Analysis Overview
SHA256
fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc
Threat Level: Known bad
The file tmtzxc.doc was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Launches Equation Editor
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-01 14:42
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-01 14:42
Reported
2024-10-01 14:45
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\tmtzxc.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 2.18.63.57:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.117.74:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 57.63.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/4376-1-0x00007FFBC4F6D000-0x00007FFBC4F6E000-memory.dmp
memory/4376-0-0x00007FFB84F50000-0x00007FFB84F60000-memory.dmp
memory/4376-5-0x00007FFB84F50000-0x00007FFB84F60000-memory.dmp
memory/4376-4-0x00007FFB84F50000-0x00007FFB84F60000-memory.dmp
memory/4376-3-0x00007FFB84F50000-0x00007FFB84F60000-memory.dmp
memory/4376-2-0x00007FFB84F50000-0x00007FFB84F60000-memory.dmp
memory/4376-8-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-10-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-11-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-9-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-7-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-12-0x00007FFB82890000-0x00007FFB828A0000-memory.dmp
memory/4376-6-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-17-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-20-0x00007FFB82890000-0x00007FFB828A0000-memory.dmp
memory/4376-19-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-18-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-16-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-15-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-14-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-13-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-34-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-35-0x00007FFBC4F6D000-0x00007FFBC4F6E000-memory.dmp
memory/4376-36-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
memory/4376-37-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCDC71E.tmp\sist02.xsl
| Hash | Value |
|---|---|
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-01 14:42
Reported
2024-10-01 14:45
Platform
win7-20240903-en
Max time kernel
90s
Max time network
95s
Command Line
Signatures
VIPKeylogger
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2116 set thread context of 2092 | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| File opened for modification | C:\Windows\resources\0409\reproductivity.ini | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\tmtzxc.rtf"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 154.216.20.22:80 | 154.216.20.22 | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.169.46:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.169.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.179.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.180.1:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/2104-0-0x000000002F331000-0x000000002F332000-memory.dmp
memory/2104-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2104-2-0x0000000070BED000-0x0000000070BF8000-memory.dmp
\Users\Admin\AppData\Roaming\tmtcy20306.exe
| Hash | Value |
|---|---|
| MD5 | f7e702effaaad33faa0cbc4f87da2d07 |
| SHA1 | b8be783f38b987f8c88f7de258d69a648033be72 |
| SHA256 | a44de00550c4b3adc9409fd1fb559cab02a9efab1a1352ff07b896a2cea98678 |
| SHA512 | 43e29d3926317d7234f333e41177cafce5e4bd297d3a854f7959aad341eb68748b57113c41bf9173b5d838c7460ca146c21ba2dbf982535e5ad736118773cec9 |
\Users\Admin\AppData\Local\Temp\nsu22EF.tmp\System.dll
| Hash | Value |
|---|---|
| MD5 | 9625d5b1754bc4ff29281d415d27a0fd |
| SHA1 | 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0 |
| SHA256 | c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448 |
| SHA512 | dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b |
memory/2104-26-0x0000000070BED000-0x0000000070BF8000-memory.dmp
memory/2092-28-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/2092-51-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/2092-52-0x0000000000480000-0x00000000004C8000-memory.dmp