Analysis
-
max time kernel
56s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
23-07-2024 21:15
Behavioral task
behavioral1
Sample
f693ca0340ebb4ea9680f9e75e9196e56899d605495f8369b9e3a18e52501673.doc
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
f693ca0340ebb4ea9680f9e75e9196e56899d605495f8369b9e3a18e52501673.doc
Resource
win10v2004-20240709-en
General
-
Target
f693ca0340ebb4ea9680f9e75e9196e56899d605495f8369b9e3a18e52501673.doc
-
Size
32KB
-
MD5
42761fdb827ed1ac8163052bb5bea000
-
SHA1
dcc1c7c7848dd170efd3e6a8a357931a690c64aa
-
SHA256
f693ca0340ebb4ea9680f9e75e9196e56899d605495f8369b9e3a18e52501673
-
SHA512
68288a9fd9d26fa814da7b4bafaa6b1a01de9e8159e254ef97b23740666bef85cab2e9d43b83897630e15f3a4793fba9462818338d35c0eca4d54f6c8a4defc8
-
SSDEEP
384:hMQ8iS8px8SMD77t1YaZDZJyxAJZZZMY0jYD:hMk3yXZDZJyxAJZZZMYb
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
description: File opened for modification; ioc: C:\Windows\Debug\WIA\wiatrace.log; Process: WINWORD.EXE
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid: 308; Process: WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid: 308; Process: WINWORD.EXE
pid: 308; Process: WINWORD.EXE
-
Suspicious use of WriteProcessMemory 4 IoCs
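description: PID 308 wrote to memory of 2616; pid: 308; Process: WINWORD.EXE; procid_target: 33
description: PID 308 wrote to memory of 2616; pid: 308; Process: WINWORD.EXE; procid_target: 33
description: PID 308 wrote to memory of 2616; pid: 308; Process: WINWORD.EXE; procid_target: 33
description: PID 308 wrote to memory of 2616; pid: 308; Process: WINWORD.EXE; procid_target: 33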
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f693ca0340ebb4ea9680f9e75e9196e56899d605495f8369b9e3a18e52501673.doc"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
PID:2616
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2B
MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84