Overview

overview

7

Static

static

3

images/新...��.url

windows7-x64

1

images/新...��.url

windows10-2004-x64

1

setup.exe

windows7-x64

7

setup.exe

windows10-2004-x64

7

安装与�...��.htm

windows7-x64

1

安装与�...��.htm

windows10-2004-x64

1

软件最�...��.rtf

windows7-x64

4

软件最�...��.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    101s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    15/07/2024, 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    软件最终用户许可协议.rtf

  • Size

    45KB

  • MD5

    512e9294770aa35fe9521002cb806d66

  • SHA1

    43b83c1746deed8f66a3eb1e8f5c816031a63440

  • SHA256

    422017b74b784353f40d4058ef38eea605abd1f7e409fe8b652c57360071d1e9

  • SHA512

    480ca110415c22bf037363b9c4117855915a3f8e91ffdff13192fbe38171c21caf85fcee33c96490702d4bb5b24056edec4766b4e7c2d2f28c740a248ee68c4b

  • SSDEEP

    192:cONPQflhdIe3rLt0N0yPfyXb57/evDvtdsts5bJ64UMwrzl7nxtIrgH070wNJEyQ:c6QhjLmLjrdxjVDZxG56oOGxGoxLB

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\软件最终用户许可协议.rtf"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2228

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      011a071444dd467fd7101d47676947bc

      SHA1

      fed570b2b7d722ed49a8052dca10c8ab5d8ff6b9

      SHA256

      c00e79f90e7832eb0f7ef7e9c323cd7bfb0c134109b5cbdb7c2efa2622c6574b

      SHA512

      e5f0311e8080d808586d819aa4629700f338f3c68534f8f20c3799430a9a199c6229138a85d2286f686bfa74912deba78c37827abbd434ba17f63f9117f37118

      Download Submit

    • memory/2780-0-0x000000002F781000-0x000000002F782000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2780-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2780-2-0x00000000718ED000-0x00000000718F8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2780-5-0x00000000718ED000-0x00000000718F8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2780-23-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download