2a46c969a78724c32695e85dcb3dea405bded2eca713667e1717a4b74e379f33

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

用户手册.doc
Size

1.6MB
MD5

e84cec71e3f56033429815d2c26ddad1
SHA1

26b710585826a4d27a442c3ea6d91d7c23392cd1
SHA256

ddfe35c39d0b895f2d18eda747a8debd68698960bd4d6a51c83816362af50d48
SHA512

7d528bc7ed094e5f385dbd513b2d8afc7e2b45bbca4b8b2e3daec7ccd0a30a0b9cb56371dd0e6ce5cbda8298d07448382c0c44f7753fc4c35babbce3812a10a0
SSDEEP

49152:LazlPRrE22UreoruasPZcku7295Y/yye:L8lPwQ5gWkWmUe

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2136	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2136	WINWORD.EXE
2136	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2740	2136	WINWORD.EXE	32
PID 2136 wrote to memory of 2740	2136	WINWORD.EXE	32
PID 2136 wrote to memory of 2740	2136	WINWORD.EXE	32
PID 2136 wrote to memory of 2740	2136	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\用户手册.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
0cc7dd9ad35004b264777ff894bdf7b1

SHA1
2e64ca41a5fd52518aedf23aa5e83aa2eb7f9f40

SHA256
931ba0472641161edded6e6117f40548e03dbbddf5cf238cc2af690421592591

SHA512
4d9b2b9be4622152d5ae2cbb3684c3f71c48b0fbd6ba45fb46659136b072dffdee93b1b7f526e88ef6347ba923cf44b79145b9305e1082d6e8ab3ea867c908a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2136-0-0x000000002FE21000-0x000000002FE22000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2136-2-0x0000000070B5D000-0x0000000070B68000-memory.dmp

Filesize
44KB

Download
memory/2136-18-0x0000000070B5D000-0x0000000070B68000-memory.dmp

Filesize
44KB

Download
memory/2136-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2136-37-0x0000000070B5D000-0x0000000070B68000-memory.dmp

Filesize
44KB

Download