96ad693e5e306fafb821cf4a0af5cbe86712949bc209d9cf92a4b562271898d1

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
26/08/2023, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96ad693e5e306fafb821cf4a0af5cbe86712949bc209d9cf92a4b562271898d1_JC.rtf
Size

1.7MB
MD5

016d7a6e39baa14a8fa707b9b4b0825b
SHA1

0ec1830329c2e35995a5bbef5d2011ce75d376b8
SHA256

96ad693e5e306fafb821cf4a0af5cbe86712949bc209d9cf92a4b562271898d1
SHA512

acc84ef437df52b258d7057473253b00f98e93747b58b65526307c666cda85c4dc9d36551568e2b519c4434b32e9808b41d418415c8b8d1f426476bb62f9b558
SSDEEP

24576:tDOv3MAIU9xP5iozXd3bcRiBt9/PE0P1VT1k1fLGsjHd7N4CYZ7Qk/CUNDQbUPX6:B

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2200	EQNEDT32.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2200	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2164	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2164	WINWORD.EXE
2164	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2764	2164	WINWORD.EXE	34
PID 2164 wrote to memory of 2764	2164	WINWORD.EXE	34
PID 2164 wrote to memory of 2764	2164	WINWORD.EXE	34
PID 2164 wrote to memory of 2764	2164	WINWORD.EXE	34

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\96ad693e5e306fafb821cf4a0af5cbe86712949bc209d9cf92a4b562271898d1_JC.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2764

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
080c168647d46cd80f9835e27e870ba2

SHA1
9c9e53e1907132fc2a3078d421535f913185361f

SHA256
cf6ac38ac12574d3320c8f666900ee11e1674899d0ac4bb3a565daf647d7cec7

SHA512
96dd3df8b6236d40f632e8bea13bc9c3e8adb93cfe6bb8bcc950853a5a91d1f54a29a87d5aac64d9cba4266488f6ff9757b78b2d9638e50e281600d64356bd30

Download Submit
memory/2164-0-0x000000002F850000-0x000000002F9AD000-memory.dmp

Filesize
1.4MB

Download
memory/2164-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2164-2-0x0000000070E7D000-0x0000000070E88000-memory.dmp

Filesize
44KB

Download
memory/2164-6-0x000000002F850000-0x000000002F9AD000-memory.dmp

Filesize
1.4MB

Download
memory/2164-11-0x0000000070E7D000-0x0000000070E88000-memory.dmp

Filesize
44KB

Download
memory/2164-30-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2164-31-0x0000000070E7D000-0x0000000070E88000-memory.dmp

Filesize
44KB

Download