31475717735f9aee20def2a4044b42a52cb92e8cf885b92a042099a273688135

Analysis

max time kernel
130s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-04-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx
Size

12KB
MD5

d5742309ba8146be9eab4396fde77e4e
SHA1

8aaa79ee4a81d02e1023a03aee62a47162a9ff04
SHA256

ed2b9e22aef3e545814519151528b2d11a5e73d1b2119c067e672b653ab6855a
SHA512

37367ea06191c8a949f6c092bc4137736b344cc9892bf8a19e149557919d9276fb1301009a700cede0f2ca05d6827c827992817aee7b8968a5429e433fe0c8ba
SSDEEP

192:60L6GkWglL+bzW6mlHRrZu87Fym3tZknRIhRHNwC3Eo+ETdlexwDvx/jVm9CoDFn:603kpLTZJHm+Eo+ETd4weCoDFLFd

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\mhtml:http:\175.24.190.249\note.html!x-usc:http:\175.24.190.249\note.html	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2168 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeShutdownPrivilege 2168 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2168 WINWORD.EXE
2168 WINWORD.EXE

pid	process
2168	WINWORD.EXE

description	pid	process
Token: SeShutdownPrivilege	2168	WINWORD.EXE

pid	process
2168	WINWORD.EXE
2168	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\Employees_Contact_Audit_Oct_2021.docx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9B0792E4-BAB2-4D92-89AC-7F641555DB6C}.FSD
Filesize
128KB

MD5
60a041d7695cbcb31a5413291728221f

SHA1
ffad3a3c8f5dcd630b6761491b2a5e5667af4e28

SHA256
ee57e7db6eebcc106569efa533abc0631fe20b79bf4dc469454df1ac5c1e5f54

SHA512
fb1381a1f5612901b32be654bd8b56496ce42beb4dc85fedd31f7863771ee8509717157b5622ffb29ed23e9d9c7ee9a6a5998fcd8175e0351fbd70aaa6e0fb4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
d6e97c38fe1ab633913ed849a762610d

SHA1
26f3b8f4654f027c9b2366fc72960e3d1fce0381

SHA256
7f0500ce7c1238414b845374746b8f6ac8be9c5d586a5b7bf0e135132fbe900e

SHA512
3e219581ac1020e7811d2f3971aec953e82471786bd176b3f1fc9bf940c4d7f2c5f8937b7063ed2426c0a7946bcad4540fb8f92528ff6121370b57c5ff56aaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{60E006C5-B7E0-4030-9B9A-B099AEBB5A72}.FSD
Filesize
128KB

MD5
f919cd6fe34f95a92849469c74da5fc8

SHA1
a526fbeded36061cacabcc01bdff037dd7e478df

SHA256
9007927dc468ea075d7dc84117851698fa6cbb1aaf12f1eac2e08123eaf21e6a

SHA512
7d060e46f04839f4cb64aef6b984be8ebf18d5270ca0bb868c3cf92988e599e1c8166b7a6dab974590d403fef9e41052d0384e15760e678bcbda6ed7110a6a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7F594E78-64BC-4B32-BDC3-71E223BF3B92}
Filesize
128KB

MD5
4a968315d74f71162bc8c89e9d1d6b57

SHA1
70ebbf6be0e1e48fe0beea1d55e2355b85ce5377

SHA256
323ecdd894703e3426965ad18b1dd113d4d116b8528f604989f2da510db5f99d

SHA512
dbe7e8dde9ab9ed5dc846e80d17c8c01a1011e67e6865e41f3b93803e7368a74e153aeaca82779b1dfcf43e341141367164d95c87d8b800b8e1f323a9b9d887b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
05a41f4ae0aaa49e32df57481df63bb1

SHA1
88672051528a129f171d5013bf4d1bb2eadf4102

SHA256
bf8a63a40aa65b170203ae31bfa50930516d329ec53c5a69cc4f85385f126d58

SHA512
96d2c9194e4e2ec1ff34ccc7bfe5246b36d982f9d6f3547e7fc9b9856519874e4b41902e538705230cd5d83ec7a4de6ff5704be230ff43cd1b0d4835be3342d8

Download Submit
memory/2168-0-0x000000002F051000-0x000000002F052000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2168-2-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

Filesize
44KB

Download
memory/2168-10-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

Filesize
44KB

Download
memory/2168-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2168-94-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

Filesize
44KB

Download