Overview
overview
10Static
static
10Challenge_...m.docx
windows7-x64
4Challenge_...m.docx
windows10-2004-x64
1Challenge_...1.docx
windows7-x64
4Challenge_...1.docx
windows10-2004-x64
1Challenge_...y.docx
windows7-x64
4Challenge_...y.docx
windows10-2004-x64
1Challenge_...1.docx
windows7-x64
4Challenge_...1.docx
windows10-2004-x64
1tools/numb...ing.py
ubuntu-18.04-amd64
1tools/numb...ing.py
debian-9-armhf
1tools/numb...ing.py
debian-9-mips
1tools/numb...ing.py
debian-9-mipsel
1decoder_add1.py
ubuntu-18.04-amd64
1decoder_add1.py
debian-9-armhf
1decoder_add1.py
debian-9-mips
1decoder_add1.py
debian-9-mipsel
1decoder_ah.py
ubuntu-18.04-amd64
1decoder_ah.py
debian-9-armhf
1decoder_ah.py
debian-9-mips
1decoder_ah.py
debian-9-mipsel
1decoder_chr.py
ubuntu-18.04-amd64
1decoder_chr.py
debian-9-armhf
1decoder_chr.py
debian-9-mips
1decoder_chr.py
debian-9-mipsel
1decoder_rol1.py
ubuntu-18.04-amd64
1decoder_rol1.py
debian-9-armhf
1decoder_rol1.py
debian-9-mips
1decoder_rol1.py
debian-9-mipsel
1decoder_xor1.py
ubuntu-18.04-amd64
1decoder_xor1.py
debian-9-armhf
1decoder_xor1.py
debian-9-mips
1decoder_xor1.py
debian-9-mipsel
1Analysis
-
max time kernel
130s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07-04-2024 18:11
Static task
static1
Behavioral task
behavioral1
Sample
Challenge_FIles/Employee_W2_Form.docx
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Challenge_FIles/Employee_W2_Form.docx
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Challenge_FIles/Work_From_Home_Survey.docx
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
Challenge_FIles/Work_From_Home_Survey.docx
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
Challenge_FIles/income_tax_and_benefit_return_2021.docx
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
Challenge_FIles/income_tax_and_benefit_return_2021.docx
Resource
win10v2004-20240319-en
Behavioral task
behavioral9
Sample
tools/numbers-to-string.py
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral10
Sample
tools/numbers-to-string.py
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral11
Sample
tools/numbers-to-string.py
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral12
Sample
tools/numbers-to-string.py
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral13
Sample
decoder_add1.py
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral14
Sample
decoder_add1.py
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral15
Sample
decoder_add1.py
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral16
Sample
decoder_add1.py
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral17
Sample
decoder_ah.py
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral18
Sample
decoder_ah.py
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral19
Sample
decoder_ah.py
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral20
Sample
decoder_ah.py
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral21
Sample
decoder_chr.py
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral22
Sample
decoder_chr.py
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral23
Sample
decoder_chr.py
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral24
Sample
decoder_chr.py
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral25
Sample
decoder_rol1.py
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral26
Sample
decoder_rol1.py
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral27
Sample
decoder_rol1.py
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral28
Sample
decoder_rol1.py
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral29
Sample
decoder_xor1.py
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral30
Sample
decoder_xor1.py
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral31
Sample
decoder_xor1.py
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral32
Sample
decoder_xor1.py
Resource
debian9-mipsel-20240226-en
General
-
Target
Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx
-
Size
12KB
-
MD5
d5742309ba8146be9eab4396fde77e4e
-
SHA1
8aaa79ee4a81d02e1023a03aee62a47162a9ff04
-
SHA256
ed2b9e22aef3e545814519151528b2d11a5e73d1b2119c067e672b653ab6855a
-
SHA512
37367ea06191c8a949f6c092bc4137736b344cc9892bf8a19e149557919d9276fb1301009a700cede0f2ca05d6827c827992817aee7b8968a5429e433fe0c8ba
-
SSDEEP
192:60L6GkWglL+bzW6mlHRrZu87Fym3tZknRIhRHNwC3Eo+ETdlexwDvx/jVm9CoDFn:603kpLTZJHm+Eo+ETd4weCoDFLFd
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\mhtml:http:\175.24.190.249\note.html!x-usc:http:\175.24.190.249\note.html WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2168 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeShutdownPrivilege 2168 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2168 WINWORD.EXE 2168 WINWORD.EXE
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\Employees_Contact_Audit_Oct_2021.docx"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9B0792E4-BAB2-4D92-89AC-7F641555DB6C}.FSDFilesize
128KB
MD560a041d7695cbcb31a5413291728221f
SHA1ffad3a3c8f5dcd630b6761491b2a5e5667af4e28
SHA256ee57e7db6eebcc106569efa533abc0631fe20b79bf4dc469454df1ac5c1e5f54
SHA512fb1381a1f5612901b32be654bd8b56496ce42beb4dc85fedd31f7863771ee8509717157b5622ffb29ed23e9d9c7ee9a6a5998fcd8175e0351fbd70aaa6e0fb4a
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD5d6e97c38fe1ab633913ed849a762610d
SHA126f3b8f4654f027c9b2366fc72960e3d1fce0381
SHA2567f0500ce7c1238414b845374746b8f6ac8be9c5d586a5b7bf0e135132fbe900e
SHA5123e219581ac1020e7811d2f3971aec953e82471786bd176b3f1fc9bf940c4d7f2c5f8937b7063ed2426c0a7946bcad4540fb8f92528ff6121370b57c5ff56aaa2
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{60E006C5-B7E0-4030-9B9A-B099AEBB5A72}.FSDFilesize
128KB
MD5f919cd6fe34f95a92849469c74da5fc8
SHA1a526fbeded36061cacabcc01bdff037dd7e478df
SHA2569007927dc468ea075d7dc84117851698fa6cbb1aaf12f1eac2e08123eaf21e6a
SHA5127d060e46f04839f4cb64aef6b984be8ebf18d5270ca0bb868c3cf92988e599e1c8166b7a6dab974590d403fef9e41052d0384e15760e678bcbda6ed7110a6a1b
-
C:\Users\Admin\AppData\Local\Temp\{7F594E78-64BC-4B32-BDC3-71E223BF3B92}Filesize
128KB
MD54a968315d74f71162bc8c89e9d1d6b57
SHA170ebbf6be0e1e48fe0beea1d55e2355b85ce5377
SHA256323ecdd894703e3426965ad18b1dd113d4d116b8528f604989f2da510db5f99d
SHA512dbe7e8dde9ab9ed5dc846e80d17c8c01a1011e67e6865e41f3b93803e7368a74e153aeaca82779b1dfcf43e341141367164d95c87d8b800b8e1f323a9b9d887b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD505a41f4ae0aaa49e32df57481df63bb1
SHA188672051528a129f171d5013bf4d1bb2eadf4102
SHA256bf8a63a40aa65b170203ae31bfa50930516d329ec53c5a69cc4f85385f126d58
SHA51296d2c9194e4e2ec1ff34ccc7bfe5246b36d982f9d6f3547e7fc9b9856519874e4b41902e538705230cd5d83ec7a4de6ff5704be230ff43cd1b0d4835be3342d8
-
memory/2168-0-0x000000002F051000-0x000000002F052000-memory.dmpFilesize
4KB
-
memory/2168-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2168-2-0x0000000070A9D000-0x0000000070AA8000-memory.dmpFilesize
44KB
-
memory/2168-10-0x0000000070A9D000-0x0000000070AA8000-memory.dmpFilesize
44KB
-
memory/2168-91-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2168-94-0x0000000070A9D000-0x0000000070AA8000-memory.dmpFilesize
44KB