db2859dafd4930e568a0fc88b5a182f77dfc2a02918d394b825bf39509528b42

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yahoo awsrds.docx
Size

471KB
MD5

b0a679367266f43df1ca8c0797b77e50
SHA1

c61f76abb66c32043e42a9ac35d511882cbf98d4
SHA256

db2859dafd4930e568a0fc88b5a182f77dfc2a02918d394b825bf39509528b42
SHA512

d01a37729f23cfcb4f1170c9696f75e7390624a3b196867c392433a3517798822616eb8ba9a4b70868f54b0a966aa311ae990d8f40a0dbf124b4880c642b7e93
SSDEEP

12288:c/yi+vG3xppENx2VHYABxJY5q47g5RNAENx4EuIkbMr+:c/yG/pENx21YABPA3gtAENxy1wr+

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2912	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2912	WINWORD.EXE
2912	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 1228	2912	WINWORD.EXE	31
PID 2912 wrote to memory of 1228	2912	WINWORD.EXE	31
PID 2912 wrote to memory of 1228	2912	WINWORD.EXE	31
PID 2912 wrote to memory of 1228	2912	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\yahoo awsrds.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\668F727E.png

Filesize
37KB

MD5
a18eb7312e0bed39747f7624ee7d1f86

SHA1
07852385df6b0e8d6e112fc030e563ccf2f824fd

SHA256
109a7c0eb0464ac503a76fb2a4e2e95875747a02892228cbb51166bfa8c0462a

SHA512
4cea9a459ed225a48f882d0ac4a2feaf0458b1ff44d097f1a135ceb6409c9b3ddb6fd421de114054580a7e94a12e5ac817901769ea26498e30336ba69e8cb4db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7617D5EB.png

Filesize
2KB

MD5
7e3edd39067da181284e7f5bee02f8b4

SHA1
81633aa80bdf1d6b7e8835704905510a97e071f2

SHA256
8a442f31d6a9c65b686927a0d3db84aa92492e2089900dc85e9fe978fd121db8

SHA512
b4751eb8fcebb7a2126a8a03889b3f45dd001e3bde0ffa228f2dfae34e4723c5f38eb37a2ffac84554cef031b676c1ef105cc6d02f292d326c7528dc924d574e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
d28eed35abf82425f2d9b2f429bbae7b

SHA1
cc51fc622f6b3f4bf566f79d892d09e049c13514

SHA256
6a9fa3efcb92f963c2e064d882fe0f9ee1adbf90d3ca51fc685654fefb87388b

SHA512
816c6b966e6949b0a62290bf8e161aa3517b71cca6977968df389e81218c0aa86d8eac813c79ee03b19ae74816dea6d99a110970c971f332a9b555fba26655aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2912-0-0x000000002FCC1000-0x000000002FCC2000-memory.dmp

Filesize
4KB

Download
memory/2912-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2912-2-0x00000000709CD000-0x00000000709D8000-memory.dmp

Filesize
44KB

Download
memory/2912-56-0x00000000709CD000-0x00000000709D8000-memory.dmp

Filesize
44KB

Download
memory/2912-77-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2912-78-0x00000000709CD000-0x00000000709D8000-memory.dmp

Filesize
44KB

Download