31475717735f9aee20def2a4044b42a52cb92e8cf885b92a042099a273688135

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-07-2023 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Challenge_FIles/Work_From_Home_Survey.docx
Size

26KB
MD5

41dacae2a33ee717abcc8011b705f2cb
SHA1

4b35d14a2eab2b3a7e0b40b71955cdd36e06b4b9
SHA256

84674acffba5101c8ac518019a9afe2a78a675ef3525a44dceddeed8a0092c69
SHA512

11f7177dc3c8a804ff6450477e15aadd20fddac98205008db25a4f6ef69a54b7cb7c9dd0d7bdf1b1d317f306482d86ad5ef150530194de7d8dbe344203962648
SSDEEP

768:8HVoVneOa0HD/vb9EVoiJWq8UCei96T8vuX3m86RAFvg5e:8QVvbvb9wnIq8OitP88eY5e

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\mhtml:http:\trendparlye.com\wiki0509.html!x-usc:http:\trendparlye.com\wiki0509.html	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2180 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeShutdownPrivilege 2180 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2180 WINWORD.EXE
2180 WINWORD.EXE

pid	process
2180	WINWORD.EXE

description	pid	process
Token: SeShutdownPrivilege	2180	WINWORD.EXE

pid	process
2180	WINWORD.EXE
2180	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2180 wrote to memory of 2128	2180	WINWORD.EXE	splwow64.exe
PID 2180 wrote to memory of 2128	2180	WINWORD.EXE	splwow64.exe
PID 2180 wrote to memory of 2128	2180	WINWORD.EXE	splwow64.exe
PID 2180 wrote to memory of 2128	2180	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\Work_From_Home_Survey.docx"
1⤵
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0F38D64A-85BF-4C4B-8E3B-6D7456F4A203}.FSD
Filesize
128KB

MD5
d9f798fb5eccb2e3ab99d9bf0db88ce4

SHA1
1aeb12fd76afb8ee6dac8692863edccdabb43072

SHA256
b53af3945e022d24fa1577aedb242856b0d6f4ddbf2ff034059a6568466443d1

SHA512
b16cb686849862173db67692ca26d3c2931969e585475e439d14dfa784046329ba02d08965f4292a4ba7959e94f97101f425d3ce43d355653259ab793fd8cac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
50eda8cc4545af6fa01ecbc1894cb2b9

SHA1
c21d4e84681270a6205d5c3a9743b853166279a0

SHA256
7df6bf10381d3af300fa34481831a916160374a42e40888ac73ca2a706bc52a7

SHA512
d4c5d885ff121216aa82a1b7ed0e65f0c4e5953e47fddb1c3f5c9078b1d5e3e4e9eaa252d8034a16ce358d1d97b5acba4bbb999f3aedd63fa052e46a87da8720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A49DF8DE-338A-41F8-BF4F-58411C7F69ED}.FSD
Filesize
128KB

MD5
4de892fb6dd5f57279d33417a334c9fb

SHA1
08bb5335f15028824be7ee4f96240a2669ba502a

SHA256
d3cc2f5553aed546b51897868be1da370eeaec0d9a76a56bf54dc112f6ec40ea

SHA512
e7891b9d99983deaee3a145282ade3d3c029ce8a85ec573274ff4b568cc5359ba3fe1294c5ca4250ce7561d8011d4ef010114b125515e85f148301e1e796af9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C273A219-C534-4BB1-AD8A-099B11D5392E}
Filesize
128KB

MD5
1f02650acc7b59872ae7ab59cf96d5d0

SHA1
fee408cb29caee630a0bb555bdff7d36749e3815

SHA256
27dacc0112c2cc7e6a63b50318624b90ebb2e787f695134313c7cc8dc699c22b

SHA512
15d56a93375bae9c187b4858a2a78e807ef3a2e98a3131ab34cf9a87bc8f4aadcbd4f02e8b26a2f529c173ded60995c764f58c7a01af8669562c816753058a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
ddc3b0bbb2b08d7677c64c0ab3c7c7f0

SHA1
48bacd8341d30ae858367e1248294b37a4398652

SHA256
a0779be6d7085d978a9ff90ac0fb28bd9b122ad3a0a84e93bf38cff174691d3a

SHA512
d8c274a47305e80a088113f90bcc6ae808ad9fe6485fea2f76b139cd22ea994db0f9575d61cac23dc6a03c33305f87db15d09163522fbf8eb9329781e94fd857

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2180-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2180-56-0x00000000713CD000-0x00000000713D8000-memory.dmp

Filesize
44KB

Download
memory/2180-54-0x000000002F980000-0x000000002FADD000-memory.dmp

Filesize
1.4MB

Download
memory/2180-118-0x000000002F980000-0x000000002FADD000-memory.dmp

Filesize
1.4MB

Download
memory/2180-123-0x00000000713CD000-0x00000000713D8000-memory.dmp

Filesize
44KB

Download
memory/2180-156-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2180-157-0x00000000713CD000-0x00000000713D8000-memory.dmp

Filesize
44KB

Download