45699e3fc86d5cb6ed10d1ac911e61d750d0408c37919ac7f3d9c26c039f1185

General

Target

45699e3fc86d5cb6ed10d1ac911e61d750d0408c37919ac7f3d9c26c039f1185.docx
Size

23KB
MD5

9ffe61adb195f8b83fc714f2c9a47e19
SHA1

cbb0be81e115b81a91e5b3daeb9abcb076af6a74
SHA256

45699e3fc86d5cb6ed10d1ac911e61d750d0408c37919ac7f3d9c26c039f1185
SHA512

5a85af063bd8c87d1fa2644a2530262e000f112958b1322d3b6688155f7b7e2219e1530c2e8d1d7439d525a5e036f6446045975392a85135ade93db12b21db9b
SSDEEP

384:nzmheoflGYm7Jpg2PMaWRbu9Skd3Q19/WlGllljlug1FuyeDXyA1nogkdOIlCPbA:zmh5flGX7Jpg2PMaWRbu/dg1BWlGlllJ

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2624	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2624	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2624	WINWORD.EXE
2624	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 768	2624	WINWORD.EXE	32
PID 2624 wrote to memory of 768	2624	WINWORD.EXE	32
PID 2624 wrote to memory of 768	2624	WINWORD.EXE	32
PID 2624 wrote to memory of 768	2624	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\45699e3fc86d5cb6ed10d1ac911e61d750d0408c37919ac7f3d9c26c039f1185.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{71445551-1F08-48C4-B536-F1B43D9600A4}.FSD

Filesize
128KB

MD5
50a72b96dc463af6ff311fcc2b6ec202

SHA1
173b70133e0bdbe0e68db9e5b91d9a8d21cdb85b

SHA256
d24c547c4954e6969f6321f0d75df01e3a1ee899e9b005d29bb647c8f6ceabb0

SHA512
5b00de892ca5c64986a6a7783fd0ef81fe1216ae502936fe8989f8adeb13a582e50883cd5c63df2d6fa8d8b77ce51b78f83d253f51879c2fa467d8b75c1d75b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
6a5c6dfe5296a206bfbcfa41f43aa42d

SHA1
2591b9b68fb3e23614c5986c64c80da2252f0c3f

SHA256
e762dbb91ed75c68ff440191990ae307f404adb740a8fdd26506a73036ab6592

SHA512
8b94e299a8dbc84873fe91a42a03ad2ec7e8f53c14bef44ce79a265c57e3d84f9a041782f297cb3165f40330757bf3b893bbd800fc731d61d8885a28db802610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{908D6D85-F65E-42EE-B14C-5A02E5A82C18}.FSD

Filesize
128KB

MD5
d478c106b0998be420f03a854f27caac

SHA1
be226c83966e104c060e88aad998942dab7bca1e

SHA256
5eff63d9bf8fe4452a50cb21921da08f05059de11582c7715acf1a9ce5e7bdce

SHA512
bd942133ad63302434927360dc3b25bc2036f198ef8956cf0097a1e14d834450219d978b09bd14d266e5d408e0607df8759c763880e340452f475892ceb2c677

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5093.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar50B5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8518471-B43B-4EED-92F6-DC969379AD90}

Filesize
128KB

MD5
262517f2c68d7590ff10ed10215f8d0d

SHA1
3458744309e00724b792824bdac3a0cb21b554be

SHA256
60ce78aacc30fb86e2f0d29a992bbaf89cab4966b21830d5a3469bf8029d67d2

SHA512
1f1b30cacbbf8fd039a412feb94b46575c652bd45b24daf595dfb768615f168d9dee36ffccf0e165b13d914aafa3e07c9cc0f3d2cd94141d96b16fb364b6f118

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
93967c1bcffdb2534d06124ed27852f8

SHA1
409cdcd9e99a448dfc7942cbe0a4a3ac81d76fbc

SHA256
ad0724869f45c9f6c7f467d1b272ef39881bdc75ab27eba5b0f177a111190978

SHA512
8e182175622c02970ad0306287cfcd5764f506c9e270ed43bcd6e4e4d53e6d1d98253cb8a8d2c46c3a0966704147cc7fe88cd4bcb161f79680e7b61c4d8c514a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2624-0-0x000000002FBD1000-0x000000002FBD2000-memory.dmp

Filesize
4KB

Download
memory/2624-2-0x0000000070D9D000-0x0000000070DA8000-memory.dmp

Filesize
44KB

Download
memory/2624-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2624-454-0x0000000070D9D000-0x0000000070DA8000-memory.dmp

Filesize
44KB

Download
memory/2624-479-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2624-480-0x0000000070D9D000-0x0000000070DA8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing