Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2023 22:32
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: Challenge_FIles/Employee_W2_Form.docx, win7-20230712-en
- behavioral2: Challenge_FIles/Employee_W2_Form.docx, win10v2004-20230703-en
- behavioral3: Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx, win7-20230712-en
- behavioral4: Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx, win10v2004-20230703-en
- behavioral5: Challenge_FIles/Work_From_Home_Survey.docx, win7-20230712-en
- behavioral6: Challenge_FIles/Work_From_Home_Survey.docx, win10v2004-20230703-en
- behavioral7: Challenge_FIles/income_tax_and_benefit_return_2021.docx, win7-20230712-en
- behavioral8: Challenge_FIles/income_tax_and_benefit_return_2021.docx, win10v2004-20230703-en
- behavioral9: tools/numbers-to-string.py, ubuntu1804-amd64-20230621-en
- behavioral10: tools/numbers-to-string.py, debian9-armhf-20221111-en
- behavioral11: tools/numbers-to-string.py, debian9-mipsbe-en-20211208
- behavioral12: tools/numbers-to-string.py, debian9-mipsel-20221125-en
- behavioral13: decoder_add1.py, ubuntu1804-amd64-20230621-en
- behavioral14: decoder_add1.py, debian9-armhf-en-20211208
- behavioral15: decoder_add1.py, debian9-mipsbe-20221111-en
- behavioral16: decoder_add1.py, debian9-mipsel-20221125-en
- behavioral17: decoder_ah.py, ubuntu1804-amd64-20230712-en
- behavioral18: decoder_ah.py, debian9-armhf-20221111-en
- behavioral19: decoder_ah.py, debian9-mipsbe-20221125-en
- behavioral20: decoder_ah.py, debian9-mipsel-en-20211208
- behavioral21: decoder_chr.py, ubuntu1804-amd64-20230621-en
- behavioral22: decoder_chr.py, debian9-armhf-20221125-en
- behavioral23: decoder_chr.py, debian9-mipsbe-en-20211208
- behavioral24: decoder_chr.py, debian9-mipsel-20221111-en
- behavioral25: decoder_rol1.py, ubuntu1804-amd64-20230621-en
- behavioral26: decoder_rol1.py, debian9-armhf-en-20211208
- behavioral27: decoder_rol1.py, debian9-mipsbe-20221111-en
- behavioral28: decoder_rol1.py, debian9-mipsel-20221125-en
- behavioral29: decoder_xor1.py, ubuntu1804-amd64-20230712-en
- behavioral30: decoder_xor1.py, debian9-armhf-en-20211208
- behavioral31: decoder_xor1.py, debian9-mipsbe-20221125-en
- behavioral32: decoder_xor1.py, debian9-mipsel-20221111-en
General
- Target: Challenge_FIles/Work_From_Home_Survey.docx
- Size: 26KB
- MD5: 41dacae2a33ee717abcc8011b705f2cb
- SHA1: 4b35d14a2eab2b3a7e0b40b71955cdd36e06b4b9
- SHA256: 84674acffba5101c8ac518019a9afe2a78a675ef3525a44dceddeed8a0092c69
- SHA512: 11f7177dc3c8a804ff6450477e15aadd20fddac98205008db25a4f6ef69a54b7cb7c9dd0d7bdf1b1d317f306482d86ad5ef150530194de7d8dbe344203962648
- SSDEEP: 768:8HVoVneOa0HD/vb9EVoiJWq8UCei96T8vuX3m86RAFvg5e:8QVvbvb9wnIq8OitP88eY5e
Malware Config

Signatures
- Drops file in Windows directory (1 IoC): WINWORD.EXE opened C:\Windows\Debug\WIA\wiatrace.log for modification
- Office loads VBA resources, possible macro or embedded object present
- NTFS ADS (1 IoC): WINWORD.EXE opened for modification C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\mhtml:http:\trendparlye.com\wiki0509.html!x-usc:http:\trendparlye.com\wiki0509.html
- Suspicious behavior: AddClipboardFormatListener (1 IoC): PID 2180 WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC): PID 2180 WINWORD.EXE, Token: SeShutdownPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs): PID 2180 WINWORD.EXE (2 entries)
- Suspicious use of WriteProcessMemory (4 IoCs): PID 2180 WINWORD.EXE wrote to memory of PID 2128 splwow64.exe (4 entries)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\Work_From_Home_Survey.docx"
  Signatures: Drops file in Windows directory; NTFS ADS; Suspicious behavior: AddClipboardFormatListener; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (child process)
    Command line: C:\Windows\splwow64.exe 12288
Downloads