SHA256
ef63e0dd98836048f72145f44b71d716b14262817d75574aa04731ebcf231c90

SHA512
f067a0a98320d4cca6e4f972d75e1802607a50bc1d913391c711f2a7a89bffe67aeafe4755f1d0002b48bb6912a986ed7cc4ca3c4f41456a05b7f6fc86f2b12a

Download Submit
\Users\Admin\AppData\Roaming\lognen587138.exe

Filesize
616KB

MD5
2bbe7bfa4829bf0bcdc2952b93bd9bd9

SHA1
ee0d230a52247fea2169a14a906ce21d28b8eb8b

SHA256
ef63e0dd98836048f72145f44b71d716b14262817d75574aa04731ebcf231c90

SHA512
f067a0a98320d4cca6e4f972d75e1802607a50bc1d913391c711f2a7a89bffe67aeafe4755f1d0002b48bb6912a986ed7cc4ca3c4f41456a05b7f6fc86f2b12a

Download Submit
\Users\Admin\AppData\Roaming\lognen587138.exe

Filesize
616KB

MD5
2bbe7bfa4829bf0bcdc2952b93bd9bd9

SHA1
ee0d230a52247fea2169a14a906ce21d28b8eb8b

SHA256
ef63e0dd98836048f72145f44b71d716b14262817d75574aa04731ebcf231c90

SHA512
f067a0a98320d4cca6e4f972d75e1802607a50bc1d913391c711f2a7a89bffe67aeafe4755f1d0002b48bb6912a986ed7cc4ca3c4f41456a05b7f6fc86f2b12a

Download Submit
\Users\Admin\AppData\Roaming\lognen587138.exe

Filesize
616KB

MD5
2bbe7bfa4829bf0bcdc2952b93bd9bd9

SHA1
ee0d230a52247fea2169a14a906ce21d28b8eb8b

SHA256
ef63e0dd98836048f72145f44b71d716b14262817d75574aa04731ebcf231c90

SHA512
f067a0a98320d4cca6e4f972d75e1802607a50bc1d913391c711f2a7a89bffe67aeafe4755f1d0002b48bb6912a986ed7cc4ca3c4f41456a05b7f6fc86f2b12a

Download Submit
\Users\Admin\AppData\Roaming\lognen587138.exe

Filesize
616KB

MD5
2bbe7bfa4829bf0bcdc2952b93bd9bd9

SHA1
ee0d230a52247fea2169a14a906ce21d28b8eb8b

SHA256
ef63e0dd98836048f72145f44b71d716b14262817d75574aa04731ebcf231c90

SHA512
f067a0a98320d4cca6e4f972d75e1802607a50bc1d913391c711f2a7a89bffe67aeafe4755f1d0002b48bb6912a986ed7cc4ca3c4f41456a05b7f6fc86f2b12a

Download Submit
memory/2240-201-0x0000000070B4D000-0x0000000070B58000-memory.dmp

Filesize
44KB

Download
memory/2240-200-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2240-56-0x0000000070B4D000-0x0000000070B58000-memory.dmp

Filesize
44KB

Download
memory/2240-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2240-167-0x000000002FAF0000-0x000000002FC4D000-memory.dmp

Filesize
1.4MB

Download
memory/2240-168-0x0000000070B4D000-0x0000000070B58000-memory.dmp

Filesize
44KB

Download
memory/2240-54-0x000000002FAF0000-0x000000002FC4D000-memory.dmp

Filesize
1.4MB

Download
memory/2712-166-0x00000000005E0000-0x00000000005EE000-memory.dmp

Filesize
56KB

Download
memory/2712-171-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2712-169-0x000000006A370000-0x000000006AA5E000-memory.dmp

Filesize
6.9MB

Download
memory/2712-150-0x0000000000D00000-0x0000000000DA0000-memory.dmp

Filesize
640KB

Download
memory/2712-156-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/2712-151-0x000000006A370000-0x000000006AA5E000-memory.dmp

Filesize
6.9MB

Download