8594206acf3c9774c30220d3d9c3bb9f2e2e26faab7b7e8faff25d2087bcfcb1

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19/07/2023, 06:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

scan-75748595.docx
Size

10KB
MD5

e539fd8fa4abe006c864acfb5018a463
SHA1

d3b2dbb022a2ae4ac1cf9dc9eeca770c180ae6e4
SHA256

8594206acf3c9774c30220d3d9c3bb9f2e2e26faab7b7e8faff25d2087bcfcb1
SHA512

5fb3cabf2e428445ca6191fcb6219b6f582f1825733dbfa34e98014cb9cc9b534aa8626d03d2568b2cf33263e6c8b503ce95bc4325b244d6d1b375a61cf68522
SSDEEP

192:yya0NqsreWwARgZVPCK44AG9xXSJ+Ej7uJYcKwRKmfSWYKcWemF9cY:yyXqsreWwANK4499xXSJf7uJYcjxYKdX

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	1772	EQNEDT32.EXE

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 1 IoCs

pid	Process
1000	obioelen587138.exe

Loads dropped DLL 6 IoCs

pid	Process
1772	EQNEDT32.EXE
2360	WerFault.exe
2360	WerFault.exe
2360	WerFault.exe
2360	WerFault.exe
2360	WerFault.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2360	1000	WerFault.exe	29

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1772	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2468	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2468	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2468	WINWORD.EXE
2468	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1000	1772	EQNEDT32.EXE	29
PID 1772 wrote to memory of 1000	1772	EQNEDT32.EXE	29
PID 1772 wrote to memory of 1000	1772	EQNEDT32.EXE	29
PID 1772 wrote to memory of 1000	1772	EQNEDT32.EXE	29
PID 2468 wrote to memory of 1768	2468	WINWORD.EXE	35
PID 2468 wrote to memory of 1768	2468	WINWORD.EXE	35
PID 2468 wrote to memory of 1768	2468	WINWORD.EXE	35
PID 2468 wrote to memory of 1768	2468	WINWORD.EXE	35
PID 1000 wrote to memory of 2360	1000	obioelen587138.exe	36
PID 1000 wrote to memory of 2360	1000	obioelen587138.exe	36
PID 1000 wrote to memory of 2360	1000	obioelen587138.exe	36
PID 1000 wrote to memory of 2360	1000	obioelen587138.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\scan-75748595.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1768

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Roaming\obioelen587138.exe
  "C:\Users\Admin\AppData\Roaming\obioelen587138.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 660
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
aa85bb692ad0a8882897ef9910fc75ee

SHA1
07f5f94a80396106046c97083cac68468e3386da

SHA256
9b26918db8e4e177ae1a84cf45157dc026069792323c3642c73b8d527ba8cc82

SHA512
fe66e617ecc30a34aea2a84f8bc218dac27cf2bd25c9c41934af15df0ed489e44eac1d678597c2622374595979d529997dd32686e8da5523fc3c59738c214b84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{EF7C8C54-B1B7-4082-BC56-7D83440BE442}.FSD

Filesize
128KB

MD5
c72f252c3f9f70b85a742d312737fc80

SHA1
7dc860cb05590262d8a1d69ca57e8c32d3ba003a

SHA256
4013793d065404202ac2440706b3fc2c11cf6e488d74a309a045b31b9617b5fe

SHA512
0fe4c4d7a47047690a63958c4fa8e13270f6b11daf18842cb89a3d2881ae5dd64c1b7269376748260c6eb5ab6ff143c55588efcce5575f95bed97f940a0c5e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
7bdc86120409e41f8893b38e5c8d894e

SHA1
0d8485aa2929a1904391885c9155db0a21d19885

SHA256
ab629fdb2c79946de21b1753828668dcd2d0ce6abcaaceac2405ead945b11a5f

SHA512
1b612799a17693ac6109d82a364d22a9afe3eb48ef8c5593dc4fe059a95226024431112ef7d612c139d90fb723f28d91a6368caab1144983ebae60913f35c65b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{191973F5-BDE2-4D04-AFF6-BC226F6AB56F}.FSD

Filesize
128KB

MD5
d9c34f513fc4808d77fabcd54a9f84dc

SHA1
9bac09a047995d3a4a35af5d00e00d7c106f1bfd

SHA256
6318e4905ea259fbc5dafe539e41f4c006f76d7b9968412a74e01a95b40b7d9f

SHA512
b5a5f2e3db5190f9ded67d431ad4fd49d083ec2cbff1be0d9c9ff957c9732a3d8e163750919dbbd94b43b7323273151ee051634363cf373e61077719c6a39d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64WRFCMO\obizx[1].doc

Filesize
36KB

MD5
eae3a2b886252835382260e8e59469cd

SHA1
e4367d7b2ab6c119674c785f2f447a38e463ce00

SHA256
592c5d47b909ad9ece554b27fdb17cea5530da799af2bfd84bb3004a5710ca71

SHA512
5e5da60946abe6363c12dbaf0afab099b7a979337477d5acb8e4debc6d346ab004544a7b34c76b1f6f039a5bd3e3b4fc09570f751cb88ecb0f1be4b90e34044b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{77399F6C-F077-4C85-9C22-EA1A2F32C8F4}

Filesize
128KB

MD5
6ec976a0b7055c7870ee5ec555f0008b

SHA1
c09ae9c234054688e50d8c9d71488717d1377c08

SHA256
566903ba632eb0049a56f0662739480c65fbe6520b35ec2000596d974c98d5e3

SHA512
6051d28aaea7de7112e287652fea9a8d0268463067a48fd381e3303a88e7d0a98d6683d39131c1a666523190094d3091cde0a08f2763865ef51aaecf79cf279c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
7736eac1958ac80c1bb6c67730678824

SHA1
f7ad0777ec760208f76e5fffb5b34898d948cc07

SHA256
79c90d0aca7840116debdd2075f0c73d05a85de5ee13b889d30ddc0bbbd38a81

SHA512
db85570d743dcb625e96678a630c0382132f4ac6f94801d46a0d100617549df247a2c025f1934ae32755db4498bb5861c0159d5ee86304e14847d71fafcc38c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\obioelen587138.exe

Filesize
620KB

MD5
a95f9a75b4460b7983279a879c9ec0f9

SHA1
b2d50a2baca82a5a900a0cdc83921ee33ec5f558

SHA256
f591f3b46cc1844550906abe587a1d82b96b37bac5621c1937ab8b0552258417

SHA512
6217a9a46537df1afb6f837818f4a5a49abaf08cd1310810e3683ef5bbe141b65ff83f82d2142f30f3fa95bce2dcd96e788dd82451f0d144090ed4cb7dee825f

Download Submit
C:\Users\Admin\AppData\Roaming\obioelen587138.exe

Filesize
620KB

MD5
a95f9a75b4460b7983279a879c9ec0f9

SHA1
b2d50a2baca82a5a900a0cdc83921ee33ec5f558

SHA256
f591f3b46cc1844550906abe587a1d82b96b37bac5621c1937ab8b0552258417

SHA512
6217a9a46537df1afb6f837818f4a5a49abaf08cd1310810e3683ef5bbe141b65ff83f82d2142f30f3fa95bce2dcd96e788dd82451f0d144090ed4cb7dee825f

Download Submit
C:\Users\Admin\AppData\Roaming\obioelen587138.exe

Filesize
620KB

MD5
a95f9a75b4460b7983279a879c9ec0f9

SHA1
b2d50a2baca82a5a900a0cdc83921ee33ec5f558

SHA256
f591f3b46cc1844550906abe587a1d82b96b37bac5621c1937ab8b0552258417

SHA512
6217a9a46537df1afb6f837818f4a5a49abaf08cd1310810e3683ef5bbe141b65ff83f82d2142f30f3fa95bce2dcd96e788dd82451f0d144090ed4cb7dee825f

Download Submit
\Users\Admin\AppData\Roaming\obioelen587138.exe

Filesize
620KB

MD5
a95f9a75b4460b7983279a879c9ec0f9

SHA1
b2d50a2baca82a5a900a0cdc83921ee33ec5f558

SHA256
f591f3b46cc1844550906abe587a1d82b96b37bac5621c1937ab8b0552258417

SHA512
6217a9a46537df1afb6f837818f4a5a49abaf08cd1310810e3683ef5bbe141b65ff83f82d2142f30f3fa95bce2dcd96e788dd82451f0d144090ed4cb7dee825f

Download Submit
\Users\Admin\AppData\Roaming\obioelen587138.exe

Filesize
620KB

MD5
a95f9a75b4460b7983279a879c9ec0f9

SHA1
b2d50a2baca82a5a900a0cdc83921ee33ec5f558

SHA256
f591f3b46cc1844550906abe587a1d82b96b37bac5621c1937ab8b0552258417

SHA512
6217a9a46537df1afb6f837818f4a5a49abaf08cd1310810e3683ef5bbe141b65ff83f82d2142f30f3fa95bce2dcd96e788dd82451f0d144090ed4cb7dee825f

Download Submit
\Users\Admin\AppData\Roaming\obioelen587138.exe

Filesize
620KB

MD5
a95f9a75b4460b7983279a879c9ec0f9

SHA1
b2d50a2baca82a5a900a0cdc83921ee33ec5f558

SHA256
f591f3b46cc1844550906abe587a1d82b96b37bac5621c1937ab8b0552258417

SHA512
6217a9a46537df1afb6f837818f4a5a49abaf08cd1310810e3683ef5bbe141b65ff83f82d2142f30f3fa95bce2dcd96e788dd82451f0d144090ed4cb7dee825f

Download Submit
\Users\Admin\AppData\Roaming\obioelen587138.exe

Filesize
620KB

MD5
a95f9a75b4460b7983279a879c9ec0f9

SHA1
b2d50a2baca82a5a900a0cdc83921ee33ec5f558

SHA256
f591f3b46cc1844550906abe587a1d82b96b37bac5621c1937ab8b0552258417

SHA512
6217a9a46537df1afb6f837818f4a5a49abaf08cd1310810e3683ef5bbe141b65ff83f82d2142f30f3fa95bce2dcd96e788dd82451f0d144090ed4cb7dee825f

Download Submit
\Users\Admin\AppData\Roaming\obioelen587138.exe

Filesize
620KB

MD5
a95f9a75b4460b7983279a879c9ec0f9

SHA1
b2d50a2baca82a5a900a0cdc83921ee33ec5f558

SHA256
f591f3b46cc1844550906abe587a1d82b96b37bac5621c1937ab8b0552258417

SHA512
6217a9a46537df1afb6f837818f4a5a49abaf08cd1310810e3683ef5bbe141b65ff83f82d2142f30f3fa95bce2dcd96e788dd82451f0d144090ed4cb7dee825f

Download Submit
\Users\Admin\AppData\Roaming\obioelen587138.exe

Filesize
620KB

MD5
a95f9a75b4460b7983279a879c9ec0f9

SHA1
b2d50a2baca82a5a900a0cdc83921ee33ec5f558

SHA256
f591f3b46cc1844550906abe587a1d82b96b37bac5621c1937ab8b0552258417

SHA512
6217a9a46537df1afb6f837818f4a5a49abaf08cd1310810e3683ef5bbe141b65ff83f82d2142f30f3fa95bce2dcd96e788dd82451f0d144090ed4cb7dee825f

Download Submit
memory/1000-151-0x000000006AD90000-0x000000006B47E000-memory.dmp

Filesize
6.9MB

Download
memory/1000-156-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1000-150-0x0000000000210000-0x00000000002B0000-memory.dmp

Filesize
640KB

Download
memory/1000-169-0x000000006AD90000-0x000000006B47E000-memory.dmp

Filesize
6.9MB

Download
memory/1000-170-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1000-172-0x0000000001E90000-0x0000000001E9A000-memory.dmp

Filesize
40KB

Download
memory/1000-166-0x0000000001DB0000-0x0000000001DBE000-memory.dmp

Filesize
56KB

Download
memory/2468-167-0x000000002FC30000-0x000000002FD8D000-memory.dmp

Filesize
1.4MB

Download
memory/2468-54-0x000000002FC30000-0x000000002FD8D000-memory.dmp

Filesize
1.4MB

Download
memory/2468-168-0x000000007156D000-0x0000000071578000-memory.dmp

Filesize
44KB

Download
memory/2468-56-0x000000007156D000-0x0000000071578000-memory.dmp

Filesize
44KB

Download
memory/2468-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2468-201-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2468-202-0x000000007156D000-0x0000000071578000-memory.dmp

Filesize
44KB

Download