43fd4f99f4121ae1c321154612d720660bac3407252c6b0ee2e269519a64b203

General

Target

e25c5110-11f8-4948-2c27-08dcb6c2a63e.docx
Size

179KB
MD5

af451f49111d54cab74320ab65bc4783
SHA1

b39fd9a64df62b97b91227966a0cf0a72d2d5c72
SHA256

43fd4f99f4121ae1c321154612d720660bac3407252c6b0ee2e269519a64b203
SHA512

f467f991db2aec88f59090784f9b3616b5d36a0fd393896ac703cd4c7b451398e9e071a3131b62dba1a1ab68e82dd18ef8fd53d741201e37ebb0b36660b459c3
SSDEEP

3072:ciY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XU4Tto:m5r/g+qZMpcFSQzYHut4d1Bo

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2640	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2640	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2640	WINWORD.EXE
2640	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2776	2640	WINWORD.EXE	32
PID 2640 wrote to memory of 2776	2640	WINWORD.EXE	32
PID 2640 wrote to memory of 2776	2640	WINWORD.EXE	32
PID 2640 wrote to memory of 2776	2640	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e25c5110-11f8-4948-2c27-08dcb6c2a63e.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{03F7B97D-7AEE-469C-9B34-F292B19C99DC}.FSD

Filesize
128KB

MD5
ddc06d7de46daf21d6e68110af644248

SHA1
419857fee1b94d9ae2a213961a78c322e4920055

SHA256
debf7213d7885a876e36b9e8430612ef1d4948a47e7c86f41464d193b903f3ed

SHA512
8d39d6f98560040ccf9f9d4deaf4eaa1d368099c2ad4858fb4644be000c2a336eeab23367b8d48aa2e2c3d65348dba45dfa93513cde152590878b4e78423df5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
99cd4a664bcda257c4b1eb76d62d6824

SHA1
ade4c7f8ba338dcbe95a539441c2858d1747a0dd

SHA256
6b1faa962c54d587fec6e2c64203525c544495acece1edbae37f2a00fc5db311

SHA512
4a36b66e3645e8d8ae7d3145da1be52f1f9c72227ffef82c888435a5d598448c224f43839b87e155ce18438d249fba00ce75b91d749511a7e2c949ad904df114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C4C81DAE-6B0E-4573-B1BB-F51B1658C3F5}.FSD

Filesize
128KB

MD5
6a75da6a749179ef5284ad8d11a55059

SHA1
97427215a7fa42e389591d555989a7047b08f253

SHA256
6a8da3dc9746d0c4a1ef3bfd344472d8a5596d1ef1a93d55ce41961fe768a820

SHA512
07de5afe4e3315b775d2b7fe54d9582175235837b565da98bfc1789d7132883fce2eb3dab69c47a1a1b6736ce0ee460fddc3cd51e7542f570f1225193cb81996

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5215CED4-1239-4EC8-84D1-1E54A957DE69}

Filesize
128KB

MD5
203b2b74982c8ddd281d9cb6284eebea

SHA1
8f5260be56d20abad19d34b20a15fb5e7f6849d0

SHA256
e7d74d70e3e6146aeea8226294ffb7d13f9e6982f2e46c2583af6adc17a0bd3e

SHA512
37970ef579c5fb2ab5dce9715b19dd089e31d3884418c31cd0f6b65744c2b0ac98ff93b73199964cb9b1c45deb5b79039f6c2987c1ef6ea6de1316e9e31fabcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
57093b5e869c6752ef76a5803f9fb7eb

SHA1
905d3f4eff9899f6e0d6265f2e1405d8b57fac5a

SHA256
0af314ae4a4a23fd33e7bca979dc66566dd3f84ff65db3780d022c49ba6ddb05

SHA512
793334327d5bab47fe237679287148302b2d872e8075de6a84274daf29f4de3210dbfc654f63602494bae7e1e0d7fea0c29b2f89d1da497d0a9e774982600fe6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2640-0-0x000000002F651000-0x000000002F652000-memory.dmp

Filesize
4KB

Download
memory/2640-2-0x000000007154D000-0x0000000071558000-memory.dmp

Filesize
44KB

Download
memory/2640-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2640-75-0x000000007154D000-0x0000000071558000-memory.dmp

Filesize
44KB

Download
memory/2640-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2640-99-0x000000007154D000-0x0000000071558000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing