31475717735f9aee20def2a4044b42a52cb92e8cf885b92a042099a273688135

Analysis

max time kernel
1750s
max time network
1562s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
12-12-2023 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Challenge_FIles/income_tax_and_benefit_return_2021.docx
Size

23KB
MD5

55998cb43459159a5ed4511f00ff3fc8
SHA1

9bec2182cc5b41fe8783bb7ab6e577bac5c19f04
SHA256

d0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745
SHA512

8f04951f9efb5acdad0a625d9f63154089d552fe4281ca53a759cc0a0468b8d9c76af863e34ed6e00802225a4408bcda1110a6efce30357e6173973ea5bf7838
SSDEEP

384:Q6UDg00MWEg9fPCPyH111/elBqhveoNHfn5yAehqbhtgyhdCxi556BjsbIwRq:QcMWE04uebyvNv5yHcttg6dwc5YQb5w

Score

1^/10

Malware Config

Signatures

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\mhtml:http:\hidusi.com\e8c76295a5f9acb7\side.html!x-usc:http:\hidusi.com\e8c76295a5f9acb7\side.html	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2440 WINWORD.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXE

pid process

2440 WINWORD.EXE
2440 WINWORD.EXE
2440 WINWORD.EXE

pid	process
2440	WINWORD.EXE

pid	process
2440	WINWORD.EXE
2440	WINWORD.EXE
2440	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\income_tax_and_benefit_return_2021.docx"
1⤵
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{6F818C24-4418-4A1F-A67F-E7069F4A0F7B}.FSD
Filesize
128KB

MD5
a3aa88027f4e6f97e932fc251622e7f0

SHA1
a2b7637889cc100cbd280561f51996caedd69b8c

SHA256
e8ad86025e6675685ef50dbe6467633e90925cb123d0be2d49ca8ba38305bba1

SHA512
19e618c68793e535adcd2caa8f9a6f56a983a3650948484386ab7a406a63421a9692f4ee7b978d465040746de269f5e8be47ed7b736e6cdfa6b1e7108042ba48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
a7a0c6b74da98cdd734c7538855d74fa

SHA1
fc9245434cc054d330c0543d4ca875ef627c6228

SHA256
08cee37b73bc518430c3a54faaefd4c23b908531b56d1cc6963693c95aa1b33e

SHA512
887e08bcf432b366bd77789053d23373e7c7ad6d23d57cb66d8ed5857bdbbe2c317652bba4390f7a27101877a63b24f581bbc41cb4a3f1783861d23ccbcb40c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{99EED0AD-6025-4E07-8B62-12539EC4AA82}.FSD
Filesize
128KB

MD5
6c182477ad907cf0fc6a6e87bf75dcba

SHA1
3333d341ffa22e661968bdc783c583efb91eeb75

SHA256
7cc3a6974b5aea9139268ee1807abefe93d956b6446013032d4db3716b73c327

SHA512
25c500750a0062e4f719d3a746e8604812a5a9d1efa824e97c798aae390ada7f6f08f0635ce4c0ed95395e3002133068625c75bd237b187a0c422c957c29599e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E5BD8A6E-B60D-494D-B96F-02ACABB5F7AB}
Filesize
128KB

MD5
7f30fc7af6b7264b5f09693007c80b4e

SHA1
01af0b264af37ab95546eabd4a92bd98d75ddcaa

SHA256
2c5aa475f5d813740ef2af5dfae427f93959a17b426f6d292f293b1372d54bce

SHA512
fef2fc3867fb97e7a4bd708220d5565fcec9b6434f0840e90dab53d630725d01bfeac3d646aef14cc8b52a482fc9bd1be714987098b97e9b5e1f1a28ad69b889

Download Submit
memory/2440-0-0x000000002F211000-0x000000002F212000-memory.dmp

Filesize
4KB

Download
memory/2440-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2440-2-0x0000000070C3D000-0x0000000070C48000-memory.dmp

Filesize
44KB

Download
memory/2440-69-0x0000000070C3D000-0x0000000070C48000-memory.dmp

Filesize
44KB

Download