Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 19:11
Static task: static1
Behavioral tasks:
- behavioral1: EROOT.docx (resource: win7-20240903-en)
- behavioral2: EROOT.docx (resource: win10v2004-20240802-en)
- behavioral3: ERoot_1.3.1.exe (resource: win7-20240903-en)
- behavioral4: ERoot_1.3.1.exe (resource: win10v2004-20240802-en)
- behavioral5: Eroot 1.2.exe (resource: win7-20240903-en)
- behavioral6: Eroot 1.2.exe (resource: win10v2004-20240802-en)
- behavioral7: Eroot 1.3.3.exe (resource: win7-20240729-en)
- behavioral8: Eroot 1.3.3.exe (resource: win10v2004-20240802-en)
General
Target: EROOT.docx
Size: 402KB
MD5: 116b479d6ddd69cd6f3003fe7f3e680c
SHA1: 38cfdaa2baed93be0c8a157327688b0d1218b0c5
SHA256: c3508f3a554f606adc2ee25736181c64fe6da8d351fd6cfb8a963af8f221189b
SHA512: 7c3f193fd00338f7c10a04789423bceccadb46c627da13b0c75d942b847c26e014fe907142020525fd73f48bd55609521cb003d70570b724ba148422270f5fe5
SSDEEP: 6144:LPVgB6IWj6F84miZquPsW5LlTfDxZshwkGpuBGYmbq/aMglTfDxZshwkGpuBGGtp:DVW6IWjOI+UWlxfAMuwYaMgxfAMuwSJ
Malware Config
Signatures
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (process: WINWORD.EXE)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WINWORD.EXE)
- Office loads VBA resources, possible macro or embedded object present
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 1600, process WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1600, process WINWORD.EXE (two events)
- Suspicious use of WriteProcessMemory (4 IoCs, all identical)
  PID 1600 (WINWORD.EXE) wrote to memory of PID 2808, procid_target 31
Processes
1. "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\EROOT.docx" (PID 1600)
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\splwow64.exe 12288 (PID 2808), child of PID 1600
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 19KB
  MD5: 0eb5e9c5242e8d3bb6e6e4273024aaa4
  SHA1: 238f3db378feddda85f3dda3335ae9296a71214e
  SHA256: 244ec1f3520d65f127ddb366f09b1621d6d4e8c6ac23885f6eb15b485629112b
  SHA512: b35941abc5e6c70ce40e0e50f922f9c82b1ea4a31215025f188438f01dfe8f87471ca7fadc992505272b175bef78bf594de57038bf755db15e9fcad143f8fe9e