Overview

overview

7

Static

static

1

41c221c4f1...5c.rtf

windows7-x64

7

41c221c4f1...5c.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    10/04/2024, 10:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41c221c4f14a5f93039de577d0a76e918c915862986a8b9870df1c679469895c.rtf

  • Size

    207KB

  • MD5

    18af861c7923df5245f462d37830b486

  • SHA1

    d81b63f942b2a8d37671fada1b869024f1e17811

  • SHA256

    41c221c4f14a5f93039de577d0a76e918c915862986a8b9870df1c679469895c

  • SHA512

    7044af247bf599a7eab7ef75b6a0fdea8a2b680f2889c07e7c89f3f5dc12684c558db3d4e653efd6ca98a9c7e5ddaf5c93f151e3bbb24a392e41ea34a92dc070

  • SSDEEP

    768:MgnpnhOjj8MxfX3EqBjLW5qoX7LICSDmjl2/cqXz3HGSSmLdMjmxPcGecWAS+DUI:MM/hwRXymLdMjiMcWpK++JsLO/mOYPvM

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\41c221c4f14a5f93039de577d0a76e918c915862986a8b9870df1c679469895c.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2520

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F56FF736-CCDB-4E09-9C90-3B024B12E553}.FSD
      Filesize

      128KB

      MD5

      903ddd3835b8fe57cbfd4bf27646a8ef

      SHA1

      f9bbf5868dc0423832d2c13e47482c09ef7aae8f

      SHA256

      08111d36ce5f2749ab2b24c7c2848519b8f6f7198e9d3a19821efa2c01b3180d

      SHA512

      6a3a0b0b1650a448168baddc1439bfe3d8e665b18d7664e1dfdc20f0504310fd1746bbd6aff3547af54e82edf38c938cd48e9e835b66bcf5bc670a7515d739b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      8554901e7e882f6ae3f25c466e372056

      SHA1

      e613d4d0f8b144f532892cc8aa800f7a9d3f125e

      SHA256

      e39358c207c14ed5027a3387b289433708c5c49acfcad66b3145d18e7b925e37

      SHA512

      dc7a17e83ea7755acb11399929b17f7abffe1dd55d98c8e8d5c8e24341bf53a04a5d978c1f91363a79aabda4b4858887abae434349945e77066ce4e41cc9fa2e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8FD26B3E-5E7D-45AE-9947-1BFEAD7829B7}.FSD
      Filesize

      128KB

      MD5

      387f695480517d6fc44c82a8607f88a9

      SHA1

      27811505fc0754b1ffa94ec7d3f5bc0f3b15554e

      SHA256

      ad0f56cb0dabf954031b44e8bfcb0f17d733d68e2e7caddfcaaa02b33f8b677e

      SHA512

      768349289e02f2d320e6028472484ebf212cd3d1d5816745c94a7bee1725180efa1579f7cf04ef71ee50c901b7f49449e33070df1e59507dfa0116e9c6af03e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{86F924E6-02F8-4EBE-BEC4-D7CD2C9A1ED2}
      Filesize

      128KB

      MD5

      40ef4df454ad1b89cf8abd0324cf4e60

      SHA1

      a7f4623d621de0706ff758a437fbbc179762c2c7

      SHA256

      ed6b0b219bf0e25b9a9b87ef2715bac98d2a47bff89206be21a9799cc59c9a77

      SHA512

      844f9c36961d36f39090b5a5e0b4cbc9c08580ea06e9e33e89d2bfc8b3c446d8eb9f5f78e73f7b16de4c9f24e4b27602d356e19c954f695e1ffe00ef5c7c66c5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      c83746d2f36c14df914a97872a17eb09

      SHA1

      31f072eba332f077212c7222795d689c6e41ab37

      SHA256

      88ebb45411e5cf4a26716826c3a0a8885cb8b965138631afcd09e07ee84ff68d

      SHA512

      d08b30b8226f1c9ee379f0aad29d2425e048cd757d963a7ac32af34c007ae752793e3c685fa68c404b5c6d3a1bcd1541d3d413ce8f6f7cfd946158a8db106708

      Download Submit

    • memory/2220-0-0x000000002F731000-0x000000002F732000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2220-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-2-0x000000007153D000-0x0000000071548000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2220-68-0x000000007153D000-0x0000000071548000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2220-88-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-89-0x000000007153D000-0x0000000071548000-memory.dmp

      Filesize

      44KB

      Download