Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 30-07-2024 14:41
Static task: static1
Behavioral task: behavioral1
  Sample: 112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3.rtf
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3.rtf
  Resource: win10v2004-20240709-en
General
Target: 112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3.rtf
Size: 94KB
MD5: f7c34c11bb5d9cdcece78edae0beff42
SHA1: 96f2510fbb5c6203e21ead4dd55daaab59a86f4e
SHA256: 112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3
SHA512: 9b733c0d88c98adfe48e45079276ff7e059540445aa576b9eb637ac5c6881586336740384d71ab8a98e24b6f13c76d2ad88dd4437077dabd6a8d7829cd037164
SSDEEP: 768:GS6MQ5k2WKcczrYFUoNVEbHfwFclPY49Ug+:tSWKccXYtclPYaA
Malware Config
Signatures
-
Blocklisted process makes network request (2 IoCs)
Processes: EQNEDT32.EXE
  flow  pid   process
  3     2756  EQNEDT32.EXE
  5     2756  EQNEDT32.EXE
-
Drops file in Windows directory (1 IoCs)
Processes: WINWORD.EXE
  description                   ioc                                process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
-
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: EQNEDT32.EXE, WINWORD.EXE
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EQNEDT32.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: WINWORD.EXE
  pid   process
  2632  WINWORD.EXE
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE
  pid   process
  2632  WINWORD.EXE
  2632  WINWORD.EXE
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: WINWORD.EXE
  description                        pid   process      target process
  PID 2632 wrote to memory of 2852   2632  WINWORD.EXE  splwow64.exe
  PID 2632 wrote to memory of 2852   2632  WINWORD.EXE  splwow64.exe
  PID 2632 wrote to memory of 2852   2632  WINWORD.EXE  splwow64.exe
  PID 2632 wrote to memory of 2852   2632  WINWORD.EXE  splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3.rtf"
PID: 2632
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  Child process: C:\Windows\splwow64.exe
  Command line: C:\Windows\splwow64.exe 12288
  PID: 2852
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
PID: 2756
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 19KB
MD5: 7c73038670c0f237b3ca20dfcc3fda94
SHA1: 952c8fda4ddc6f3a1719ac6c5e185377829159c3
SHA256: a9ffa1170e285416189f2de645cb160372d7f58b50ceb313686afb47be567bad
SHA512: bd58c813014da011a9bd17411628e10d1c2d338600090f50c754f13dd585943a58f8915b52ac90b127cffae0c335e9d49bd4add1a5341d53930af89b8d292197