24c9956c1ab785a7f0eb7892cf01f5a59a5957ee701923ef245f3270f1e6f23d

General

Target

Po docs.docx
Size

332KB
MD5

4ab013e98625a60cbae24218f511e8ca
SHA1

4590cda6a76d5ea59381018a92b5abc4ceff1777
SHA256

24c9956c1ab785a7f0eb7892cf01f5a59a5957ee701923ef245f3270f1e6f23d
SHA512

44ada7025ef814315066a5753e98c9316d8a43bc1030f843b8edcacfe7035bfe0fb2b409df316c83571870217da37116a4e70cd210295783b7d29ef1b1dc80e6
SSDEEP

6144:D0y2p9danlYOU5lMpm1DfLi/CgefKA7Ldy+wLrwIlLiQAkExPy+Mc/RCed17n:fWAlYOUlAm17Li/CfCbXwIBAkExPCcY+

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2516	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2516	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2516	WINWORD.EXE
2516	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1184	2516	WINWORD.EXE	31
PID 2516 wrote to memory of 1184	2516	WINWORD.EXE	31
PID 2516 wrote to memory of 1184	2516	WINWORD.EXE	31
PID 2516 wrote to memory of 1184	2516	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Po docs.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{5AA77FB8-7412-4A58-9F20-C4B2359B1B22}.FSD

Filesize
128KB

MD5
8ad46ea039459c4c02de492bb416bcb4

SHA1
0d4d897a263a49c4feb64bc47fbc7c155ebcd1cc

SHA256
9efc8668cbc9389fc584d5c2af78ea6066063487a2c150f9166d5e08984c4466

SHA512
a7d46935f689ba7afaf398febc9cfeff7d310c3bc69b729f8f5674d4995843490f42552e37e380c4ae77d61f26e4c2e5555cb521566b9893fabbafa4ac4af736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
a85cdbefa7b6146ba00ef186f9df9990

SHA1
09ef36aab41320736db48fd9f21dc2a036b50b1d

SHA256
155749f73a60aeb80f575d46c2c57f306c58fe3a5428f1ef089b37e27cf6dd61

SHA512
b43a4ad4790ff930c2aefe8f164808900a4bbf4f9c26998b1ca4c59cb6a16cebe23518b2f45e368829f365614f6b6b8567930042bf05f9d80900bd334e31e1e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1151C90F-B6EF-423F-805D-A3C6A7C17EC1}.FSD

Filesize
128KB

MD5
044acd6ff7f546dca8cd520aa6071748

SHA1
157b07460cfb6d222dc70d000e885c8a449a4c05

SHA256
e045b9ce47538ed6f8e07ffbb777e4b289d0c50361f178be3c46b438311c0610

SHA512
365bb0af77f66af8bd78c7d20b7f64c110d666270c5572e9c2662d4a3317bc612df2ce8d4462195d0ddc09db7f462698e0be41d5f66f03f6bc61a81368c2d4b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1151C90F-B6EF-423F-805D-A3C6A7C17EC1}.FSD

Filesize
128KB

MD5
6f1b9603af4aa9aa2efe0d58be57036d

SHA1
cd5ca5fcf898d5954d6856393bbb35029e4de6ce

SHA256
48df89cac2dd819a1f738a9d24698dc945685e6e47a41f00825d8346132c3516

SHA512
f8c04d23a16216ef0164cfcd8c2c741aaed9ca804d471cae98d638e885c2b8dedcd0a9d75ed0d791a45ff7c29ecf6212a7f86a0ad7c9889023513891cabf4faa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNZH54VQ\LwtgQ[1].htm

Filesize
3KB

MD5
0808913fd1199b928be99e601027af33

SHA1
6b826c8d555b93eebe63c0082ea92dd8f3f84e22

SHA256
fa3841a48a78a51d42112c7988fafc5b1b03382afb9343732ff428dc714a15b5

SHA512
a3a59f158e457c6f6d87fffa1fdcc5352a8049aab6a23e9a126637905f6ba7d859ad370a8e31b30adc563063088a5ab119c1c98e6be56d117a03735144a8ed25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CFF3B68.svg

Filesize
4KB

MD5
e5c61878b60131a6ac8e94a80597f81d

SHA1
3b730bc3bbf3e56de4caa2389eac17bac1ad6997

SHA256
194f8974284cad509d798f11b1104d9dda63a550078e29c0725dedfb302024b1

SHA512
30ff13f4dd0153bb426c3e101a57524e7f29f1a2be879d0257f87a47eff8c2e069deadb064949b25b5e4200b5880645c8b71b5fceaec7be002b4d6c1f46fbd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\{270696E2-7A85-4F7A-9167-E853F0250C64}

Filesize
128KB

MD5
e9d8870634abe2b366c07f67b1f35f30

SHA1
5071a6010d64ffb0a810026588ce12b8ab87179a

SHA256
21cade1651063957cf781b643bd8008cca83264a78a19150c406b18e0e2ccb63

SHA512
32fa0fb594de439fbd17414ecec58ef5ed9b70ba3baf9a2e13f54a541c65a7b08c5dffb02a9badd4438d08eb560d7e1da3a41fbefe2b3b7810122c58fd771d6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
bb0d6c62607fc1f20e1cf8a6cb466947

SHA1
c3f4930bb0a39de40805f18eedc969ebeaf84ef6

SHA256
3e0e26a6d1760946bc10c878412a7a981e3a24554c008b91a8ab4eb2775f1377

SHA512
d3ca94f3d334d5b8c31a05386bc82ce79e21a1f0e8ba33bf6cc915bf043f2ad3d4a5dd749b223b48a53430104725a40ebe5363a0846092cc3e6d97ed4fd1730c

Download Submit
memory/2516-2-0x0000000070E7D000-0x0000000070E88000-memory.dmp

Filesize
44KB

Download
memory/2516-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2516-0-0x000000002F301000-0x000000002F302000-memory.dmp

Filesize
4KB

Download
memory/2516-122-0x0000000070E7D000-0x0000000070E88000-memory.dmp

Filesize
44KB

Download
memory/2516-149-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2516-154-0x0000000070E7D000-0x0000000070E88000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing