07a74ba9028da2e0dff7ffb089b57d62443d7799e6d0cf8383e3e04959aad3b8

Analysis

max time kernel
101s
max time network
34s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 01:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07a74ba9028da2e0dff7ffb089b57d62443d7799e6d0cf8383e3e04959aad3b8.rtf
Size

183KB
MD5

cc0b1bf6acbc5bf74687b41539a2f5f2
SHA1

d00f6f1e88dbf44138b6567663e04fc1a891c897
SHA256

07a74ba9028da2e0dff7ffb089b57d62443d7799e6d0cf8383e3e04959aad3b8
SHA512

21b04aabdf131140d382f91877de1776d7dfc4216a2fb285bfcf5d04e434ef3660baa1c201cd7262a497335b93e71e5f100b658cc4c4e2a69eb1372a3113eff3
SSDEEP

3072:gA/ssVro41nt9Y4KELzWGFAACFEF1lyE8DXSuM3D1lADmRLYe7oX:gSsUMmXY66GAACFEF1lyIuGD1lHaecX

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	660	EQNEDT32.EXE
5	660	EQNEDT32.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
660	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2508	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2508	WINWORD.EXE
2508	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2748	2508	WINWORD.EXE	32
PID 2508 wrote to memory of 2748	2508	WINWORD.EXE	32
PID 2508 wrote to memory of 2748	2508	WINWORD.EXE	32
PID 2508 wrote to memory of 2748	2508	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\07a74ba9028da2e0dff7ffb089b57d62443d7799e6d0cf8383e3e04959aad3b8.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2748

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
e534f6a9209b1818774fd53ec9a66b99

SHA1
3cb6f142a88e18f3a6d40d53faf55d788d62817a

SHA256
36870fad8c86a7cf093b6ce9408d4fc4c43c35e5778eac7a62d4fc9829f8d69d

SHA512
09d8294fb4dab0a72a74599e14003bb6a97c6b1aff4ecaf39e7c7dcb227c039575540037c86fd76c0b1ed3efad7da20317aeadb45bab5d33755dd1902c9617a5

Download Submit
memory/2508-0-0x000000002F1C1000-0x000000002F1C2000-memory.dmp

Filesize
4KB

Download
memory/2508-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2508-2-0x000000007122D000-0x0000000071238000-memory.dmp

Filesize
44KB

Download
memory/2508-26-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2508-27-0x000000007122D000-0x0000000071238000-memory.dmp

Filesize
44KB

Download