64d86549103287f488f4086139984d1be9781da6b6efc7902f03a348e664164c

Analysis

max time kernel
101s
max time network
102s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64d86549103287f488f4086139984d1be9781da6b6efc7902f03a348e664164c.docx
Size

179KB
MD5

3189b1177457146d7abefd2b6bb2c46f
SHA1

7bbd37142d3f74050678eb7551956d3fe6e8faa2
SHA256

64d86549103287f488f4086139984d1be9781da6b6efc7902f03a348e664164c
SHA512

cdcc16b3d013e1b95c2ebac1d72fa9994c1feb4f5beb5938f6aad6ee88b595af77a19cbb5dba068aa7867a8511385e62006c5dae39c47912317791a8ac0b5da0
SSDEEP

3072:eiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XU8AuxA:k5r/g+qZMpcFSQzYHut4dJPA

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	2848	EQNEDT32.EXE

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2848	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2216	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2216	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2216	WINWORD.EXE
2216	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2272	2216	WINWORD.EXE	33
PID 2216 wrote to memory of 2272	2216	WINWORD.EXE	33
PID 2216 wrote to memory of 2272	2216	WINWORD.EXE	33
PID 2216 wrote to memory of 2272	2216	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\64d86549103287f488f4086139984d1be9781da6b6efc7902f03a348e664164c.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2272

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
351f9fdba85b641b0342e2f5f8f2a393

SHA1
e55562ead8c56efacff77d246012d90479003db8

SHA256
2c544497c091631be75a5b444cfc7f82cda636ae9c70e863d6b0fb68fd90730b

SHA512
95e5d40c1886331af74b936ec1587502b6cf53128e5a138f47cb1c2106aef82681ef8f7d10787b761acc688e9fb408bd974c662fdbccff9ea6c167011a295333

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3dfb2261b92f4cc4537ff04dd8a9b86

SHA1
47f303eba25bcf51c341953893dacd2714025bca

SHA256
fcc5deae9d76f3666f2d95b9294cbf2c1770c2c04313618887935a76d3d0cabf

SHA512
ff4d7da809f071b8ccbecd5cbfd12361f10dd26e3eed4ef8bb4f62c8e7145ec320c63ffce7c959b857dc8a0dac06a60a9ed1ce9f34bc9c9268a6051f6894a459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
b507654ea97fe6095f0b94b4f83b9305

SHA1
153d2d11d51e8b370a8e621cee4b7888e5e872bc

SHA256
50343b2ef0c7db81fd4919decaaf61feaeb3c70c9ed1be3e3100092f2ef1aa90

SHA512
69c961bc01a597f8b4e77683c731ee0bfd0d886ad6821adcb94a404ce8e0c59e52993293674751355e76bb81ca79c52238925a2bc9fcce4b0f12d34263b3a03c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{58588490-0F2E-48AC-B456-1DF95AF5F211}.FSD

Filesize
128KB

MD5
6d7f84f4e0b8a9cecc7b0316b73799ae

SHA1
60f558a30c7503227b39ffc2f2bc1dca46d3e03b

SHA256
7308faf0e2e44bbf4103a9870b2d507a9ab44228d21c1ffc196de02d1aac2c06

SHA512
71b810bb53b5397ec4b990489d187061b303d8739f2345cbe80bebe4640ac7298a863b949ca0984ecdc8a124032b784d41fb68d81f77a9a061a2fc9b7a5c0aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
727cab1c7adb985ab1b61b05b2e962b8

SHA1
205ad1a1509d42d4e0dddb8cef503a96f775176b

SHA256
f0a8bfbe63c9dbc028caa14568253eb95fb03ecf45138c36f4397516f4ef21b8

SHA512
3b1ce0a62b5257f576b31f574bb10680cbf02cf69864df2b1421084c4e3b0c0ba605055ff53bce0c78e90d745440e1940700eb23081baf68f7b762f8b8a66cea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6C8981A3-B6C9-4106-817E-8E476AD1D793}.FSD

Filesize
128KB

MD5
61183575549532cbfeab4589e692e7f0

SHA1
962f5d3706762185512698601319a985c93894ad

SHA256
c1dd6a5b55310eae8b7457e987546961e203cdb088b956f0cc117c69f2095141

SHA512
707edd4b6dedc7260e8c1646b1486c4ea4dd7e8d8901a7be87deec4d5966dad90fb645d766aa493732f155e1919642b2fa3584061420405c4d3013dabe4d602f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\eWjsdnqwKllAbeP[1].doc

Filesize
886KB

MD5
f7e4812fd83625cdfe19159f6d2fefa9

SHA1
15a20c40783e01f60135619b8358d1f1df0beb14

SHA256
fa22ac754b94cc3093cad88b03f0d2b1aa4b4c52a494c7a0b1db761acffbb5e7

SHA512
51bfab21f0d18c4c7bcdfff776cb771949bdf29f43dab37767fb6d7cc64bb8996d730b39aa949b5f12d991dcd1e7cbbd953301581877bf165fd03c5ed33ef23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBC3D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{42AED452-F7CE-4438-9CF5-29B3FDE2BC2A}

Filesize
128KB

MD5
06eca7e7fc3b5b9bd5c3f2dc811b01b3

SHA1
e3358120485af9abf14219ad455269cecfeaa26f

SHA256
b85358a71cc24aee7771bb6ef888e700a0ecd64fd4271c7e0ebc59ed09b389c3

SHA512
443dcc9f667429890c9077f68fc4bae242634b1722a2ad15312e1de1f6b37b4790dee47f5e9783bfa10050bd5a26415fa7b9079763aa61b7d84895ed097ff76a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
a421ccbba153ed3847f8f08bb78ef8df

SHA1
4f499d9789413789d3634e6b7993a109cbc45188

SHA256
f0a5ab4fa261f6db3e9a2da4f691bd4045ea63ab90b7fdb60a5f3bf61cd90794

SHA512
962c51eceb29bb7c63a9e1e3793439c3fe8f20c4d1ddf11336d37a7b81db88e8d5b6427e6e526b88f15ac017b66a0f04ce42b2718dff829d53f767562eff3521

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\fkslfile21.exe

Filesize
4KB

MD5
b320645a5f89a21ccd475f05d5864b66

SHA1
f610582c93b7bfd2de9e7a708a0052f87257e50f

SHA256
ae3f6046503194124d07db2d7c29254f750b7ce199fac2ca5646abe8411e672d

SHA512
beaf08955f626d6f2acde9ae78db822e754f94c1284c0d0c35b7f455a09c5d27222a4cc5f8ba8b0235abc696cb3ebf4050a9a1e78670b1bb23efd70dd8d837b6

Download Submit
memory/2216-0-0x000000002FCE1000-0x000000002FCE2000-memory.dmp

Filesize
4KB

Download
memory/2216-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2216-2-0x0000000070E5D000-0x0000000070E68000-memory.dmp

Filesize
44KB

Download
memory/2216-154-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2216-19-0x0000000070E5D000-0x0000000070E68000-memory.dmp

Filesize
44KB

Download
memory/2216-155-0x0000000070E5D000-0x0000000070E68000-memory.dmp

Filesize
44KB

Download