3ac8048f9883e5b60a3afccfe36b899dd0309ce7b955b1234bfaa75a7d6ac94b

General

Target

BC paper compound supplementary information v6.docx
Size

2.3MB
MD5

70275562a4eff606fec08077c76b7f19
SHA1

df508baff707d37bda13f7bf12a43c7408844fac
SHA256

46e73d3c90314653369a9dee5bf9e8730521336a44a837cafedd358f56c356ad
SHA512

1e678be5aa7c04bc59babfad5bc78f1850a39be9b016a16ff04a77cc8fc04d6a941671ea931f56e14a3a14bfe074613638c2826ae12b4840a9d082cd9cec27b2
SSDEEP

49152:ukvbForDbJoc2XqXiBMQfI0UHjpT7lOeCYSq5XotTWA465giWZ+mhCtArIUToQ:ukzFo3beB6XiKiUHdlOe8ef7i8ZBhDrh

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2088	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2088	WINWORD.EXE
2088	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1940	2088	WINWORD.EXE	30
PID 2088 wrote to memory of 1940	2088	WINWORD.EXE	30
PID 2088 wrote to memory of 1940	2088	WINWORD.EXE	30
PID 2088 wrote to memory of 1940	2088	WINWORD.EXE	30

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\BC paper compound supplementary information v6.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\341CA73C.emf

Filesize
1.3MB

MD5
60e2cd58e43c7058deb0f4d128effb4e

SHA1
885f8abb623737ba20a631af55f39f759c06967c

SHA256
5018115a1d78784c9b6854f01c4cad7ed4a60f665d3c2b65e123efae16281f08

SHA512
7c0b89dfa0e17f1cdc72a046af9c8a009364ceaf27142bf5239b4efaa3018b0e40a999d2964e6a9fc4bd9a28f1dd6f6a093a5e5ae9299de46583cf342b643c5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3EA370A3.emf

Filesize
1.3MB

MD5
31d81d59d03eebee6fbef5845e5780e1

SHA1
0eb471246284ee9ef011812a613b691e08045de9

SHA256
3eb36d78f09b29cd3511662c4b732406d12adece9465fb3d6c1399f0355662a9

SHA512
568602db1a82340aa8dfb29c5ca2c6acc6e6710af47b3ea9aeba1d45de2c17c7343e7cd05443eb2801812d8b4c033e7352712e21d86e87958635e7c52eea7d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5F2155A9.emf

Filesize
49KB

MD5
7512398cb585026249bfb4d859d7979f

SHA1
f5835088c413d8025a33a0d54b84214d0a7e8c73

SHA256
3f3a116fffaf22b46a3214afc41177453f1a7b3b7f23e3a36f259c1311d23699

SHA512
be6540b14451658e4f4488fe22bc47a7b4a8c4377c855a0acca8609289eed9253a94a7a7d9bd2e04ac2b2a2086b922b87eaff5c9af84ed29a6e6ea1ed2563ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\64F2660D.emf

Filesize
49KB

MD5
e240bc7c08d225c73b95af61f300d1df

SHA1
d49ad78fd46bb35f040e951e2499ac0c515de8d6

SHA256
e558d61eca3bf7c31a99db923436dedcbc849348e87ad6a49c92e5ed32f45f40

SHA512
b60719601d2cd6f9347cba47f84929444e474dc0c83afb208278083f9f84142e3d5a8974cf28c1905f2d003c93f1f0b4d3c6060209801595d49fb4acb9aeb951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B3DBAE9F.emf

Filesize
1.4MB

MD5
41e36c36b9f79d7602f2770cfc5d4cb6

SHA1
19d7271a35beb8f752e16d3d49b4969af0e2cf48

SHA256
8d26fe8498a3575ac4598512ed0c69e2f59cb7c488c2944b12cdbf1689f6245d

SHA512
8f85ac40f2ebab968f07edc031fbe4ea80915f0e2dd4371222ac82db9527d89759077764ec361f5ce80847b39bd9e95ddc659c84c7622aa093d50bf795c4ede8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B7423814.emf

Filesize
21KB

MD5
b8b3cb57b43dd8a1baea31d5c0c5f34d

SHA1
c1e382dfd0e1164602edb84b4ffcfdaf71b981e7

SHA256
f4c322b578d523815f2ce159ed1a897cb78745c5b16d02ce670d121f5661a91d

SHA512
4cb487bdb299cfae0d35512db5af54e01e6322cdf6fa51e5ca16f15c858c0b8d401564f95fc6da6788b4774f6b4b3ef31f586d9d4033e4a0de87a1b1aac1ba77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D128F867.emf

Filesize
1.3MB

MD5
e600763be4d8543ad6e49c9923d9eb2b

SHA1
a031983790bbe5231cf74b0123a75b203d735429

SHA256
63bcdba4ecd87d4b699f2b3cd692dcbd46dd094c486443345742e5dca61ee5bb

SHA512
a45a81cbef3c590eb380a1fe6f9d62f1aa30541ac1a3c865a541d304e1ae73d83c315fa9d0baa384a4dfa3fc5787c77809662e205d473e155ec7978914678506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2088-0-0x000000002FDD1000-0x000000002FDD2000-memory.dmp

Filesize
4KB

Download
memory/2088-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2088-2-0x0000000070ACD000-0x0000000070AD8000-memory.dmp

Filesize
44KB

Download
memory/2088-211-0x0000000070ACD000-0x0000000070AD8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing