cbd47a384b39f793539e45c67dccebd52da0a0db7463ac6280d30889f1c1a823

Resubmissions

02/08/2023, 20:07

230802-yv9gwaah9s 8

02/08/2023, 20:04

230802-ytgepsah8v 8

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
02/08/2023, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

idbk6758400000000000#########534400000000000#59t00000.rtf
Size

32KB
MD5

7eb05bcc9d2d6f3edaa773d3d602b1a1
SHA1

7a18c0ae8230636baa80cf57a142c15268cd60bf
SHA256

cbd47a384b39f793539e45c67dccebd52da0a0db7463ac6280d30889f1c1a823
SHA512

00f1c76d5c33f5423a83494cb13bc67c91f408711a7d0a30710d576e2f2429943682de198f720b8da3d54d1a5407ed270f12f79893da36e985d79edc49c0c038
SSDEEP

768:MriCXz3A4/j6USc2ci0qSZ2UdbRBZjgVnLQfjVNGxo42vY6:M7jlbwcBjPdVjgBx9il

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2816	EQNEDT32.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2816	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2372	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2372	WINWORD.EXE
2372	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2388	2372	WINWORD.EXE	33
PID 2372 wrote to memory of 2388	2372	WINWORD.EXE	33
PID 2372 wrote to memory of 2388	2372	WINWORD.EXE	33
PID 2372 wrote to memory of 2388	2372	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\idbk6758400000000000#########534400000000000#59t00000.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2388

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
f754153cc9e0c6a6302333643e55c41d

SHA1
423956913e1143deafc86c55d26f3a9ba6eabc55

SHA256
f9a009f01ab16691242bc56bbf46b24e096fde0601ab6f7d849ddc38352e3ec5

SHA512
ec68b26991a8914ad6f2bd03a57e6dde76bc5501b578228f5540571b17c9ae1aa1955a5381142aa7c6ac775058aeea9b5f8b4298a8f49609fab73ea06c8aa3c3

Download Submit
memory/2372-54-0x000000002F4A0000-0x000000002F5FD000-memory.dmp

Filesize
1.4MB

Download
memory/2372-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2372-56-0x000000007165D000-0x0000000071668000-memory.dmp

Filesize
44KB

Download
memory/2372-64-0x000000002F4A0000-0x000000002F5FD000-memory.dmp

Filesize
1.4MB

Download
memory/2372-65-0x000000007165D000-0x0000000071668000-memory.dmp

Filesize
44KB

Download
memory/2372-84-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2372-85-0x000000007165D000-0x0000000071668000-memory.dmp

Filesize
44KB

Download