Overview

overview

8

Static

static

8

MessageBG_1610.doc

windows11-21h2-x64

4

Resubmissions

11-08-2024 23:13

240811-27ve9stdpk 8

11-08-2024 22:45

240811-2pebbsxaqe 8

Analysis

  • max time kernel
    906s
  • max time network
    497s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11-08-2024 22:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MessageBG_1610.doc

  • Size

    56KB

  • MD5

    5df199efa402d5aaa11fd8756b4e399a

  • SHA1

    f0efcbb72247c047bd34635022962b3c48910b0b

  • SHA256

    e9f05ac2087835df5d2d82b18d2a6f73a4eedc3a279d16682d725daf474acf40

  • SHA512

    be60466f3d9918eeac26cb578d18a3f3a485bc961b8f24a8f83a9cd0d49690b3fdacb8423c7d0586444e4e96fe0f7366c290d2c63a40e3bd0b0267cb47e6d380

  • SSDEEP

    768:sMbVsvVEOx48w+5z0IEJp9sqUnreUC8wgbstOIiahAl+xw+t:sMbVsvVEOxyBWb0GQxrt

Score
4/10

Malware Config

Signatures

  • Drops file in Program Files directory 18 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MessageBG_1610.doc" /o ""
    1⤵
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2240

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\185535B7.wmf
      Filesize

      444B

      MD5

      23fd1269744503889b079ebb43443e9a

      SHA1

      7f0523fd772a95f6fbe53b6e048bb30e4c8f17cf

      SHA256

      b478bd0dab39bfe96f718df5eaed704f09dd200310c794fbe0b05a6fa3352740

      SHA512

      de7ffdb133ac197f2b976a5cdfffded4f9007e01f4c8b2a202d69510a7c1de6a1201a836869d3ddbdd47d52d73afc707b152c2f31795acb523662fc75abecd88

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E0AF9FDD.wmf
      Filesize

      444B

      MD5

      4aded04f791e52195bd18347486d5d85

      SHA1

      f3ce3181e7e19a93dd78053c589855581b131759

      SHA256

      00a19ad5eb511616b843b18a653d986beb507934b35b3fedede02205a17059c1

      SHA512

      cabbe71cb651d84e0f163d7c471eaa8c07c759edbf7f373f790d9b35451bc2c6b74990913e11be6b3685f70ba90703333b469cf0e7ce275de6e7075c663aeee4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{A0055961-D19C-4899-9685-893FD490AAA3}.tmp
      Filesize

      1024B

      MD5

      5d4d94ee7e06bbb0af9584119797b23a

      SHA1

      dbb111419c704f116efa8e72471dd83e86e49677

      SHA256

      4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

      SHA512

      95f83ae84cafcced5eaf504546725c34d5f9710e5ca2d11761486970f2fbeccb25f9cf50bbfc272bd75e1a66a18b7783f09e1c1454afda519624bc2bb2f28ba4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MessageBG_1610.doc
      Filesize

      76KB

      MD5

      3a2f32f7e394122ac815ed3f8077d85e

      SHA1

      174735a0d651c144182eea99c2924e6c5fe6692d

      SHA256

      6d9118d170dead07e281079f870e55b1d6a72d40f2548878508a7838c01845b2

      SHA512

      36f9b2f5df0801cb6a9263452376fc27f33e6ebd780c65bd0da0aa9dcc0178cde2fe5577286fb49b80e80bb911a3550c20921988d6ec80b5f95df8ac7bb23ba9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TCDD4CE.tmp\sist02.xsl
      Filesize

      245KB

      MD5

      f883b260a8d67082ea895c14bf56dd56

      SHA1

      7954565c1f243d46ad3b1e2f1baf3281451fc14b

      SHA256

      ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

      SHA512

      d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO0127.acl
      Filesize

      12KB

      MD5

      8454bce97bb936c1dee92e3331024bfe

      SHA1

      9b3a44daeeb574716eb09e34f449ddaac66a6edb

      SHA256

      b4887aa604c5829838f3f4c6e17fcebec4245e5353d957d458727021ff4d90f7

      SHA512

      b43a54d4ce1f362129387626c02bf3c5038114ca204b100a6a6bb44732b431198b0424a71e5c0a72cc017ca0e7db8a19635203b49593d92400f175db0273fc5f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      3KB

      MD5

      86b7d659f3028ecbdf2af97f282e72e9

      SHA1

      ca6756e6341ea040f4dda533c67416403916e15a

      SHA256

      72967f459f5854c0f89a4a58f3e8b01554ec6226d199415a8d0e9ee351d6346a

      SHA512

      9e28153f624987a45b14106cf6d90ceae22f4edd8c7e85bc9188e704bb1f57fa6b02a4a2b4210563330e8e3e31d77519d3ac4198e33fcbe891672dfcbab715d5

      Download Submit

    • memory/1884-6-0x00007FF9F0A60000-0x00007FF9F0C69000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1884-7-0x00007FF9F0A60000-0x00007FF9F0C69000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1884-10-0x00007FF9F0A60000-0x00007FF9F0C69000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1884-9-0x00007FF9AE580000-0x00007FF9AE590000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1884-11-0x00007FF9F0A60000-0x00007FF9F0C69000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1884-15-0x00007FF9F0A60000-0x00007FF9F0C69000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1884-14-0x00007FF9F0A60000-0x00007FF9F0C69000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1884-13-0x00007FF9AE580000-0x00007FF9AE590000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1884-12-0x00007FF9F0A60000-0x00007FF9F0C69000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1884-8-0x00007FF9F0A60000-0x00007FF9F0C69000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1884-2-0x00007FF9B0AF0000-0x00007FF9B0B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1884-4-0x00007FF9B0AF0000-0x00007FF9B0B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1884-5-0x00007FF9F0B03000-0x00007FF9F0B04000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1884-405-0x00007FF9F0A60000-0x00007FF9F0C69000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1884-3-0x00007FF9B0AF0000-0x00007FF9B0B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1884-0-0x00007FF9B0AF0000-0x00007FF9B0B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1884-1-0x00007FF9B0AF0000-0x00007FF9B0B00000-memory.dmp

      Filesize

      64KB

      Download