b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25/08/2023, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2.exe
Size

437KB
MD5

859773f013b331c33b9912518f177881
SHA1

ae6a2f08b46095a9425c0bce997938d2c6a1f6b8
SHA256

b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2
SHA512

955b49828419ec5e3e3520c18ec4d73bc720728aeea358bf591cdb1a0d2cf0a57332aa7e43b75a3a8d85cbd9b17e9e66cf46123971b61e039ed359c56d8a83f7
SSDEEP

3072:7GOX9U0i7k1KdDnPQ5CXjDCofsmos5QvYx4Ove9wm+JuoY46js09/JCly6FfEVpE:iGXiQ0dDnI5CXHCofR536DXohM6lyIo

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2824	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2824	WINWORD.EXE
2824	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2824	1456	b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2.exe	29
PID 1456 wrote to memory of 2824	1456	b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2.exe	29
PID 1456 wrote to memory of 2824	1456	b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2.exe	29
PID 1456 wrote to memory of 2824	1456	b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2.exe	29
PID 2824 wrote to memory of 1096	2824	WINWORD.EXE	34
PID 2824 wrote to memory of 1096	2824	WINWORD.EXE	34
PID 2824 wrote to memory of 1096	2824	WINWORD.EXE	34
PID 2824 wrote to memory of 1096	2824	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2.exe
"C:\Users\Admin\AppData\Local\Temp\b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\JobDetail.docx"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
d93823c2130bbd991477e66dc622639d

SHA1
c1291dbcf1755f44b26caadb92742dba5587bb4b

SHA256
040aac259a837d7240ebf11c01da33ff771115444db2ef6640ff058043c407de

SHA512
b6350254b6a1d85253d3d1c40d3602c8d2a7fb0371252eac0d000c36d55d83dcc77f5d9fa730fa387efe954c374fcbb7e15152b10a23cb22e2a6ba6ec5c0817b

Download Submit
memory/2824-0-0x000000002FDE0000-0x000000002FF3D000-memory.dmp

Filesize
1.4MB

Download
memory/2824-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2824-2-0x00000000712AD000-0x00000000712B8000-memory.dmp

Filesize
44KB

Download
memory/2824-15-0x000000002FDE0000-0x000000002FF3D000-memory.dmp

Filesize
1.4MB

Download
memory/2824-16-0x00000000712AD000-0x00000000712B8000-memory.dmp

Filesize
44KB

Download
memory/2824-38-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2824-39-0x00000000712AD000-0x00000000712B8000-memory.dmp

Filesize
44KB

Download