Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/04/2024, 10:22

General

  • Target

    388f212dfca2bfb5db0a8b9958a43da6860298cdd4fcd53ed2c75e3b059ee622.docm

  • Size

    257KB

  • MD5

    c34bb2fdbce2524c8aa74fe8149952a9

  • SHA1

    159345bbeabf12c423f418f7788e525c5f377b2a

  • SHA256

    388f212dfca2bfb5db0a8b9958a43da6860298cdd4fcd53ed2c75e3b059ee622

  • SHA512

    c1d8798ea907cf4386da9b73b9c85a75af49def54e921d3f76463c3d23bd8c257bef33e0920e64f712ae29a9616f1eb8d9cb7879045b3a52441229371f1f06a0

  • SSDEEP

    6144:k3dDZWGnv6NPtk+q1w4znZSXrQxTQNv8D6ktI9GqXFG:k3dDZWGy4Dw4zZSXrgTQNv8DtWn1G

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\388f212dfca2bfb5db0a8b9958a43da6860298cdd4fcd53ed2c75e3b059ee622.docm"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\ProgramData\W0il\Earthquake.exe
      C:\ProgramData\W0il\Earthquake.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2748
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2680
      (splwow64.exe is the Windows print-driver host that 32-bit Office processes launch on 64-bit Windows; it fires no signatures here and is expected in this tree rather than an indicator on its own.)

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PROGRA~3\W0il\EARTHQ~1.ZIP
    Filesize: 23KB
    MD5: 61e3c6f922174246f3f3640dd48202b8
    SHA1: 4e993a5fa4379ebad13cd0bb49d7d7c130f06889
    SHA256: 5a60bfb4fcfaf9e42f00fe20c47a4bed3b1ea9d7e00965324e1d89b8c964c981
    SHA512: 1f4602071e2023289131712fc74ec6fd158c38fc06912d570b29c2ae693d1b89bb96f662fc8ccbcd649ee4d3b60e70a19cf1c46b80f1918adccfbfd6f8ae3e04
    (Recorded in 8.3 short-name form. On a 64-bit install PROGRA~3 is typically C:\ProgramData, the same directory as Earthquake.exe below; EARTHQ~1.ZIP is a .zip whose long name begins with "Earthq". The long name is not recorded in the report.)

  • C:\ProgramData\W0il\Earthquake.exe
    Filesize: 47KB
    MD5: 6719878be963ffde6226ee9c8613695e
    SHA1: 9cb1bcf30b978862ae09f4fd486b666bf12cc8ce
    SHA256: e2cf71c78d198fdc0017b7bfd6ce8115301174302b3eaaf50cfc384db96bc573
    SHA512: 6eab4b02db726fae59d7153a758c8382f642e5c60613041eea788f51e016e514626a893f1735d5ec17e8b2a930e240ed4e7554e6d0be5f13d04f49c6649a2257

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: 5d941b794cbf4b1b7151bd47dbfc7fce
    SHA1: 8dcf87f5a803655867189ccf2a5d24f00ffb0c8b
    SHA256: 57c444f065aa02879f34a6c5c61e3f97c0176f9fbfe425cec9a45ae813c1010f
    SHA512: cedfd10d30eeb5f1e982522766555a2067e3597c5274b7caf9e71f39829752a0ba4c33943762cf553f7c7985a7fa925fd892ed44057e592b1465fd19d29b599d
    (Word's global template, rewritten by Word itself when it saves changes to it. A routine Word artifact, listed because the sandbox records every file written, not a dropped payload.)

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
    Filesize: 2B
    MD5: f3b25701fe362ec84616a93a45ce9998
    SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
    (Word's spell-checker exclusion dictionary for en-US; the 2-byte file is the empty dictionary Word creates on first use. Also a routine Word artifact.)

  • memory/2748-83-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp (Filesize: 9.6MB)
  • memory/2748-82-0x0000000000410000-0x0000000000490000-memory.dmp (Filesize: 512KB)
  • memory/2748-81-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp (Filesize: 9.6MB)
  • memory/2748-55-0x0000000000410000-0x0000000000490000-memory.dmp (Filesize: 512KB)
  • memory/2748-54-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp (Filesize: 9.6MB)
  • memory/2748-53-0x0000000000410000-0x0000000000490000-memory.dmp (Filesize: 512KB)
  • memory/2748-52-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp (Filesize: 9.6MB)
  • memory/2908-21-0x0000000004F30000-0x0000000005030000-memory.dmp (Filesize: 1024KB)
  • memory/2908-8-0x0000000006760000-0x0000000006860000-memory.dmp (Filesize: 1024KB)
  • memory/2908-25-0x0000000004F30000-0x0000000005030000-memory.dmp (Filesize: 1024KB)
  • memory/2908-22-0x0000000004F30000-0x0000000005030000-memory.dmp (Filesize: 1024KB)
  • memory/2908-0-0x000000002FB11000-0x000000002FB12000-memory.dmp (Filesize: 4KB)
  • memory/2908-9-0x00000000007C0000-0x00000000008C0000-memory.dmp (Filesize: 1024KB)
  • memory/2908-15-0x0000000004F30000-0x0000000005030000-memory.dmp (Filesize: 1024KB)
  • memory/2908-56-0x0000000070ADD000-0x0000000070AE8000-memory.dmp (Filesize: 44KB)
  • memory/2908-57-0x0000000004F30000-0x0000000005030000-memory.dmp (Filesize: 1024KB)
  • memory/2908-59-0x00000000007C0000-0x00000000008C0000-memory.dmp (Filesize: 1024KB)
  • memory/2908-62-0x0000000004F30000-0x0000000005030000-memory.dmp (Filesize: 1024KB)
  • memory/2908-35-0x0000000002400000-0x0000000002401000-memory.dmp (Filesize: 4KB)
  • memory/2908-78-0x0000000004F30000-0x0000000005030000-memory.dmp (Filesize: 1024KB)
  • memory/2908-79-0x0000000004F30000-0x0000000005030000-memory.dmp (Filesize: 1024KB)
  • memory/2908-80-0x0000000002400000-0x0000000002401000-memory.dmp (Filesize: 4KB)
  • memory/2908-7-0x00000000007C0000-0x00000000008C0000-memory.dmp (Filesize: 1024KB)
  • memory/2908-6-0x00000000007C0000-0x00000000008C0000-memory.dmp (Filesize: 1024KB)
  • memory/2908-2-0x0000000070ADD000-0x0000000070AE8000-memory.dmp (Filesize: 44KB)
  • memory/2908-84-0x0000000004F30000-0x0000000005030000-memory.dmp (Filesize: 1024KB)
  • memory/2908-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/2908-103-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/2908-104-0x0000000070ADD000-0x0000000070AE8000-memory.dmp (Filesize: 44KB)
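The dump identifiers above all follow one pattern, memory/<pid>-<snapshot>-<start>-<end>-memory.dmp, and most of them are repeated snapshots of the same few address ranges: PID 2748 is only two regions sampled four and three times, and the 512KB region at 0x410000 is an order of magnitude larger than the 47KB Earthquake.exe on disk, which is where a practitioner would start when comparing the in-memory image with the file. The script below is an added example, not part of the report: it parses that naming scheme (the field layout is inferred from the names themselves), checks each stated Filesize against the address range it encodes, and collapses the list to the distinct regions per process. The identifiers are transcribed from the page (all of the PID 2748 dumps and the first occurrence of each PID 2908 region).

```python
"""Parse sandbox memory-dump identifiers and sanity-check them.
Added example; identifier layout is inferred, entries are transcribed from the report."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Assumed layout: memory/<pid>-<snapshot index>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
STATED_RE = re.compile(r"^(\d+(?:\.\d+)?)(KB|MB)$")
UNIT = {"KB": 1024, "MB": 1024 ** 2}


def parse_dump_name(name: str) -> Tuple[int, int, int, int]:
    """Return (pid, snapshot, start, end); reject names that do not fit the scheme."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump identifier: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return pid, seq, start, end


def region_size(name: str) -> int:
    """Bytes covered by the address range encoded in the identifier."""
    _, _, start, end = parse_dump_name(name)
    return end - start


def stated_to_bytes(stated: str) -> Tuple[float, float]:
    """Turn a rounded label such as '9.6MB' or '512KB' into the byte interval it can denote."""
    m = STATED_RE.match(stated)
    if not m:
        raise ValueError(f"unrecognised size label: {stated}")
    value, unit = float(m[1]), UNIT[m[2]]
    decimals = len(m[1].split(".")[1]) if "." in m[1] else 0
    half_ulp = 0.5 * 10 ** (-decimals) * unit   # rounding slack of the printed figure
    return value * unit - half_ulp, value * unit + half_ulp


def size_mismatches(entries: Iterable[Tuple[str, str]]) -> List[str]:
    """Identifiers whose address range disagrees with the Filesize printed beside them."""
    bad = []
    for name, stated in entries:
        low, high = stated_to_bytes(stated)
        if not low <= region_size(name) <= high:
            bad.append(name)
    return bad


def distinct_regions(names: Iterable[str]) -> Dict[int, Set[Tuple[int, int]]]:
    """Collapse repeated snapshots of the same range into one (start, end) per PID."""
    out: Dict[int, Set[Tuple[int, int]]] = defaultdict(set)
    for name in names:
        pid, _, start, end = parse_dump_name(name)
        out[pid].add((start, end))
    return dict(out)


# Transcribed from the report: every PID 2748 dump, first occurrence of each PID 2908 region.
REPORTED = [
    ("memory/2748-83-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp", "9.6MB"),
    ("memory/2748-82-0x0000000000410000-0x0000000000490000-memory.dmp", "512KB"),
    ("memory/2748-81-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp", "9.6MB"),
    ("memory/2748-55-0x0000000000410000-0x0000000000490000-memory.dmp", "512KB"),
    ("memory/2748-54-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp", "9.6MB"),
    ("memory/2748-53-0x0000000000410000-0x0000000000490000-memory.dmp", "512KB"),
    ("memory/2748-52-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp", "9.6MB"),
    ("memory/2908-21-0x0000000004F30000-0x0000000005030000-memory.dmp", "1024KB"),
    ("memory/2908-8-0x0000000006760000-0x0000000006860000-memory.dmp", "1024KB"),
    ("memory/2908-0-0x000000002FB11000-0x000000002FB12000-memory.dmp", "4KB"),
    ("memory/2908-9-0x00000000007C0000-0x00000000008C0000-memory.dmp", "1024KB"),
    ("memory/2908-56-0x0000000070ADD000-0x0000000070AE8000-memory.dmp", "44KB"),
    ("memory/2908-35-0x0000000002400000-0x0000000002401000-memory.dmp", "4KB"),
    ("memory/2908-1-0x000000005FFF0000-0x0000000060000000-memory.dmp", "64KB"),
]

if __name__ == "__main__":
    print("size mismatches:", size_mismatches(REPORTED) or "none")
    for pid, regions in sorted(distinct_regions(n for n, _ in REPORTED).items()):
        for start, end in sorted(regions):
            print(f"pid {pid}: 0x{start:016X}-0x{end:016X} ({end - start} bytes)")
```

On the transcribed entries every stated Filesize agrees with its address range, and the two PID 2748 regions are 0x80000 (512KB) and 0x99D000 (9.6MB) bytes. The 9.6MB range at 0x000007FEF5110000 lies where Windows 7 x64 maps system DLLs, so it is more likely a shared library than the executable's own image; the report does not identify it.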