055ee838ea3fb020ccfed29bd52104950e986bd785919ea2ef619eb0aab27849

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/07/2023, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

055EE838EA3FB020CCFED29BD52104950E986BD785919EA2EF619EB0AAB27849.docx
Size

18KB
MD5

14affa7030150460edee724a09eda1e1
SHA1

1ac4b00e69ebd4df5406cd1554f25886289ff66c
SHA256

055ee838ea3fb020ccfed29bd52104950e986bd785919ea2ef619eb0aab27849
SHA512

65b0af5d4f066fe88d677883f7223e23f60dbed75fe0416ec0881ee195f745f13c54f54b3ccd41208182b3666dfdf83b0b5683f37dbc12ca604d7c723f8607a6
SSDEEP

384:sObz5d0CNBCixqxYx67b0tBCD/368Qk50av+1Qn9JPRSRV0yWIB:9YixqxYxCb7368R0G8mvPRSUG

Score

7^/10

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2604	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2604	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2604	WINWORD.EXE
2604	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 748	2604	WINWORD.EXE	29
PID 2604 wrote to memory of 748	2604	WINWORD.EXE	29
PID 2604 wrote to memory of 748	2604	WINWORD.EXE	29
PID 2604 wrote to memory of 748	2604	WINWORD.EXE	29

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\055EE838EA3FB020CCFED29BD52104950E986BD785919EA2EF619EB0AAB27849.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52ef157f0f83f129f4c5be03d2beeb1f

SHA1
9e29a89b02094fa197ac33a9008d4337502ef008

SHA256
861f8b47d3fde2751690b4ac8345114920313c760ce85355315a0555cc0fae3a

SHA512
c41e2b6a0ca6fd0d73e895870ebf51d24ee6d000f04dc0b0c83100e294d6f0067efbde4fe98196a4da6a299136de51324443900b8a73011c5440c01afad98e30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{EFF54981-9294-4D72-85A4-7028810B33C7}.FSD

Filesize
128KB

MD5
8308c83fac8555750a60bd3a02553826

SHA1
27102c588e73cc3b000d702d6ed19b030b946e40

SHA256
068d977e5d706be8a95b1be06cd4b72a6864a5e6e881b6a67ede18fbb0c2eca9

SHA512
da1bb887edeff07b26e9ade1146ae1ac88b377c36b79018c31cfd89a37feae1642973bd7403419ca5cdf3adc7d58a2a3514e41b54aa1877063bfdfbdf5f0845e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
c813d3cf2ea1b6c2225023d1f5fb7cf6

SHA1
0ffc19de93d698301b0391516e33c35e24cdb835

SHA256
36b92c70b2e37e8719597e5e449d46b316148daacf10749d0c74c043f05b5343

SHA512
2c3a7c5440493972d0020c86dd61395cdd20a703d5ab0c75b5e4966b4e835cd21daab7770b687192a730328cba8dbddffe2075f06d4a5ecffaa4092c6e5b8faa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E2180A1E-52C3-4A95-BBB0-04BFB47684DB}.FSD

Filesize
128KB

MD5
592d7a0d00b90054b50a56cf746f24fa

SHA1
454f6f37260764202887ae0faa702d20155aad8e

SHA256
6849bb246f9bca685beb7a79aec84f336f8cff1ce72d76bfaa97c3a78974bba9

SHA512
be67742017cf5970df45e283fd4d016b00383a8b02f5456090cdcdcf3868b059e187690b879990eaa1ff997bbeb5e1b1e58ce7954b7d638f887e7c062e402b13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64WRFCMO\SHkgF[1].htm

Filesize
6KB

MD5
9602719b9beba586b4abfbdf301b2abc

SHA1
0237116695f008badd5c4aebf15245ddb9085032

SHA256
08ec41521c38bad04e560c919d0d07177ac664829797a7a256eff0e3dfe7b055

SHA512
aaa5ab168a5071af94f1cb02aa298e3df02009e9956aaceacb4a6ef3ff18e7ce41b48356816e7dcb920b3370af5c9be9fa50daa3443e3f8b2a180cc56972bd12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6E50CA0A.svg

Filesize
30KB

MD5
fa3a7a17da17e2630d4bdea832ec63c4

SHA1
e3635adf96a8cc2537afd0c1d9388aa122b9e82e

SHA256
4668402b8facb1f9cbcb3e450f35aab7c30dc98d3b87fd6bfd9403c1066addc8

SHA512
76237f129a7b646147e92dd0d91038da46ba4f0d5abc3749d5aeee04a7641ca2225e7f5b706f2b1b43c01a15806b5e075d4a22d58c4ce668cb59207e9f67fac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8E00.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8F2B.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8061667E-346B-4C87-B1FD-09B504243AF6}

Filesize
128KB

MD5
eea2453f691bf9ebc4d1b9e37f60eb45

SHA1
bfd889aa31dd4e25d0ec5c6766c8a13cc9860c08

SHA256
44a19ab8ef151222c7b2a05f6bca5dbf42a14cfd00fef5be645b20f26e58717e

SHA512
b0f5ee677dafa1a407acfe377501ea0ba7bb2111172450f00314355e4c2f18647215cac2db9f5482972ba3187eda48d888af770e828359e02cb75a866ebebc4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
f213473b7194cd2d80550d190efed09c

SHA1
8ed1a12ab5be7924385e60585cbee096e187e191

SHA256
fb43c205d6b0e95e1e8417e5a5bad0dd4140d267b24e11146b18190523316771

SHA512
9ca5fd3fc541a7f00ab996d1c7a3d901ff7ee635f648919587fafd37923c03d9dab14798b190f4f9f224407cb2e225ecc56af124dff83a8bc080a8798ade71f4

Download Submit
memory/2604-56-0x000000007188D000-0x0000000071898000-memory.dmp

Filesize
44KB

Download
memory/2604-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2604-249-0x000000002FF90000-0x00000000300ED000-memory.dmp

Filesize
1.4MB

Download
memory/2604-54-0x000000002FF90000-0x00000000300ED000-memory.dmp

Filesize
1.4MB

Download
memory/2604-273-0x000000007188D000-0x0000000071898000-memory.dmp

Filesize
44KB

Download
memory/2604-300-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2604-301-0x000000007188D000-0x0000000071898000-memory.dmp

Filesize
44KB

Download