593e456b758b8b5545f2e14c56c1f4e52fcd267f89f5f4449b1686b05a22b53b

Analysis

max time kernel
138s
max time network
139s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 08:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

INQUIRY.docx
Size

179KB
MD5

85a01b3aa84bd5506d76bad713de99bd
SHA1

979a9a92c2d53acbe306f00595297e61f807b311
SHA256

593e456b758b8b5545f2e14c56c1f4e52fcd267f89f5f4449b1686b05a22b53b
SHA512

c74c5666191ea1cd27aeda18132d954f22f446a342640488b6b752b7af75137e554844dc7e80b1afe860993ce896a79a7d61c5291d937be584a9130945b05f1d
SSDEEP

3072:SiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XUA5Vo:o5r/g+qZMpcFSQzYHut4dV/o

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2424	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2424	WINWORD.EXE
2424	WINWORD.EXE
2424	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1724	2424	WINWORD.EXE	32
PID 2424 wrote to memory of 1724	2424	WINWORD.EXE	32
PID 2424 wrote to memory of 1724	2424	WINWORD.EXE	32
PID 2424 wrote to memory of 1724	2424	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INQUIRY.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B9274AF5-E74F-4C19-AC88-A4171834CE71}.FSD

Filesize
128KB

MD5
9fd234ee394d7ceba9bb957e84729130

SHA1
748d36b0f91ae760b50ffd4e62bbb15910772ca6

SHA256
df9b5709200e8887254b074f10491b2be0c107cf1e59a91c926d4ca7701efbb8

SHA512
f8ead6b7107b0d2d3faa889f3973fce507419d79bbe75f4385085455575ae51d24bf43d1d7b4b574d04e2d98de49c5e56593d3403cf75b1fff3dcfdddfd10f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
dce282da6560512a145cd406e92bd4fa

SHA1
476532d9640075ec4324cab7c86c62168d089ada

SHA256
2575dd177b9de24297ab39d70130f8745e2d3eec31e26f553d64fed2df10fe6e

SHA512
068531dcf37c0495f58dc5634baf4fc744922884d94eb2a36250652dcdb3178be12ec5ebdbc4d7ac2fd776ec147b8b8a9f63a25828e6254e2e9376059a860457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{990D37B9-1059-41CF-8CD8-0ED4F411CBB1}.FSD

Filesize
128KB

MD5
109732ded3c3f7174b774664f057840f

SHA1
7150728ea884cc775bf14338cd001cedd42ce6fc

SHA256
f479f592dc413909889b53a6bbf14362b8908866eecb126b8b13283ee6cd73db

SHA512
478f9637b69c33c4542a4b01afe24e9cc6e2795838d1e098c8bb53b971b4820a72f90b2e5129b882f2466e4aa1aec97a80ac3d10d83242fb5e25dd238425049c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{09AF7624-3C73-4CA0-A516-30031A6B62F6}

Filesize
128KB

MD5
8555b8b0d2f7f260f7448d749955c945

SHA1
0b4b7517bd0adb15d33745eb102dd87996a8c85d

SHA256
b72fc7d160245875a2685afdb09ecae815ca9f08cfe052fcb951111e9af3202c

SHA512
2573027c1a5f568eb1c26be6eedd8dafc370e407d8f136b517dd8f3c04a7ead4e12d0482fb6acf5bcb8aa562686701bd7e3d8e7eb93d5f6355d2122d520cf1f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2424-0-0x000000002F281000-0x000000002F282000-memory.dmp

Filesize
4KB

Download
memory/2424-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2424-2-0x0000000070E5D000-0x0000000070E68000-memory.dmp

Filesize
44KB

Download