0ab74970f40073e5de46a0f9f9fd8ea83f7082f4e0be27fcd45d249515f91d1c

Analysis

max time kernel
43s
max time network
52s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ab74970f40073e5de46a0f9f9fd8ea83f7082f4e0be27fcd45d249515f91d1c.docx
Size

10KB
MD5

6b1defc7973541003416b77a1b06ac87
SHA1

c1bde8cbc4e5d405d9ecded4b07c50c374888a1c
SHA256

0ab74970f40073e5de46a0f9f9fd8ea83f7082f4e0be27fcd45d249515f91d1c
SHA512

fa651061ab3042e3590ea846a037f077b410dc23a43de4ef8cc171930cb081c6e6ff1f77d677201c84074abdf58503050a5a8b337262e4f4db0f58ba2ef7895b
SSDEEP

192:OEhM6yD7Z/c+8poF1d3jvvtlN9264wpCGhe3b8rfrGxjPCUUufeU:OqJGcfa7pr1lN92hwkGA3b+fyxjPCzu7

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\http:\172.31.102.226:8000\index.html!	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3024	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3024	WINWORD.EXE
3024	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0ab74970f40073e5de46a0f9f9fd8ea83f7082f4e0be27fcd45d249515f91d1c.docx"
1⤵
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{AE0257D1-64E0-41A0-9708-EDD65F83DB18}.FSD

Filesize
128KB

MD5
cecac51b52c114ca3b6bf16f4d04014f

SHA1
cf0addf492f1c47fc8e52bf208f6c23392712d7e

SHA256
1f56c6a1e996c7eb823b3d85678f214e2e1c2ee4862398470c7112c077c4be36

SHA512
98526556301060978a3edb3ddfaaba0128677ebdc788d99c78f05d07d88c22777a2a4abb956ad66ed5f198af21a5c3981f968fcf2dd4f8dc0864b5155448e361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
7b50c85a72998da2b89d6dfb66dc06d2

SHA1
a7def793a1e654cece1e9ac9d2d2ddb690fde624

SHA256
27a308be2c4fb34d4ac82b26212ecc1b6db92569f5bb3dc2635c980ee8c23dda

SHA512
e06f47f1b0abb6eba92d8ec56c2f8f8cfcbdc65c710853412c5098db5d05e39be7b70727b80aead32828584c7db925422d1234ca00bc66117d3a762031f736cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{3B2CAC01-782A-4135-BDBA-36E718EBC3C7}.FSD

Filesize
128KB

MD5
344eb74250fe55814f4622f5c78cdfdd

SHA1
f9f3e7b742a61f751db53e4e7b5f7a0401866032

SHA256
1dbb73b70a6054451502c48a1c5f8d0ae97fb509d010a03f0c474fe1f8ecd49d

SHA512
60070fcafac914c8f823322c1a16ebad23c291ec74e5429c078c3482011cbe7684ae5239e803ba2c6ccbcbaaeacd0e43bcaf6fe3e22b79d36bb043cb86ed5051

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B412F83F-247D-452C-BD4E-C914A8A71A0C}

Filesize
128KB

MD5
fd04c1c27af320ce11c6347f6cf43f00

SHA1
6a8a63a2ce7285273f9dcf4f8e937298fa20e4bd

SHA256
8dc3b2c4b613d69e7b101d7d997f3d9e691c745dc39c1f2196e06640b72205c7

SHA512
3847fb878f96209994b11c20f7f43bd14b5a1e4a7fe668d8291b9f97e376540c4bb136a7f735ba212a0cda571ee2a5849648fe6395ff9064339d30ccffeceb5b

Download Submit
memory/3024-0-0x000000002FF91000-0x000000002FF92000-memory.dmp

Filesize
4KB

Download
memory/3024-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3024-2-0x0000000070E8D000-0x0000000070E98000-memory.dmp

Filesize
44KB

Download
memory/3024-4-0x0000000070E8D000-0x0000000070E98000-memory.dmp

Filesize
44KB

Download