bcb932970ae4fb497adbcaa218a4281687a4d1c869888d50a149b93830d5a94c

Analysis

max time kernel
56s
max time network
19s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcb932970ae4fb497adbcaa218a4281687a4d1c869888d50a149b93830d5a94c.docx
Size

10KB
MD5

3c9a1cc66d978e195d04915839c2ada1
SHA1

3f4fe8092ad15cdb2a90059059af67a863e82d64
SHA256

bcb932970ae4fb497adbcaa218a4281687a4d1c869888d50a149b93830d5a94c
SHA512

0760ff9cc724d7d713d951c1a102d95afc46dc95e29b442f4e43e6d67196e66af2ec41c3f09208421ddc1b3cca4648206dea59e636fdfc7a56443e6da643bc6e
SSDEEP

192:QEhMCXGheIhu7Z/c+8poF1d3jvvtlfb8t9264wpTRwWvrGxjPbUUFfyczpm:QqvGAImcfa7pr1lfb892hw5RzyxjPbzY

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\http:\diagnostic.htb:43180\223_index_style_fancy.html!	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2228	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2228	WINWORD.EXE
2228	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2148	2228	WINWORD.EXE	31
PID 2228 wrote to memory of 2148	2228	WINWORD.EXE	31
PID 2228 wrote to memory of 2148	2228	WINWORD.EXE	31
PID 2228 wrote to memory of 2148	2228	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bcb932970ae4fb497adbcaa218a4281687a4d1c869888d50a149b93830d5a94c.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
52eef78d8992e21667a1eebf950b72a9

SHA1
a1148d8df02e90a84fa8f04269bf241dd277e1a2

SHA256
7ee1a2966dc985d66592140d5ccbcf4b5c08dcaa04812bce3080029b2d468af2

SHA512
7ada90d66f578b95ee3696abe7b1e0130b6fac19de550a3d82ddce965b3e22888c2da28746ff8f24958852011199ca9fa6199ce65fe083114497e944118c86ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D7A03096-2BC4-41FE-B900-54FEF16805F3}.FSD

Filesize
128KB

MD5
4972a328ffed5967862122ba7b88b90d

SHA1
bd73919325e8b978dfc81985668e67e2abfd4411

SHA256
c17dcfa474d4782dd3b707219bf0426831ee2df933b2e371e56085969d83363c

SHA512
104d515eb653138dc6145b50d26dda107d802afa7371662c91a30d9f1798cc827dc228c49517b8853f262b058f80ede6c7c1e605e8acc21808b1faaec1786d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
f01df67ca90c2b96f43a3c4d10728d92

SHA1
895a32373a1161bdb48b5a96bfba9897cff67d30

SHA256
e7ff3b90c2761a38d7a43aa0c3b8416fe473172684b9903f8c466296dd799bbd

SHA512
a5aea8712b895cb74358d7332426f51ead906843d67cc8d030ac33bdc949360f5821b0fe8484f3f160de5f47ae244bb139f5ed429da622f2f9de06d48bd51bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7713BE93-5DCA-4F6C-A8A6-C0D45ED911AA}.FSD

Filesize
128KB

MD5
b95be5342b634ad382ea89e3a26172b6

SHA1
c3a0a8b438f072318d1da6090d00e268745ac007

SHA256
cdd538721b8fb7ec3fdbd1bb9932ee73f024548c46d7125318d49a1e7e789c45

SHA512
4b5a315fe4431393ec17bf90d2c1460aa0b9bba05beae27f1f9f350aa12b263614652ec4befcb9d78099adea32de451282b66ffd5854dfc1264fdb9fc76938ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EF0C2DC9-99AF-4BE6-8D03-B953860533D9}

Filesize
128KB

MD5
d908f294451bd763e79f1c8ce2e326a5

SHA1
6ab5a614d09ebf113c89ab39e0063f2cef93c707

SHA256
2f0c36b6e221697dc29cca89f7c00572ccd51d83fa577c0b192186adf877a148

SHA512
a1bc0d13ef7472997884dc4cb97660725734cb2da97e4b7d6da080e3f487360c2d92cebb4858fef7f68b6b41532735f51560f99d2f18c3d02ee75686d4c23630

Download Submit
memory/2228-0-0x000000002F981000-0x000000002F982000-memory.dmp

Filesize
4KB

Download
memory/2228-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2228-2-0x00000000736AD000-0x00000000736B8000-memory.dmp

Filesize
44KB

Download
memory/2228-62-0x00000000736AD000-0x00000000736B8000-memory.dmp

Filesize
44KB

Download