f47ed185c87184f8f9b70ecae8bc0bcbfbba601ca52478f5cff1ae0c0f5a56a3

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-07-2024 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dukas022.docx
Size

93KB
MD5

8a0aac20ae081eea8420993173c312ea
SHA1

3b7a41204fae477566a0e04d284064de189b84d3
SHA256

f47ed185c87184f8f9b70ecae8bc0bcbfbba601ca52478f5cff1ae0c0f5a56a3
SHA512

d814bea11ce52dd4e21c83342e0fdd7b14f12ff963d018fb9f05b1ced53fc0c6585ccc42e0c9b5fb85b2a63f991c497986da9ce3b7c7495d70e6d872cdc2063e
SSDEEP

1536:TIzw/hgP0QF6smQKEMzqsQtrm5rbXkvMtLQ6j7jfmMIGSzyn5ivkSVkkKLkJe+VI:80Q8hjOXIrbXyMtE6j/EfvkS8LrcI

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	2044	EQNEDT32.EXE

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2044	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2772	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2772	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2772	WINWORD.EXE
2772	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 1720	2772	WINWORD.EXE	34
PID 2772 wrote to memory of 1720	2772	WINWORD.EXE	34
PID 2772 wrote to memory of 1720	2772	WINWORD.EXE	34
PID 2772 wrote to memory of 1720	2772	WINWORD.EXE	34

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dukas022.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1720

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
9a2baffbf850db7199be68cdedc26cf5

SHA1
df5dedcc718a88f4705e4ae8719640d6c547a482

SHA256
97f8bf321548e21e09d5fe9e99befba08b87944f92c82f5a4f463a8f0d8aafa3

SHA512
613b0f3f015c4dde6ca8f3273ebf9e67eecf46d9ca9ffd4cfd2342ddc2d2af9da9817ab7841e0c878b98334925263715a8dcfd385e39c3e8a7f607615722e199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
eecfc14874a33a8d838bfd645860d61e

SHA1
c1ed359c1a496782699df57800bec59c88fac5d9

SHA256
a9909f10357562d2328dd120426272573094e0daec423f2b0cd631588d08fe4b

SHA512
1f63967091ff540ffd80d1d8fa31cf23498764a11fd18452f27d4c37c52ed62fcb701871e32181e1ebdc2f29e71db20e9775fd20dee8dea877aaa6667e89a759

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
aa8684faf935603c7031ebe1e974fcca

SHA1
b5e58d418101f9667ff1a510fc0633ec596b0dd2

SHA256
0525c69c6d237792c138be3bf56b0f3acb779c2540540058c73a3aff07a47a3a

SHA512
53be4385e805b2d6116c7b06adeca8b8cf984c72659582ea3667170184bdc3ef7865c055a688224d0fd805a64379d5f929448845e56c3832476f28fc0c13502d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{CDF14A69-A065-4C91-A0E7-8ADD1AF5C3A7}.FSD

Filesize
128KB

MD5
07c1178e8a8ab7cda0d6c9ba6405ba8f

SHA1
fa4b3a8bd7e86548867bfdebef3c329b856e5a7e

SHA256
f2d860fe966b53c3baf3c7ad9b6a2c0c63a2935f720313c9d628477fa254ac5a

SHA512
566e07ead01623ccaa92085849abf3958fcb5a4a46b576af110e7d23cb8fd7706e073902b91f5ddf9ba99af516638eb9d98821d4d52ce7237a7a71920499328b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
66955743a428e711cc964334f859352b

SHA1
4d218bb29f4c6dd75b17d1f8c3490adc877728b5

SHA256
19c22870165164a5754739929c0ca69c367c1b4bff88ac21adcb7a171a03dd72

SHA512
7a274751980a213a3a731acab130d965a4d094cc17b9edfdf364fc6d8620faeb8a7fabc55de8faf2fd812e213934fabe62d60372dcb489f24b12d50b1b8f737a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
b7c4400bd63e24034779fdc8cb6bf1df

SHA1
bfe1f9b6b1dadd25185ef90dba75c306388fd48b

SHA256
f3942b60179491e95fe57196fda5199e8d90595adc188c2a6c7bb9d2b6582798

SHA512
4d1ce05f0a6f49d4279c92cc04da0f95fd01f1791d1dabb5f28c4d9ea1c553290a994fd7ad4c37315cc455ed0fbd97c9de54923c156849367dc18816637ef694

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{36F04008-1BCF-40CA-88D5-13BAAA4DAA11}.FSD

Filesize
128KB

MD5
e157a30b680311b4d25699f345e730c2

SHA1
388c60fb36a7b0018479be3dee95de7bfbdd665a

SHA256
e48f2b185740a61bd80d6a0509c5679529912d653617a3f614f530d5a81141a6

SHA512
aaf0b1913c3803cc9ecd8303bd3dba4ec5cc72ca0704664427a6b96b2a399e36bbfac4f1a72d3ac310d2649bc6cce912dc72d65db9335002c68dd246c02e8fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\duk[1].doc

Filesize
612KB

MD5
0b98de8b03f4f26b25888b58c19dcaab

SHA1
dcb036ae76f9a236383f1192d94eb7c6c6fa3bd2

SHA256
d25624c26e85dccb4512e601ede7c1617e41b3aa26cc50649123e3ef04ad3071

SHA512
e400a10959c9edbf7d9a78ff5b803303f7e514e1ab1c2e724d9ef594d7185504610dc651e0dabbee0fff2743d5ba91948bbec5a7ed3bb91f4072397683a45bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF547.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{614418C0-E38A-4CFC-A465-832FF46CDB40}

Filesize
128KB

MD5
916c2db12dda3933603ec1ec49079873

SHA1
c4f9f6f7df7c0d1875df5bb1db8da96ee30132a7

SHA256
d019593a9c782a5ec1b069c46e62895b23d00135337e369933cbaec07c8a21b5

SHA512
f53e80510d02e2b51ed04856bb4b17d1b368bdba791c30aeea71e5326f881e3de6c09c687100494d9f5728bc6970a1a7c55760bff2a1bf6f9c346403a1eb2cea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
414B

MD5
1e6454df4a3d70f9c944ffb71d023ac8

SHA1
d251f16a401e26b3ecabf5f853588b18c3ca60d1

SHA256
6e79a99a997b999c5abfc873b3c940a4607afca39ddba23ff053a1a3bc0d52cd

SHA512
39c5d35812127a47499e593cf7f6b2a3702b913bd9b8a6e8558c56d17df70ff0dd3a2df95632050fc8db496f79e6c0fb130f8be0b4a5a198e34a94068b52591d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
75495ba8cdd42641e977d606319818c0

SHA1
f50a28ded79996a124e3889cd865c3c464b94eee

SHA256
57e75b232bba317a13de75a71793a21c5e7ab2a5c3790c0f0e33310ada597211

SHA512
943a56efa0b69ff9532c17adaeabc048d097c8c3784fc12a715bb466ab0277ad341b8785cc5af8dbaa0ff8efcd4884f8c7c004f9d5d491541d8bc686353c073e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2772-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2772-2-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/2772-126-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/2772-0-0x000000002F531000-0x000000002F532000-memory.dmp

Filesize
4KB

Download
memory/2772-149-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2772-150-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download