0efbc73c4e417d1153c08bdf7e101ee744a3f34c8241b073c2e0dfe34cd6139a

Analysis

max time kernel
31s
max time network
32s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ, SPECIFICHE E DISEGNI.docx
Size

89KB
MD5

678a5620c1a6144e6572baf64065c3ef
SHA1

8485b42751328b5aa0bbc88b01600e8f17cebbcd
SHA256

0efbc73c4e417d1153c08bdf7e101ee744a3f34c8241b073c2e0dfe34cd6139a
SHA512

53fb3a8029e9ad7f8e4f4b2861b856563fbef62c7339a73c868a8c986cb27ab75ee528b1c4fa4c9007c031676a07946ee0263d56aa106de86790e7b1d2139a2f
SSDEEP

1536:CH3mtb7ih7kPw17kG1Nc2FjOppKdA6KJvarn82+C4kAh6rhFRmxN/Sh+e:CHWt3ixkw17kcrOppKdsvarh4h69vmHu

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2672	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2672	WINWORD.EXE
2672	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1144	2672	WINWORD.EXE	32
PID 2672 wrote to memory of 1144	2672	WINWORD.EXE	32
PID 2672 wrote to memory of 1144	2672	WINWORD.EXE	32
PID 2672 wrote to memory of 1144	2672	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ, SPECIFICHE E DISEGNI.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1CD5C518-65EA-4A3B-AFB2-90D7A137F3C4}.FSD

Filesize
128KB

MD5
7e86f4ceb067497fa46bb5ae63314460

SHA1
0982411c86aadc9e83aea46874a4a6f34a7e4c87

SHA256
def4565aa5318587f279d4c6aac3ff743e897d3879b39cce869246d41425cbf8

SHA512
188cd74a482cb930290622939266b48b85bb01431c9b2056d9df722df8b7a9224e5e1fe0dc70be8fb8fdf2449c7449b3b4ee665760c9d6bdcead83d37f1d06fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
97393c2489a0085a5cce23e4d5327c0d

SHA1
a3bdbb3f5b311a44dd7afdb5744ad832bec66ae2

SHA256
2618802b107bc7a145a9cbf897ae74bfce085539f79228982e693c12491923db

SHA512
aa4af46b7c9ddd35a80a2696f6659c5142d57db0b99869a9082295c76d8871076ee01afb4846d08e0b9d5f878caa31bfe9550db4a2f71c359f3ee4709b5b917f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{82BAF72A-C1D7-4903-A1FB-BE217E2B545F}.FSD

Filesize
128KB

MD5
7de790c24b492121a9eb68f37bc5e6cd

SHA1
b2cf522c1004adda23041297d8d44a91ea6182c9

SHA256
c3bc2cb7a8cff0d546da1613fa75621dd2182fe0fb6b9343c4ed1306f384abe6

SHA512
80ac89ba9567f0ac998bf1e739cf54a214d61097e91d9332730a1bdaf7d74448a779b27a7c421788ec5e3aaf3709c06a3373e815c165c97ffac8513ca7d79d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0C2B9661-66D5-4105-82C8-C50C83D81C62}

Filesize
128KB

MD5
db21c19582f3c9dfe0e114cfe82b292e

SHA1
771a098e011cbb5589295a47d83b43f261ce9982

SHA256
5657571f7bbfce0ba18b17c4c109bdf5299a1716dc817a7dafed50ee8dd09645

SHA512
ac29f5e19b9ad0163c10e448f3ee9c12318dfa4ebbdde569af77993bb6479c835a0971d50a451af8a802fda26f87f5f6eaf5272315b185be3125677fbe75abeb

Download Submit
memory/2672-0-0x000000002FCB1000-0x000000002FCB2000-memory.dmp

Filesize
4KB

Download
memory/2672-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2672-2-0x0000000070B8D000-0x0000000070B98000-memory.dmp

Filesize
44KB

Download
memory/2672-88-0x0000000070B8D000-0x0000000070B98000-memory.dmp

Filesize
44KB

Download