576a6dbf6587252004da5e3d04f425486ae7aa91fa0ffeab1982d7d899482572

Analysis

max time kernel
128s
max time network
138s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 04:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d040e890b58aad20ff1c101a2b4ff4e90b1d18f835cb223a4a8ce4ee13a1f99e.docx
Size

13KB
MD5

e9fb71dd600d96ec09b6aa7143b43a67
SHA1

aa37c5659c8edde33a52a74e91b461e27295c6ff
SHA256

d040e890b58aad20ff1c101a2b4ff4e90b1d18f835cb223a4a8ce4ee13a1f99e
SHA512

9f3e20d1bea9e18cb48bded4a6be00da870781aa73a5c6058f791f2966816b22b7974278b9bd3c362e2a774a17417ea40f646ea52d0b4fd213a305f17537d6ca
SSDEEP

192:Rg3VYycpU9JNf9WV8JYQnPZXutEzSPBkiOS0XZE4M//FYywPJA//YT:Rg3V1cpUTWSJYAx+Q45gpLEYyd/AT

Score

7^/10

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2064	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2064	WINWORD.EXE
2064	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1920	2064	WINWORD.EXE	33
PID 2064 wrote to memory of 1920	2064	WINWORD.EXE	33
PID 2064 wrote to memory of 1920	2064	WINWORD.EXE	33
PID 2064 wrote to memory of 1920	2064	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d040e890b58aad20ff1c101a2b4ff4e90b1d18f835cb223a4a8ce4ee13a1f99e.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
33b5a9f7bad9e4b574d7dbfe56bc2b15

SHA1
a356b67401a59123edce6bc2715c287403e98a86

SHA256
4573781fa6414cb5ed66e9d6dbd43ae6f1f546e3ef6e8683585f6dcb4f9abcb1

SHA512
f557707df95631581dff032c54c6c7ffde1d136aa4a00cc8be07bedf7efe82e01f4684843fa7206398c40e23f852fb225314e5cb5467017901b95c765753efb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D08278A2-BDB3-4DFE-B439-31794AB5B956}.FSD

Filesize
128KB

MD5
4a29485dc91e9aae06bb46fcfc053c8f

SHA1
9e5d389806f876ab87e8bcd7442979519397fe32

SHA256
2a18caeb2b41607a44b2211b8db7528b15b62b350e906b7b8300e9c29dccc12a

SHA512
853fc24726b2aa541a4cae26b6533235c691e767efd18b8736d7f0d495271df5f9efdad4808f18c3d4606c9fa552b26f77fb1271e77013dc93fe8c75e4aadc80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
11c3bf9aab2dedaf7dfc48aea0259487

SHA1
64395b0d4002276d5ae055a17485f49619c6fba0

SHA256
af68a7d4d6616ceaf1dafa3fc166d76fd255e17bf4d7f16fa8670b926a1e2a23

SHA512
b0c1c5c20677584bf0f78f9f47d71ebebf41c6d7cbe0d5cf7e5084f0516fa5d5cb32bf55b89cf21cb56199b5b45abec2f25f79b31c77215f952125e7588266a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
619f3b3b2a233b9d2c6776042f50ca46

SHA1
3373bdc7b92294fc68607976fbaf0b213af79be4

SHA256
59ca05fd6e932dd134ef5b0db984135b68e8a48c33a7a8b398a9434f101d4492

SHA512
b9fabe927f50bed5d4601f453208603c426867725f289235f9197fc8f42100e035d80aa4718121008a32a6e3c742dce7d14decbccbb3a7d6f8316aad7bc79368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{88F29379-1476-4211-90CE-9C6A6747FB71}.FSD

Filesize
128KB

MD5
f25804ca16165c14585eb0e62e54f63e

SHA1
be696eada74fb4b6f8ce3f9294f0b1e30a8d16af

SHA256
42bb0280488343f1d7bbb1c614e7573d3d80351c7649f7a3f8e6e8da8f5956fa

SHA512
cc269453f0658729495335e640f17e032ab43eafe5cd940de35f4b2e0cac3c0a51aa115deec8994df61634218fb845f6c5849c9873d3402054a121f1696ed2e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F2EE782.dat

Filesize
1KB

MD5
a19e3005f2cf4408c6a0ef18419fd9cf

SHA1
2b2fe21480eae6c5bbc3bdc736e1186815fecffc

SHA256
01188acaff9047e8b0e6293aa34350f74b8b27f425323323b3ebd16e0284a26e

SHA512
f2c3dcc37e1868612cf73c976385c00d11c0b52db3846ab8a19d2fdf9cc0a0ec9e704da7607bb56076de7c57743f581d4ba56924994a89e692d20fe16b7ee7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4BC53E99-D5BC-4005-BF64-3332A6E497C6}

Filesize
128KB

MD5
2054abd75d1eee135e268a0b38e12986

SHA1
f888f097f99bfb23c1ae659e1c791fb712029bde

SHA256
bcf1fc810a8fac7b3121c1a33cc53bcb384c39b0f44d01dd6bc382ad486360c1

SHA512
dfcca3a049f136f49d7c7c18885a468a5947a0912308c4f8b6e17fbde74eaacd6c29f3fc13adc663ae30ad000e424e37ba8c448b83d01a343fedabe51e6a580b

Download Submit
memory/2064-0-0x000000002F021000-0x000000002F022000-memory.dmp

Filesize
4KB

Download
memory/2064-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2064-2-0x0000000070B7D000-0x0000000070B88000-memory.dmp

Filesize
44KB

Download
memory/2064-86-0x0000000070B7D000-0x0000000070B88000-memory.dmp

Filesize
44KB

Download