Overview

overview

7

Static

static

7

HotelMIS_special.exe

windows7-x64

7

HotelMIS_special.exe

windows10-2004-x64

7

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

ConfigServer.exe

windows7-x64

1

ConfigServer.exe

windows10-2004-x64

1

GuiTk115.dll

windows7-x64

3

GuiTk115.dll

windows10-2004-x64

3

MFC71.dll

windows7-x64

1

MFC71.dll

windows10-2004-x64

1

help.doc

windows7-x64

4

help.doc

windows10-2004-x64

1

hotelMIS.exe

windows7-x64

1

hotelMIS.exe

windows10-2004-x64

1

libmySQL.dll

windows7-x64

3

libmySQL.dll

windows10-2004-x64

3

license.rtf

windows7-x64

4

license.rtf

windows10-2004-x64

1

msvcp71.dll

windows7-x64

3

msvcp71.dll

windows10-2004-x64

3

msvcr71.dll

windows7-x64

3

msvcr71.dll

windows10-2004-x64

3

mysqld.exe

windows7-x64

1

mysqld.exe

windows10-2004-x64

1

share/char...s.html

ubuntu-18.04-amd64

1

share/char...s.html

debian-9-armhf

1

share/char...s.html

debian-9-mips

1

share/char...s.html

debian-9-mipsel

1

tmpl/ReportDay.xls

windows7-x64

1

tmpl/ReportDay.xls

windows10-2004-x64

1

tmpl/ReportSsy.xls

windows7-x64

1

tmpl/ReportSsy.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    23-07-2024 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    license.rtf

  • Size

    55KB

  • MD5

    961ae0fb01407fc89aaa5bf634257616

  • SHA1

    e268e6cdecad3d181e3597907b98c77baa3a17da

  • SHA256

    c807466525f0cc5d203d902d63d6357f953d5bddcbbece4abac8f61a9427304d

  • SHA512

    ab105c3ca59e3c58c38144fde138c76fa28fd063f1da21cf89f068b7ba829437b3a1eb7e0badad8635c95a8165650e7212cb06482ceecf4afb262406980b8efe

  • SSDEEP

    384:nAl5XLig8T6v370++IqUSsTEmuyuu3Eh4lGf5sEGtBlAzP4GfGuLsj3muA:Y5Xh0+FqUDUh4cBeDlAzzuO

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\license.rtf"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2772

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      9c4f99ee056cbbdbaa1ee42d82d261d4

      SHA1

      d13bb512c020d34b1ee301bc369bd7d7b50ffdb3

      SHA256

      4bea7be644c19d10edfca44273fe0c7fbdc528e494cef60f962c4710e9df7d94

      SHA512

      590a844b870f7e0ce744bf15384cea82f7d9ffa89ca695e5696f0d8c9bfeccbc63f00af94edae8e5bf7ce3b982aeb9ad00089b9254df4224a460ccd9c0d784c1

      Download Submit

    • memory/2432-0-0x000000002FF81000-0x000000002FF82000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2432-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2432-2-0x0000000070D9D000-0x0000000070DA8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2432-6-0x0000000070D9D000-0x0000000070DA8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2432-24-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2432-25-0x0000000070D9D000-0x0000000070DA8000-memory.dmp

      Filesize

      44KB

      Download