Overview
Overview (overview): 10
Static (static): 10
Challenge_...m.docx (windows7-x64): 4
Challenge_...m.docx (windows10-2004-x64): 1
Challenge_...1.docx (windows7-x64): 4
Challenge_...1.docx (windows10-2004-x64): 1
Challenge_...y.docx (windows7-x64): 4
Challenge_...y.docx (windows10-2004-x64): 1
Challenge_...1.docx (windows7-x64): 4
Challenge_...1.docx (windows10-2004-x64): 1
tools/numb...ing.py (ubuntu-18.04-amd64): 1
tools/numb...ing.py (debian-9-armhf): 1
tools/numb...ing.py (debian-9-mips): 1
tools/numb...ing.py (debian-9-mipsel): 1
decoder_add1.py (ubuntu-18.04-amd64): 1
decoder_add1.py (debian-9-armhf): 1
decoder_add1.py (debian-9-mips): 1
decoder_add1.py (debian-9-mipsel): 1
decoder_ah.py (ubuntu-18.04-amd64): 1
decoder_ah.py (debian-9-armhf): 1
decoder_ah.py (debian-9-mips): 1
decoder_ah.py (debian-9-mipsel): 1
decoder_chr.py (ubuntu-18.04-amd64): 1
decoder_chr.py (debian-9-armhf): 1
decoder_chr.py (debian-9-mips): 1
decoder_chr.py (debian-9-mipsel): 1
decoder_rol1.py (ubuntu-18.04-amd64): 1
decoder_rol1.py (debian-9-armhf): 1
decoder_rol1.py (debian-9-mips): 1
decoder_rol1.py (debian-9-mipsel): 1
decoder_xor1.py (ubuntu-18.04-amd64): 1
decoder_xor1.py (debian-9-armhf): 1
decoder_xor1.py (debian-9-mips): 1
decoder_xor1.py (debian-9-mipsel): 1
Analysis
- max time kernel: 130s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08-04-2024 01:13
Static task: static1
Behavioral task: behavioral1; Sample: Challenge_FIles/Employee_W2_Form.docx; Resource: win7-20240221-en
Behavioral task: behavioral2; Sample: Challenge_FIles/Employee_W2_Form.docx; Resource: win10v2004-20240319-en
Behavioral task: behavioral3; Sample: Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx; Resource: win7-20240221-en
Behavioral task: behavioral4; Sample: Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx; Resource: win10v2004-20240226-en
Behavioral task: behavioral5; Sample: Challenge_FIles/Work_From_Home_Survey.docx; Resource: win7-20240221-en
Behavioral task: behavioral6; Sample: Challenge_FIles/Work_From_Home_Survey.docx; Resource: win10v2004-20240226-en
Behavioral task: behavioral7; Sample: Challenge_FIles/income_tax_and_benefit_return_2021.docx; Resource: win7-20240220-en
Behavioral task: behavioral8; Sample: Challenge_FIles/income_tax_and_benefit_return_2021.docx; Resource: win10v2004-20231215-en
Behavioral task: behavioral9; Sample: tools/numbers-to-string.py; Resource: ubuntu1804-amd64-20240226-en
Behavioral task: behavioral10; Sample: tools/numbers-to-string.py; Resource: debian9-armhf-20240226-en
Behavioral task: behavioral11; Sample: tools/numbers-to-string.py; Resource: debian9-mipsbe-20240226-en
Behavioral task: behavioral12; Sample: tools/numbers-to-string.py; Resource: debian9-mipsel-20240226-en
Behavioral task: behavioral13; Sample: decoder_add1.py; Resource: ubuntu1804-amd64-20240226-en
Behavioral task: behavioral14; Sample: decoder_add1.py; Resource: debian9-armhf-20240226-en
Behavioral task: behavioral15; Sample: decoder_add1.py; Resource: debian9-mipsbe-20240226-en
Behavioral task: behavioral16; Sample: decoder_add1.py; Resource: debian9-mipsel-20240226-en
Behavioral task: behavioral17; Sample: decoder_ah.py; Resource: ubuntu1804-amd64-20240226-en
Behavioral task: behavioral18; Sample: decoder_ah.py; Resource: debian9-armhf-20240226-en
Behavioral task: behavioral19; Sample: decoder_ah.py; Resource: debian9-mipsbe-20240226-en
Behavioral task: behavioral20; Sample: decoder_ah.py; Resource: debian9-mipsel-20240226-en
Behavioral task: behavioral21; Sample: decoder_chr.py; Resource: ubuntu1804-amd64-20240226-en
Behavioral task: behavioral22; Sample: decoder_chr.py; Resource: debian9-armhf-20240226-en
Behavioral task: behavioral23; Sample: decoder_chr.py; Resource: debian9-mipsbe-20240226-en
Behavioral task: behavioral24; Sample: decoder_chr.py; Resource: debian9-mipsel-20240226-en
Behavioral task: behavioral25; Sample: decoder_rol1.py; Resource: ubuntu1804-amd64-20240226-en
Behavioral task: behavioral26; Sample: decoder_rol1.py; Resource: debian9-armhf-20240226-en
Behavioral task: behavioral27; Sample: decoder_rol1.py; Resource: debian9-mipsbe-20240226-en
Behavioral task: behavioral28; Sample: decoder_rol1.py; Resource: debian9-mipsel-20240226-en
Behavioral task: behavioral29; Sample: decoder_xor1.py; Resource: ubuntu1804-amd64-20240226-en
Behavioral task: behavioral30; Sample: decoder_xor1.py; Resource: debian9-armhf-20240226-en
Behavioral task: behavioral31; Sample: decoder_xor1.py; Resource: debian9-mipsbe-20240226-en
Behavioral task: behavioral32; Sample: decoder_xor1.py; Resource: debian9-mipsel-20240226-en
General
- Target: Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx
- Size: 12KB
- MD5: d5742309ba8146be9eab4396fde77e4e
- SHA1: 8aaa79ee4a81d02e1023a03aee62a47162a9ff04
- SHA256: ed2b9e22aef3e545814519151528b2d11a5e73d1b2119c067e672b653ab6855a
- SHA512: 37367ea06191c8a949f6c092bc4137736b344cc9892bf8a19e149557919d9276fb1301009a700cede0f2ca05d6827c827992817aee7b8968a5429e433fe0c8ba
- SSDEEP: 192:60L6GkWglL+bzW6mlHRrZu87Fym3tZknRIhRHNwC3Eo+ETdlexwDvx/jVm9CoDFn:603kpLTZJHm+Eo+ETd4weCoDFLFd
Malware Config
Signatures
- Drops file in Windows directory (1 IoCs)
  Process: WINWORD.EXE
  description: File opened for modification; ioc: C:\Windows\Debug\WIA\wiatrace.log; process: WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Modifies Internet Explorer settings
  Process: WINWORD.EXE
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"; process: WINWORD.EXE
  description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"; process: WINWORD.EXE
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"; process: WINWORD.EXE
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote; process: WINWORD.EXE
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel; process: WINWORD.EXE
  description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"; process: WINWORD.EXE
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar; process: WINWORD.EXE
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt; process: WINWORD.EXE
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"; process: WINWORD.EXE
- NTFS ADS (1 IoCs)
  Process: WINWORD.EXE
  description: File opened for modification; ioc: C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\mhtml:http:\175.24.190.249\note.html!x-usc:http:\175.24.190.249\note.html; process: WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Process: WINWORD.EXE
  pid: 3008; process: WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Process: WINWORD.EXE
  description: Token: SeShutdownPrivilege; pid: 3008; process: WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: WINWORD.EXE
  pid: 3008; process: WINWORD.EXE
  pid: 3008; process: WINWORD.EXE
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\Employees_Contact_Audit_Oct_2021.docx"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E3F04C8D-A647-4D76-87D6-34633079AF93}.FSD
  Filesize: 128KB
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
- C:\Users\Admin\AppData\Local\Temp\{EB52117F-2B9B-4C26-B95C-651F17CA9DC0}
  Filesize: 128KB
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 20KB