31475717735f9aee20def2a4044b42a52cb92e8cf885b92a042099a273688135

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-07-2023 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx
Size

12KB
MD5

d5742309ba8146be9eab4396fde77e4e
SHA1

8aaa79ee4a81d02e1023a03aee62a47162a9ff04
SHA256

ed2b9e22aef3e545814519151528b2d11a5e73d1b2119c067e672b653ab6855a
SHA512

37367ea06191c8a949f6c092bc4137736b344cc9892bf8a19e149557919d9276fb1301009a700cede0f2ca05d6827c827992817aee7b8968a5429e433fe0c8ba
SSDEEP

192:60L6GkWglL+bzW6mlHRrZu87Fym3tZknRIhRHNwC3Eo+ETdlexwDvx/jVm9CoDFn:603kpLTZJHm+Eo+ETd4weCoDFLFd

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\mhtml:http:\175.24.190.249\note.html!x-usc:http:\175.24.190.249\note.html	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2056 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2056 WINWORD.EXE
2056 WINWORD.EXE

pid	process
2056	WINWORD.EXE

pid	process
2056	WINWORD.EXE
2056	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2056 wrote to memory of 3052	2056	WINWORD.EXE	splwow64.exe
PID 2056 wrote to memory of 3052	2056	WINWORD.EXE	splwow64.exe
PID 2056 wrote to memory of 3052	2056	WINWORD.EXE	splwow64.exe
PID 2056 wrote to memory of 3052	2056	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\Employees_Contact_Audit_Oct_2021.docx"
1⤵
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{888D8792-DBE2-42D1-BD7B-BB1D4CD1EC4D}.FSD
Filesize
128KB

MD5
1b8c6e0a74c0ce01e578f4eba09fbbfb

SHA1
8bc89d0ca85e1706c42d62936c90af5165e4afe2

SHA256
cbd346a6e05408c9e7bd7053fd5d4e260bcfcdc498d586af191cbaffa85b9f7c

SHA512
20961342798d97073167ff14d95cc068e02d36e18a24a117fdec74c5b30b9b34353044886f0c255b7b9a20183e5e292aaf1e87b9b6783f82f29bc60913cd7176

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
db231adb77de5b6344e1cea895b77e4e

SHA1
17bc3eb35566be3f45e04cd82d630d5674bf7fdc

SHA256
952e59977bfa169d07e9c74554c9def86ab27e75f4aebc60493aaa3f964b72e1

SHA512
4f8739758986475e34f127d044811963d553671592f2bc69473c3b6158b49831183911906bae3d1d9d52543d1c25044393a8fea53fada1e09c6b772087eb1932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{38590B37-1664-457C-BF2C-EB41582774DA}.FSD
Filesize
128KB

MD5
78327e9667fdd8033b0dac33ac79f39b

SHA1
e00c6181f70eeb22e121dfbab02d6a283f8d875f

SHA256
b034f2a98b7941faff292080171f115708f51edcc4728133e0df4c51d113d51d

SHA512
f77814bd00ba808bb4fc630a935d52618ef4858a013d689b9c2bf6369ad6f180d2561b6b70bbdb178340c41cec9cd519e6e135dc6126d141b2595d83f42c1523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3VKWFGCX\note[1].htm
Filesize
8KB

MD5
064c4d10430072833b6b65b2cce02cf3

SHA1
45c600e484875f7d8b5b8692f250975d6652e331

SHA256
5fc8fe9f3743c5f36080525dd12c62f7da4d6ce590772e2aa41be879f67cd575

SHA512
e59c82c735d7448a92e066db38b951bcbcafa637396fb9327ca186cde9cb87400a2b0a56f741d706c2567061583a137da171537a27207db217b7f8788b7b9531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5F2DF7B7.dat
Filesize
52B

MD5
07ffeff17a8a1a1209ab3c2690d569d4

SHA1
37cb513fabddcdbbaa2e7296b31a4bc9832e1b01

SHA256
57cfa30bb860b95b7012ed62427025959b671d270aaf67fc406fbc3c4f3c48d4

SHA512
743591e7bfe9936eee057c9d1769595d48c90ba28057d8ebd0f7299b8fcacd7b8fa50af30bd0b8b6e09f77ade16b47d6f0abb079d60e975443a57c514099ad86

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EE420B42-FEC5-428C-9853-DC42AFDDF1DA}
Filesize
128KB

MD5
4fa649dce6a316a2e39dbe42e73cb33b

SHA1
8738b8fb75ccac0f503a2711ffb34bc61930c2e2

SHA256
12ee105b746aa4324ceb203cecfa14b221eb8e6192468c917d1d86828a7821bb

SHA512
09ce0a4cadf1f54c6b4c111529e9db54d55f7353d6ad90af96a1b91f1a862c60836dcf13dec9dd19ac51503b82faf07cba1752d57074dae0d57e0fac68e81f10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2056-54-0x000000002F4F0000-0x000000002F64D000-memory.dmp

Filesize
1.4MB

Download
memory/2056-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2056-56-0x000000007178D000-0x0000000071798000-memory.dmp

Filesize
44KB

Download
memory/2056-160-0x000000002F4F0000-0x000000002F64D000-memory.dmp

Filesize
1.4MB

Download
memory/2056-161-0x000000007178D000-0x0000000071798000-memory.dmp

Filesize
44KB

Download