Analysis
max time kernel: 24s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 24-07-2024 14:03
Behavioral task: behavioral1
Sample: document.doc
Resource: win7-20240704-en
6 signatures
150 seconds

Behavioral task: behavioral2
Sample: document.doc
Resource: win10v2004-20240709-en
4 signatures
150 seconds
General
Target: document.doc
Size: 61KB
MD5: 4c00d7259e51ec442104ae2bd3c92d7d
SHA1: bb0b4c5258f0629613d17c63f9a31f9af8c2d3d0
SHA256: 46a239bd13dd1d5c71b7c62939025249d079a3b5922dc7826e8fd83e978e8c13
SHA512: 01927ba69d091f66ae22c138a9d8950ac8a16780adcdfbfeaace0f7d107789dd6f4a0fc23fe980d08014563ceb545c9063257fd5a7b9ecf602bf88b27909c17f
SSDEEP: 768:NHb8iWx5wYYHeZCbTPvyfa1PPrTLgeKV/nthMl9I:d5c5PYHrTPvyS1Hr5KV48
Score: 4/10
Malware Config
Signatures
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2120 | WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2120 | WINWORD.EXE
2120 | WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2120 wrote to memory of 2688 | 2120 | WINWORD.EXE | 32
PID 2120 wrote to memory of 2688 | 2120 | WINWORD.EXE | 32
PID 2120 wrote to memory of 2688 | 2120 | WINWORD.EXE | 32
PID 2120 wrote to memory of 2688 | 2120 | WINWORD.EXE | 32
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document.doc"
Tree depth: 1
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2120
    C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    Tree depth: 2
    PID: 2688