41338484b40346fce109892bab06f90118fd592241950ff8481cc812c264afbc

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MT103.rtf
Size

2.7MB
MD5

0e94677f6640d3cda39138601e7dd82b
SHA1

ee39f7527ce696a2998b6312cf8807fc4a3f6ea3
SHA256

4fa32c417f3c773dac915a446b84d135130f548fd1c36626bea1d83dfa710523
SHA512

f6b2db33927975a7db3ef341b6abe7bd7053d1b950f0f3c3ab846bc40b39d26229d78503b7a6759511876ffc8753cb09b0b6e201e86eda7c70d88182878db85d
SSDEEP

24576:0csbD+4ybRtDAVrA5cYJKAK2hyin32lMO:S

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3232	1140	excelcnv.exe	81

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1088	3980	WerFault.exe	88
4516	3232	WerFault.exe	96

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{BD38CE1E-2381-4D72-951B-D63C6A91E3E2}\A.X:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1140	WINWORD.EXE
1140	WINWORD.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
400	EXCEL.EXE
400	EXCEL.EXE
400	EXCEL.EXE
400	EXCEL.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 3232	1140	WINWORD.EXE	96
PID 1140 wrote to memory of 3232	1140	WINWORD.EXE	96

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MT103.rtf" /o ""
1⤵
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
  "C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
  2⤵
  - Process spawned unexpected child process
  PID:3232
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3232 -s 424
    3⤵
    - Program crash
    PID:4516

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:400

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
PID:3980
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3980 -s 160
  2⤵
  - Program crash
  PID:1088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3980 -ip 3980
1⤵
PID:3876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 3232 -ip 3232
1⤵
PID:4260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
79439d4b719500100b4059b53838a0ec

SHA1
a8d2ca4e4c7462680dd358a6561322951c8cdc12

SHA256
8ce2fd851bc3def501ce0d19ada2ff68de20b860827214bffad3eea7192c2a1a

SHA512
0f87a45abb6ccccf827dbc6c59bca7d75efc57d9f4203415fc1612630041fc2b162712ea64eeba5eb82a6f3be46aa7d888f294f77ab6af777224285a3e5eeda2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
416B

MD5
4bf20d2231f2c560bc33cff77acba682

SHA1
fab7f909ffe24700cb3c9ae3c174a24eacb94721

SHA256
f0735a98e7e9c16b6490a3a628062f0913e9f7a6b45654db0a5a0c8b8844b5dd

SHA512
ac5096abf1099f1d2363e9f8cdd3015e865f52d1584433d50f26b594a2c5871acba722a4fde04c5fcda985e77d86a1212de55bb28f5b361aa1eae95c28686dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\47B4DE1B-2457-4A33-9C4C-D1E6A516D915

Filesize
156KB

MD5
9951f16d2550be2123930c0b32043dcd

SHA1
7dda0a8e64e78bd7d5774a32a78c2813d56121f3

SHA256
3ed336492eb442a9ab90a980870e6e9fb4dbcda4b01d2ad843464c91b4ad250d

SHA512
5dced896d394f9a60fe625d4823fad8784ad1dbb233788692c6110dd98c295e7dea96c366143a926657bce9a362132f99380e5f50dc4b998f4cb07595859f001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\70AD44F.emf

Filesize
25KB

MD5
e36b6261e06d7383b8e5599ef5173f34

SHA1
faae09ffc95a8276a09a16f1dcaaa4db9b4edd91

SHA256
08666166b6f367e2832fa367749c0ee722aca082166650814e93c07cd624c574

SHA512
24a77c12050af79026b2187c0ba7348ed927a437abfd72e7405051332491d72a992f7fce7de5990067f9bbb450392caf331e79889127584d1202fa315b947c12

Download Submit
memory/400-77-0x00007FFD1CCB0000-0x00007FFD1CCC0000-memory.dmp

Filesize
64KB

Download
memory/400-76-0x00007FFD1CCB0000-0x00007FFD1CCC0000-memory.dmp

Filesize
64KB

Download
memory/400-44-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-79-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-78-0x00007FFD1CCB0000-0x00007FFD1CCC0000-memory.dmp

Filesize
64KB

Download
memory/400-43-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-75-0x00007FFD1CCB0000-0x00007FFD1CCC0000-memory.dmp

Filesize
64KB

Download
memory/400-47-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-45-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-42-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-41-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-40-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-38-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-27-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-28-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-30-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-32-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-34-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-36-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/400-37-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-10-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-4-0x00007FFD1CCB0000-0x00007FFD1CCC0000-memory.dmp

Filesize
64KB

Download
memory/1140-14-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-13-0x00007FFD1AAA0000-0x00007FFD1AAB0000-memory.dmp

Filesize
64KB

Download
memory/1140-5-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-134-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-12-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-11-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-3-0x00007FFD1CCB0000-0x00007FFD1CCC0000-memory.dmp

Filesize
64KB

Download
memory/1140-133-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-0-0x00007FFD1CCB0000-0x00007FFD1CCC0000-memory.dmp

Filesize
64KB

Download
memory/1140-1-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-2-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-16-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-15-0x00007FFD1AAA0000-0x00007FFD1AAB0000-memory.dmp

Filesize
64KB

Download
memory/1140-67-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-7-0x00007FFD1CCB0000-0x00007FFD1CCC0000-memory.dmp

Filesize
64KB

Download
memory/1140-9-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-8-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/1140-6-0x00007FFD1CCB0000-0x00007FFD1CCC0000-memory.dmp

Filesize
64KB

Download
memory/3232-84-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/3232-85-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/3232-86-0x00007FFD5A350000-0x00007FFD5A619000-memory.dmp

Filesize
2.8MB

Download
memory/3232-87-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/3232-83-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/3980-71-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/3980-62-0x00007FFD1CCB0000-0x00007FFD1CCC0000-memory.dmp

Filesize
64KB

Download
memory/3980-61-0x00007FFD5A350000-0x00007FFD5A619000-memory.dmp

Filesize
2.8MB

Download
memory/3980-57-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download
memory/3980-56-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp

Filesize
2.0MB

Download