86f944531d069f9e05bb4e511da597dc75c3792b2a6f5be0e76f5edba767b30a

Analysis

max time kernel
42s
max time network
52s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86f944531d069f9e05bb4e511da597dc75c3792b2a6f5be0e76f5edba767b30a.docx
Size

10KB
MD5

c06920fb3837530519e3e5a23ebb25b8
SHA1

e53bd31d1c720eb552d1c2282ea17407654372a3
SHA256

86f944531d069f9e05bb4e511da597dc75c3792b2a6f5be0e76f5edba767b30a
SHA512

b63e11db0adb88b792c7b88172cc94de126b25721138ec26d4b0f5cd834e8fa0d64f4b5043e5890f88954ebbdf6c21692d3ad9b3cff840e47cad6e8bda96a584
SSDEEP

192:OEhM6yD7Z/c+8poF1d3jvvtlN9264wpCGhe3b8UfrGxjPCUUuf5U:OqJGcfa7pr1lN92hwkGA3b9fyxjPCzuq

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\http:\172.31.102.226:8000\index.html!	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2080	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2080	WINWORD.EXE
2080	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\86f944531d069f9e05bb4e511da597dc75c3792b2a6f5be0e76f5edba767b30a.docx"
1⤵
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
0800b30c3ae9ffc5d8e35e9ead8f1ba5

SHA1
de364834cf38ac499d822798c00d1f37e0ae207c

SHA256
623438c686cf188e0e218b6e227805dee1c1009677894db6125ac2cbd0a367ee

SHA512
1ac5dcd709a15d5aab011222ddca7675f151e145ef68b663f9750e30ffee541fef8a7549ffe7fca6ad6fb25d51116de81869abc81a995ff9e1ba222918bf7379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{CA7F3305-D7EE-4A01-9679-6F8416B76B2A}.FSD

Filesize
128KB

MD5
1e59916d81af1fd8b6bdb3c9fe1d5a0a

SHA1
2a81eed5ffbded3b06db065f799cb1b114af000f

SHA256
592726688dc91c0365f4200c13b84275243d93ebf1f3e1866f3fa2aceb99c854

SHA512
22f2c5c39f3b3aaef88c6e2af8ccb6053a2e40ca9f6f3b02085209f1cf016d7c9b3d543c8616baeea711906207e556ec8c86dfdfc8736ba48b88ae5dfaacea6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{65C0225B-722E-4BA3-AF37-C961B84068BC}

Filesize
128KB

MD5
c337c90575a0be101037026d14718baf

SHA1
14b71ba62b1664c6104f965d8afe40374eaa0e38

SHA256
04718a54a9057ca9f1f67eb3a060a542416369e7a5aa87a061ca09f0eb140f58

SHA512
0a754fd5690aeb5dcfbaa70071787f5fed2d4346e43b59d47f9998d7e3933583539ca45b675bd56160da07381a39ea73f713919537c3f1972edaab3ec2a1a667

Download Submit
memory/2080-0-0x000000002FF51000-0x000000002FF52000-memory.dmp

Filesize
4KB

Download
memory/2080-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2080-2-0x000000007182D000-0x0000000071838000-memory.dmp

Filesize
44KB

Download
memory/2080-4-0x000000007182D000-0x0000000071838000-memory.dmp

Filesize
44KB

Download