6fdccfbcf36463c0d9212d148dd946d0669e334099fe35b0db00317ab837b7bd

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 23:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/EULA.rtf
Size

17KB
MD5

0369fd4801819cf7ecec362224c518a7
SHA1

98520ff7afce25000f4c293f7b4b925a368b101d
SHA256

bbfb052969657e005eb1db1e998f2cbd45fd7f44b214fe262a6c5c94443be20f
SHA512

1b4fe3af2ced6614d97358c1f571240c451f91712281dfa01d286a4ad66081aeec0a45ad5b0bf04f83e499977a38ca9d93943b1bd92ceae5a2c02f5f628201a3
SSDEEP

192:zEf8chvUt1wrN2NcerasvDh/ndI0jyGjQLTKQN686NCHyjvtsoeVQTcOHmNoBlRH:zkRUorMfaGFg4WTd6BjvWQlRFyvmsV2

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1976	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1976	WINWORD.EXE
1976	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2996	1976	WINWORD.EXE	31
PID 1976 wrote to memory of 2996	1976	WINWORD.EXE	31
PID 1976 wrote to memory of 2996	1976	WINWORD.EXE	31
PID 1976 wrote to memory of 2996	1976	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\EULA.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
50776dbbc0e12223e78dee0983a193a1

SHA1
d9a00980bf5592d0e78c11c8258e62341d6df1bd

SHA256
ed5b82ba35d1455eac5c3baf471f582da2ce10b85a74cc70f46757c914e2bd5f

SHA512
9bc66b169b7164d45fc68ad9979b6dd1f5e917a57ede2a4cc9bacdcdeff099ba2182461e8195ad727c7fd5ab7cf5de461d017b551f40c94e92ea3d876b5fc6ad

Download Submit
memory/1976-0-0x000000002F3B1000-0x000000002F3B2000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1976-2-0x0000000070B4D000-0x0000000070B58000-memory.dmp

Filesize
44KB

Download
memory/1976-9-0x0000000070B4D000-0x0000000070B58000-memory.dmp

Filesize
44KB

Download
memory/1976-27-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download