Overview

overview

4

Static

static

1

HEADSPIN.exe

windows7-x64

HEADSPIN.exe

windows10-2004-x64

MC.exe

windows7-x64

MC.exe

windows10-2004-x64

BEEP.vbs

windows7-x64

1

BEEP.vbs

windows10-2004-x64

1

DEL.vbs

windows7-x64

1

DEL.vbs

windows10-2004-x64

1

DISPLAY.vbs

windows7-x64

1

DISPLAY.vbs

windows10-2004-x64

1

N1.exe

windows7-x64

N1.exe

windows10-2004-x64

NRLG.bat

windows7-x64

1

NRLG.bat

windows10-2004-x64

1

NRLG.doc

windows7-x64

4

NRLG.doc

windows10-2004-x64

1

NRLG1.exe

windows7-x64

NRLG1.exe

windows10-2004-x64

REBOOT.vbs

windows7-x64

1

REBOOT.vbs

windows10-2004-x64

1

STOP.vbs

windows7-x64

1

STOP.vbs

windows10-2004-x64

1

TORTUGA.vbs

windows7-x64

1

TORTUGA.vbs

windows10-2004-x64

1

TRASH.vbs

windows7-x64

1

TRASH.vbs

windows10-2004-x64

1

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/09/2024, 18:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NRLG.doc

  • Size

    2KB

  • MD5

    5eb0b30f6f816614e0ce08daa94e33e3

  • SHA1

    3e01474acffd91fd18ac80094db7af506ea3794f

  • SHA256

    bfca2a4a9fd3ce343d2c36f96700ee6bba18474005be7f1c67a682f799e1baca

  • SHA512

    1be0ba0105cd664738bd3555020f33f170f69fcf507828acf261aa39eb5836d34792c90ef8d6238c8ab857e9602c5f208b6a67bc859d63e0171cf5f36d9a0bdc

Score
4/10
discovery

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NRLG.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2688

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      3f143ab7708acdda3ec16b5cc6f068ab

      SHA1

      f24f367a24a33221a417ba73bd84625247b1121b

      SHA256

      a88456b272ecae359ef7677ad9507342b4623d5256d6f7e21905da6356d17df8

      SHA512

      e984e3e599e5ebd084e4d4e91b89f0375cc45a64940c35ffab1b2327fe766a92b124863c077373d58407fb922d98c0ab6ceea3bbf1446417f10a6511cf922175

      Download Submit

    • memory/1916-0-0x000000002FCA1000-0x000000002FCA2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1916-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-2-0x000000007126D000-0x0000000071278000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1916-9-0x000000007126D000-0x0000000071278000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1916-27-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-28-0x000000007126D000-0x0000000071278000-memory.dmp

      Filesize

      44KB

      Download