b92c2db67a490623bd44bd650981cff965e3ca60976bc323d7cbca78a8333139

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b92c2db67a490623bd44bd650981cff965e3ca60976bc323d7cbca78a8333139.docx
Size

118KB
MD5

0a64157208fba424772acbe777f7ced1
SHA1

7a2cc244ab768d362d0a793f54e8f3bcdbc14924
SHA256

b92c2db67a490623bd44bd650981cff965e3ca60976bc323d7cbca78a8333139
SHA512

2b8cc252916c0f1df6658676313d8285f2dd184a7593e082a4499d336695d4ea673090edd2db6576bc2f56bd59199dd8f47fa9f87a0a2e33473f5c3e540cfa8c
SSDEEP

3072:OyhOcve1C3MdQzpZEeWbaChxbZkG5v7P2LcC:zhhYC3MApSes/FrPTC

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2864	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2864	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2864	WINWORD.EXE
2864	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 952	2864	WINWORD.EXE	33
PID 2864 wrote to memory of 952	2864	WINWORD.EXE	33
PID 2864 wrote to memory of 952	2864	WINWORD.EXE	33
PID 2864 wrote to memory of 952	2864	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b92c2db67a490623bd44bd650981cff965e3ca60976bc323d7cbca78a8333139.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
d179d33a1c6c63f3faab1662666334a3

SHA1
42fc6539127c9c316248e02157bfedbf6fa20f10

SHA256
6760b4bc6a4c604a295991901d4ebe9695fa3b29ab5c71bab2cd35e1d64a1a47

SHA512
ab348ca2cc8a1cf6d5c3d21756102d1b8b32367ae74959852584bf27069498f36c897f971ff02d6767d21dae1d139fe84986daeeeb17a9f980587429e45708d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{55488900-FF4C-482B-AEE1-A488F6C46E96}.FSD

Filesize
128KB

MD5
6d78ac0efa04cbc46ab893361a8bd1f2

SHA1
d13f5136e6010b4f678cd9d5e754197667c7431d

SHA256
9d68bf19ef22838881ac09de2a59040bddda1a099bd23348da384020a1dd477e

SHA512
fd3f96b6d8a5cd802b0cba9f4504eaef01f4cd7a32cb60a9aa6f31d2bb3f2d09fd2c62e14075c04fe251e34540cccb6d822d11d2a135305bf68dbce0e33ed0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C3ABC4AD-D344-46FF-A57C-05D12361A214}

Filesize
128KB

MD5
9af139314cbd4b322e10800f431c24ad

SHA1
942c01db7b515841a1f25556afefbded75afd15d

SHA256
6703f0c389750a69082ad8fe13764cc913285090df182f0e4c9fc112875bb6b1

SHA512
239554b406aecc42542dc942a3aac5f67b6d29c0c4efc8aef48c337172a395fe7b59a14e097dae698ed7b4b93d0bc48ac507e429fa8a030c382ce6f28d144acf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
199e20ec2125788e741594bdf419a72f

SHA1
da44f69ae9a26adc456adac3cead31bd560ca447

SHA256
a1573e75f25315fc9afcac39a17f04f45faec318c325effc55696640e622fc52

SHA512
08771d3168b449bf251aa5bbb2e87f2baeed1a543b6b226aa486e57985a4334b6e08203ad81dc82251ab807cd14176fba3631e093338761261f17d215bbc31cb

Download Submit
memory/2864-0-0x000000002FD11000-0x000000002FD12000-memory.dmp

Filesize
4KB

Download
memory/2864-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2864-2-0x0000000070E0D000-0x0000000070E18000-memory.dmp

Filesize
44KB

Download
memory/2864-76-0x0000000070E0D000-0x0000000070E18000-memory.dmp

Filesize
44KB

Download
memory/2864-106-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2864-111-0x0000000070E0D000-0x0000000070E18000-memory.dmp

Filesize
44KB

Download