773a761f49964da9e1f9432fd912864ce070cd96b3686024ce03571fb22647a5

Analysis

max time kernel
138s
max time network
141s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FACTURĂ.docx
Size

141KB
MD5

584410ce253da7a7a165233ca100ca83
SHA1

4be0e18e971f0c8443aba983826312f1a9103f0a
SHA256

773a761f49964da9e1f9432fd912864ce070cd96b3686024ce03571fb22647a5
SHA512

66555af131b8d9474bc3db81227b3ef4e74a7b3bc678b5715a54b52017d99f266729cbc2358425d09bcded014f6682633d30f2e1122a140faa54527c221348ae
SSDEEP

3072:nHjiNnE9xcCSbQcFyjZ9p7p6+1Ghfu+uUsw8Okcf:HedEFSbQ4gZ939Ou+uUsw7ki

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2264	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2264	WINWORD.EXE
2264	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1484	2264	WINWORD.EXE	32
PID 2264 wrote to memory of 1484	2264	WINWORD.EXE	32
PID 2264 wrote to memory of 1484	2264	WINWORD.EXE	32
PID 2264 wrote to memory of 1484	2264	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\FACTURĂ.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
eb42be63f7aa85dad2f91c2eb6992773

SHA1
b18010d09608ce599672589a1937520df74e3743

SHA256
cdcc091b8b86b399977f702f3ec340b306ecbf464f211eee8a0ba5e63becc219

SHA512
062c1e333d88ce86d372e64e87587a7ed78356092765ff59953d2002c0d8d0e30b1d56a2f2f8a98b8a15d5da5aec820808403adb9198356179c63f31538d8b10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{AE5804B4-DF83-4B38-84A2-69A24A9E79F3}.FSD

Filesize
128KB

MD5
a6ea8ddfaac330f466beb6af5a430eab

SHA1
7dcb9bb92040007253b5c11afd1cce7ba12c3e60

SHA256
ea932a2ed98df836cc8b2f08202e08dd6eab736cb1cc45422b53a5c31a89afa2

SHA512
d05131b9a245c15939da37c1f1895065e9fed9426c349b060dba82a9b1718da78e06bbaf778df4abff6f675d8efebbe0a4d7b2581680a1fd5759be75dc810254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2433536B.emf

Filesize
16KB

MD5
767d8595d67d70f6c19ed869df119765

SHA1
8ceb76d98dde5e69bf541623ec5ac6f034e6edb8

SHA256
8a05aef60aa3ca524164d3c1c0ac369a2b42d00293b33533cfce3d5576877ef8

SHA512
794ce1be4440925efad4aa7823af3eca8b891109118a5e09414fc5a14e310db8af316d3e552ba22dac9bd0bd692f00955616cfdaec21c872f0a9377f3c61fc21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F4ADE70.emf

Filesize
60KB

MD5
e474337e81d6ec3982f06e5f3b28a11a

SHA1
0b5a37a2d7f5d89e1dcf85d8145bc78a843bcb95

SHA256
60ecd6087b9a0d8a33354d842944b4d167742d217c48227745092c37d03a54ad

SHA512
bc30f17ff589f8bf9b3e7cf2cc44147a7384e22f00580b78f90e0350e80ab7a5fd02df2a81de02284c05746a1ec8dcf6ac27b45f560108bf45e0c5184cc06f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0BA423B2-586F-499A-BBA8-94AFD29565C5}

Filesize
128KB

MD5
9d287c16413e7e28e0810b33634fb9ed

SHA1
be97e384629f53acf5a0391b9fa8cd1d761dc609

SHA256
b47ea41b2b187d6c0a777c92402f27071e3228732dabc076c69ea5ddba9033ab

SHA512
32a48149871ca5c1f802fe944aebdc71498ebdd4be7efcaac4b4bc3ae78773e80fc0362a4e6fea7ca190c82caa2417b4f375e07a3989098d4cabdb88dc5caf92

Download Submit
memory/2264-0-0x000000002F5A1000-0x000000002F5A2000-memory.dmp

Filesize
4KB

Download
memory/2264-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2264-2-0x0000000070E0D000-0x0000000070E18000-memory.dmp

Filesize
44KB

Download
memory/2264-98-0x0000000070E0D000-0x0000000070E18000-memory.dmp

Filesize
44KB

Download