Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 12:19

General

  • Target

    62-3590.pdf

  • Size

    60KB

  • MD5

    2eb950038fd5b4a2e2aaf4aae2187bf4

  • SHA1

    56cedb038e6f1a7ca70bce8a4d789376f7eb65e8

  • SHA256

    91886095e94318052cea0b34c3d0641b1614e0e4e701987ed06a7fe1354c3a7e

  • SHA512

    0fa0c859416f1a2f2eeb95a2768016f6fdc35fd0e60c8cde4e93a03123d130168c87861e886a6b14f7048d6a3a2377b44738a0ada50b3c37f07640685fe532e9

  • SSDEEP

    1536:6zK48rjPoCHSWfQ63zaWMF8mDRaZjf9Mk:6248XlHPfx3zaWMF8mDRad9x

Score
8/10

Malware Config

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\62-3590.pdf"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\A9REACD.tmp\M3BTZEP.docm"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:768

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\A9REACD.tmp\M3BTZEP.docm

            Filesize

            61KB

            MD5

            3f21eb3c6eaceb54872e6e48553cbdd2

            SHA1

            9df55ee8c80bc8aead1cb26830b5f0ddb7fea69f

            SHA256

            ea5bf36a687e13701ed03a095dc53abac19b7691f3647cfe03e824df73c5c484

            SHA512

            d919430c67d123d26d7fcd2d3fb2334b2a4bdbfc697f95d297116030e702a77651913fb922e7110e2873c10c2fa61d8729f81304b3070158533ed59402a01918

          • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

            Filesize

            3KB

            MD5

            73338fe1d16a7bc3662e726c2799bc2a

            SHA1

            8fbe5cf9ea2f6c0bda708b3e669a07690d7a53ac

            SHA256

            045093e2231ab9b71b02e56c79797f6c412eed062cdc7e6d774c509faa79da8f

            SHA512

            09fbfa6e6b9d385e47c2851275b2e192f306796ae8f31eb3d1d0d93f4b9fb50faee4293f2587f8bddcd6aefbb6428ba188f387574dca83cc2555348e38feaa6a

          • memory/3020-2-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/3020-6-0x0000000000490000-0x0000000000590000-memory.dmp

            Filesize

            1024KB

          • memory/3020-5-0x0000000000490000-0x0000000000590000-memory.dmp

            Filesize

            1024KB

          • memory/3020-8-0x0000000000490000-0x0000000000590000-memory.dmp

            Filesize

            1024KB

          • memory/3020-7-0x0000000000490000-0x0000000000590000-memory.dmp

            Filesize

            1024KB

          • memory/3020-73-0x0000000000490000-0x0000000000590000-memory.dmp

            Filesize

            1024KB

          • memory/3020-72-0x0000000000490000-0x0000000000590000-memory.dmp

            Filesize

            1024KB