03ebc4abc7ee8bbdc17e694b83e6294840281c7d0bc8aa86ab786e5389923b44

Analysis

max time kernel
100s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 11:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

faa55cc2c4ad1d49136da1677052765b.doc
Size

41KB
MD5

faa55cc2c4ad1d49136da1677052765b
SHA1

a6e90be00314a163c7b25928e9d12a20123e610c
SHA256

03ebc4abc7ee8bbdc17e694b83e6294840281c7d0bc8aa86ab786e5389923b44
SHA512

2a101c468ced5681cda4f5344e80971df8abf0977abd724507d5507a5bf7b9074bdf2f309156beec37b77cbad6efe999b2961b9166edca5b86acaa6e82a6bb46
SSDEEP

384:oJWhFmearBxn9n+iPoVlcwM6yRiSvhmLXG4ffrJDU/iDNsxz99:4VxnB+lUh14nFDU6DWxz99

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1628	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1628	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1628	WINWORD.EXE
1628	WINWORD.EXE
1628	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2428	1628	WINWORD.EXE	29
PID 1628 wrote to memory of 2428	1628	WINWORD.EXE	29
PID 1628 wrote to memory of 2428	1628	WINWORD.EXE	29
PID 1628 wrote to memory of 2428	1628	WINWORD.EXE	29

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\faa55cc2c4ad1d49136da1677052765b.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{36642227-F649-4B31-9BD3-4C8735E68C24}.FSD

Filesize
128KB

MD5
90e12a19884a487f7ce1660581101ba3

SHA1
8a93c2446131b6a840d4bb99047233d35cd91e3d

SHA256
25253925e37f9176692f1f06ff916ae45edf98166472c6fc1d77b1b538c9d8a5

SHA512
91ff2c5694f70f5486301cf973b401dfa7266c1fd51bc8601a99ade1f70587ec94cd3357d13264ddc53c8c0ce751d4edf3fb91c9725940b7d3f3167470f583cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
0830b3b8fc0df76e9aaba68b2512c1dd

SHA1
0efa6177243dade46396f4697901d39a9488adaf

SHA256
1d44e44af11a6ec6684589c82f0602d763bdf16b4cccf270400562aed2f1398b

SHA512
a6ca93866f607ea1f4e0484e86b7b7f0345d972d75effc8414e835797f9f62d8cb375ae4c85ae93c50fb6581edf03a3237ed964797e0fbed32ca864e3491d88b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{290843A8-748C-4033-B57A-F76B55C78006}.FSD

Filesize
128KB

MD5
d5081c9843a2cef4ef365ef0f9d650b9

SHA1
ebe94b959989b278074459fe2748469238bec20f

SHA256
093c5e7eeaf8d56a55304bdd7c76602a8111dd4d25cf51d2271b3571c2d1b246

SHA512
8fc2ec1a625f427beed66774001d332e1a16ae23fb35772c16b0cafa7810fb36193b88f14d58a54653ebeab4c260ed0824e68e6619bb9e59094b5c9eb0a0872d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{378376D6-EC29-4F67-9280-F5A90A05FD8C}

Filesize
128KB

MD5
a36926b64aabe3e1d5f5190f1ffa2b24

SHA1
b56136f6e7d16a1f4db3c1581d55b48de3b2fd34

SHA256
070062c57000969cb9bcfdab282971fa78556896f188346bb6867322c7337f3b

SHA512
a8b5fc01c6ec9bfde140af403f752c91bb32e3353c0b8fc99fd37ca50c5449cf1c5072181692e434b0ca2b4e4b378cefe3dde108be250d3d157f1eaa231f6db1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
0159c758599b3ad3a149f2833cacf95f

SHA1
f012d27833235018a7c8ee7660804a080bb0d6f0

SHA256
be5090ff66d0c0a2b487805de534172a6bc6f7e4f8bdf0b02d223ddb5c5be189

SHA512
600e39af45cd9f1c882ecac22825fdbadd34c1bfe70e653444eb8b75b841e83a35fe85e177afcc5e2202948503d79735b44db842f363cd34808a9b6bf9d555f9

Download Submit
memory/1628-0-0x000000002F411000-0x000000002F412000-memory.dmp

Filesize
4KB

Download
memory/1628-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1628-2-0x00000000714AD000-0x00000000714B8000-memory.dmp

Filesize
44KB

Download
memory/1628-66-0x00000000714AD000-0x00000000714B8000-memory.dmp

Filesize
44KB

Download
memory/1628-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1628-84-0x00000000714AD000-0x00000000714B8000-memory.dmp

Filesize
44KB

Download