9511ad9bbaed8b92fe55279b8c968eaa759060296d697c076c281d474bbc7045

Analysis

max time kernel
118s
max time network
159s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/07/2023, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9511AD9BBAED8B92FE55279B8C968EAA759060296D697C076C281D474BBC7045.docx
Size

225KB
MD5

68b586a3dc90f21af5b595a484e4521f
SHA1

8cd5578134bfd5baf99be08ec0fffc734356f000
SHA256

9511ad9bbaed8b92fe55279b8c968eaa759060296d697c076c281d474bbc7045
SHA512

a5173b1a923df346c0a0a5fb4fe42a4db95b5c6870ed471e9f41ae89fda15582a8b36a6c6c093f972c7df59a7c64101e9cf9e0afc13ba8a6d75200a784d18f7d
SSDEEP

6144:LENYC2Csx+1i6vnq4RTfICxIaZbmwOSHMXC0KK:LE32Cs81ZvnDRHLZ5pMy0KK

Score

7^/10

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1512	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1512	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1512	WINWORD.EXE
1512	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1904	1512	WINWORD.EXE	33
PID 1512 wrote to memory of 1904	1512	WINWORD.EXE	33
PID 1512 wrote to memory of 1904	1512	WINWORD.EXE	33
PID 1512 wrote to memory of 1904	1512	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9511AD9BBAED8B92FE55279B8C968EAA759060296D697C076C281D474BBC7045.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4F97F0C9-B7E1-4779-98E0-DD329936E4B9}.FSD

Filesize
128KB

MD5
501d03e3cf18437acc26957eabe513ff

SHA1
b1c2a2798a7430d464bf7a0bc5133aa91a2e5742

SHA256
c2a9d23ea447cf1c8e1a6aa09db2521877615136aea07611a71370db0a35b303

SHA512
11ab40bd539ad2622f0b15c1a9e23fd170ed5b24d8dadc92b7d8ca515d093e4b70901984c43ac5e44c257733d25023d9fc21a4e3b4267cc79d85b7a33a9f3eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
b86037ba094ea8d72d8792b44f2a8852

SHA1
367bba9a792a947119061df22960001a5f9a13db

SHA256
49e3a31f2927b91a6fedbf76c58b5d9521f0934cce83a057c04a914dd7d23563

SHA512
b2ec9a547cdb50d2e13b51f5a3596eb410c552f304c7ede8d6dd2bfc4b410736c552eee348ed50ad88f9b0dca931e06dbe20d3674c85654391d608f6fd702c65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FE1ABD16.emf

Filesize
1.1MB

MD5
ab8320aa77c2be1ec5737017300ba5a9

SHA1
80159f83f2f3e308f945e3b9e77f3dd46e3bb949

SHA256
6de1f8c01f5373930f7d3398a748fbc64f295951bb4e2da046e16f9f46287f36

SHA512
e9775425c946c1f8e50ff0a784c2243c5e6f6a0e3a12e96541475abd90b8f9394f71b02df36ce6e5232a1d9a0471a2713cdbeedc73fb6e92a67b408f91e44452

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EADCA3A9-798D-4A70-97BD-B5B91777C393}

Filesize
128KB

MD5
c2387cb9a251371f007bc7b4a6b30d07

SHA1
6fc43e7adae00f2c7a143e1d935b9491fb0421e2

SHA256
fc29711c4f1536bde6016cbc4d807189a68458b5108dd2149034a7995cd08e99

SHA512
27b14742f3e35f9a47cec880c5dc1948d6d24ccf26509041ece38cbcd6575989064afa99ae28cd6a15603a22292b52f8a097384c3e6cdabb8beaff2adab92116

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
9485759b2716fbcb3d22bed775669ad6

SHA1
5bedfd95408e93ba89ad47ae8d6678c713184c20

SHA256
2ce72682274fa986c7a52d1755d69f317e035c98ed5d9e1baa817fa1355ff31a

SHA512
963cebf6b2e0e3620d51e082f66f71a6fe1b686fbc1ee30c3b96bb4bb683e062c1481265c1d6a4871b0489f72500631ccfd3d3617916cd5839ec3b98fc7086ae

Download Submit
memory/1512-54-0x000000002F170000-0x000000002F2CD000-memory.dmp

Filesize
1.4MB

Download
memory/1512-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1512-56-0x0000000070B8D000-0x0000000070B98000-memory.dmp

Filesize
44KB

Download
memory/1512-130-0x000000002F170000-0x000000002F2CD000-memory.dmp

Filesize
1.4MB

Download
memory/1512-131-0x0000000070B8D000-0x0000000070B98000-memory.dmp

Filesize
44KB

Download
memory/1512-172-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1512-177-0x0000000070B8D000-0x0000000070B98000-memory.dmp

Filesize
44KB

Download