3dadca091bcfdf0926110925eb8ad0e0f9c07277e0b848e3c5532373cc89d667

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dadca091bcfdf0926110925eb8ad0e0f9c07277e0b848e3c5532373cc89d667N.exe
Size

38KB
MD5

23a015db832504a329a52b9ee1a50970
SHA1

d2edfbf67ed0def887cba303db9b1130fbb58d55
SHA256

3dadca091bcfdf0926110925eb8ad0e0f9c07277e0b848e3c5532373cc89d667
SHA512

c7ebb4759b1c6571e43b54a2d9ae39c478bd5ed85acab7561d5f7f4336c62b95aa156493eb458b79ea389d55e83245033b38e59cf47716221330e3de3d6357e5
SSDEEP

384:gTivFsccfFOr424zLyZj3Vs1QR0rmTLbZxQlOK+e+z0rB6WPR86pf0ZAY99xSR:jscqOSyVVymvbO+e+06wvpfUAU9xS

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3dadca091bcfdf0926110925eb8ad0e0f9c07277e0b848e3c5532373cc89d667N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2780	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2780	WINWORD.EXE
2780	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2780	2380	3dadca091bcfdf0926110925eb8ad0e0f9c07277e0b848e3c5532373cc89d667N.exe	30
PID 2380 wrote to memory of 2780	2380	3dadca091bcfdf0926110925eb8ad0e0f9c07277e0b848e3c5532373cc89d667N.exe	30
PID 2380 wrote to memory of 2780	2380	3dadca091bcfdf0926110925eb8ad0e0f9c07277e0b848e3c5532373cc89d667N.exe	30
PID 2380 wrote to memory of 2780	2380	3dadca091bcfdf0926110925eb8ad0e0f9c07277e0b848e3c5532373cc89d667N.exe	30
PID 2780 wrote to memory of 2628	2780	WINWORD.EXE	32
PID 2780 wrote to memory of 2628	2780	WINWORD.EXE	32
PID 2780 wrote to memory of 2628	2780	WINWORD.EXE	32
PID 2780 wrote to memory of 2628	2780	WINWORD.EXE	32

C:\Users\Admin\AppData\Local\Temp\3dadca091bcfdf0926110925eb8ad0e0f9c07277e0b848e3c5532373cc89d667N.exe
"C:\Users\Admin\AppData\Local\Temp\3dadca091bcfdf0926110925eb8ad0e0f9c07277e0b848e3c5532373cc89d667N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3dadca091bcfdf0926110925eb8ad0e0f9c07277e0b848e3c5532373cc89d667N.rtf"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3dadca091bcfdf0926110925eb8ad0e0f9c07277e0b848e3c5532373cc89d667N.rtf

Filesize
4KB

MD5
cce1ee2eca38ec5cca3a1dc883ca815e

SHA1
447b3209541feb29aef0e8150367f1e9d4777ed5

SHA256
d44903105c844b08ebe0822d97c64fb70e7da14fb327ae3a2cad4059d4e10d98

SHA512
514b4bce268ddc79696334fae0dc642a97c2582b80648c1ffcd347beed2c70789f7f690eab8c4ed1398492bd1d8edf3e46cff38e22340130fc52d76943583acd

Download Submit
memory/2380-0-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2380-2-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2380-17-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2380-18-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2780-7-0x000000002F7E1000-0x000000002F7E2000-memory.dmp

Filesize
4KB

Download
memory/2780-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2780-9-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/2780-19-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download