efc99e6f3cdd10313c52a8ad099424e3f39ab85b75375b8db82717d61c7f0118

Resubmissions

31/01/2025, 14:57

250131-sbpepsyme1 8

30/09/2024, 18:27

240930-w37bdatbkh 8

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efc99e6f3cdd10313c52a8ad099424e3f39ab85b75375b8db82717d61c7f0118.docm
Size

53KB
MD5

35fee95e38e47d80b470ee1069dd5c9c
SHA1

499741c55cae1c4e76a90a9572fda191ca2d0451
SHA256

efc99e6f3cdd10313c52a8ad099424e3f39ab85b75375b8db82717d61c7f0118
SHA512

c017a5b7e38f7bc79a148ad7984839a5a7faeb2cda62fd4f337af4ff1693e4a25a68c4d22bba0bcdc527b77a3faf250b20b053841b26dca5da5e9a8913cfdec7
SSDEEP

768:pJYfzvmaYEawlszCfXDhQUsjiSqIbo9M79RiOglY0D6I6luuHUueAt4AOVSKq+EY:c7m+S+uiSzQMkY0D6I2ipAt4OdK

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2216	WINWORD.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2216	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2216	WINWORD.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2216	WINWORD.EXE
2216	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE
2780	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2304	2216	WINWORD.EXE	33
PID 2216 wrote to memory of 2304	2216	WINWORD.EXE	33
PID 2216 wrote to memory of 2304	2216	WINWORD.EXE	33
PID 2216 wrote to memory of 2304	2216	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\efc99e6f3cdd10313c52a8ad099424e3f39ab85b75375b8db82717d61c7f0118.docm"
1⤵
- Deletes itself
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2304

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\efc99e6f3cdd10313c52a8ad099424e3f39ab85b75375b8db82717d61c7f0118.docm

Filesize
50KB

MD5
d382e2b208ec6e4a70a08ec0e6fe2b4d

SHA1
10897df6d3d2056c02556ec239e84e48ee3e144e

SHA256
c6d1590df34fd9bf9c2d98b5f2af9b63cbffca939dadb407b2389d709c1f723a

SHA512
60b6186b51226962b4c9eeb61c62c6ef7b7a287519f7146c5a83d839083027b95e14c745fd5ad8bcc54b926925d2740fd6249764a9364d22874321f92f7ae878

Download Submit
C:\Users\Admin\AppData\Local\Temp\efc99e6f3cdd10313c52a8ad099424e3f39ab85b75375b8db82717d61c7f0118.docm.doc

Filesize
22KB

MD5
63bd43c490a9f55ffff04dfc51349b0f

SHA1
3e0e178869a3ef30710000a1224a88e413bcfd26

SHA256
3d9eeb8f9f5307d89460fc6d941737334b50a765ba28c01ae7475eb72a560343

SHA512
0a9c1af7d04fb27c2491b6f24baa4c8c843e2167747756f85568ed83ac5350ebf8ccb5052c80147bb98bbd6f1e011dc73969667e8ad96a905413f65ded78587c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0809.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2216-33-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-2-0x00000000717CD000-0x00000000717D8000-memory.dmp

Filesize
44KB

Download
memory/2216-260-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-10-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-9-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-8-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-15-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-19-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-18-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-17-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-16-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-14-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-7-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-29-0x00000000717CD000-0x00000000717D8000-memory.dmp

Filesize
44KB

Download
memory/2216-30-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-34-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-36-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-37-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-35-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-0-0x000000002FA51000-0x000000002FA52000-memory.dmp

Filesize
4KB

Download
memory/2216-12-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-259-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-11-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-46-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-47-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-43-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-45-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-44-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2216-59-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-61-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-32-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-64-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-63-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2216-62-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2780-49-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2780-48-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2780-138-0x00000000717CD000-0x00000000717D8000-memory.dmp

Filesize
44KB

Download
memory/2780-137-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2780-50-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2780-38-0x000000002FA51000-0x000000002FA52000-memory.dmp

Filesize
4KB

Download
memory/2780-40-0x00000000717CD000-0x00000000717D8000-memory.dmp

Filesize
44KB

Download