6a1a08d4c5eb6207cdaf416e31f148a184f1f61a788a378de4c25933d12514cf

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c08fcf65f1829d026d9824dfe0541398_JaffaCakes118.rtf
Size

130KB
MD5

c08fcf65f1829d026d9824dfe0541398
SHA1

5bb9f94e5c460dacaee6033fcf2067fc31bac332
SHA256

6a1a08d4c5eb6207cdaf416e31f148a184f1f61a788a378de4c25933d12514cf
SHA512

4993aea1339554963f0f70249c96f4eb9a797262e579bccd9511a215868aa9c79b68a1928f54e1dbfcc8f92df26d1d6b3f8b762907cc20f67aa88a1600a18b6e
SSDEEP

1536:0PpBwu+osFYSH7CetfRQ01nzkBv5YFAqKhWmuKEcJjTLKT+kS:0PkWSWeBzkBv5PnhWmu3ETLwS

Score

6^/10

discovery

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	352	1584	DW20.EXE	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DW20.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwwin.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1584	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1584	WINWORD.EXE
1584	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1584	WINWORD.EXE
1584	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 352	1584	WINWORD.EXE	30
PID 1584 wrote to memory of 352	1584	WINWORD.EXE	30
PID 1584 wrote to memory of 352	1584	WINWORD.EXE	30
PID 1584 wrote to memory of 352	1584	WINWORD.EXE	30
PID 1584 wrote to memory of 352	1584	WINWORD.EXE	30
PID 1584 wrote to memory of 352	1584	WINWORD.EXE	30
PID 1584 wrote to memory of 352	1584	WINWORD.EXE	30
PID 352 wrote to memory of 2448	352	DW20.EXE	31
PID 352 wrote to memory of 2448	352	DW20.EXE	31
PID 352 wrote to memory of 2448	352	DW20.EXE	31
PID 352 wrote to memory of 2448	352	DW20.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c08fcf65f1829d026d9824dfe0541398_JaffaCakes118.rtf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1584
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 932
  2⤵
  - Process spawned suspicious child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\SysWOW64\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 932
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259441971.cvr

Filesize
860B

MD5
4509eaade5cdc565bb3d8aa910a1b369

SHA1
7e6cec11167fdab4856c67bdd9d6881eb1b2798f

SHA256
be4a83a39cb3642eefac479c7adc906cfba5039194fe42e92db1e88fcf9a4ba5

SHA512
5dee354634bf7cf081bdcd9fb2bfdb2dd6028fe30431e4e70bc28ac57026902315877e63abdce1a9a66963e6e00dca6d7d7ee2cdcebf5011c538cd29c77fb5b8

Download Submit
memory/1584-0-0x000000002FBD1000-0x000000002FBD2000-memory.dmp

Filesize
4KB

Download
memory/1584-2-0x0000000070EFD000-0x0000000070F08000-memory.dmp

Filesize
44KB

Download
memory/1584-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1584-7-0x0000000070EFD000-0x0000000070F08000-memory.dmp

Filesize
44KB

Download
memory/2448-6-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2448-8-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download