a18289dc74f878d89f3b749daecaf6ac390863e521a13af1f63bfab25776d3de

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 02:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

starring.scr
Size

30KB
MD5

f185d7ec946d13ad3dc698170ed52c4d
SHA1

753074e6a7a104af2cf6d9d49c7440931162b47a
SHA256

d578a584c936b8a089403db9e0f49688d83c3f55482eaf67295f65165d1c3773
SHA512

aad2cd1fc58bf80037f658bce528426b04a77d7d90d2eefb94fdf3cccc2277ecd6f65c223e059ecb7c939db6d496d634cd2a70e46cd672a78c94821d9d7ca0ca
SSDEEP

384:MKe/H84setrFWXVWQl7zBilcsYBIKxqM5fBGSRwQjhloGNSvEBOj8uB:he04so85NQTmp5fBGS/jIGwvEBs

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	starring.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2784	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2784	WINWORD.EXE
2784	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2784	2196	starring.scr	30
PID 2196 wrote to memory of 2784	2196	starring.scr	30
PID 2196 wrote to memory of 2784	2196	starring.scr	30
PID 2196 wrote to memory of 2784	2196	starring.scr	30
PID 2784 wrote to memory of 2604	2784	WINWORD.EXE	32
PID 2784 wrote to memory of 2604	2784	WINWORD.EXE	32
PID 2784 wrote to memory of 2604	2784	WINWORD.EXE	32
PID 2784 wrote to memory of 2604	2784	WINWORD.EXE	32

C:\Users\Admin\AppData\Local\Temp\starring.scr
"C:\Users\Admin\AppData\Local\Temp\starring.scr" /S
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\starring.rtf"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\starring.rtf

Filesize
4KB

MD5
a82035105d0b65efb306d6ffd209f581

SHA1
13a2db6ce38071634e31bb95fff1f961d06b3c9a

SHA256
968168cb0bb937fc93cc9a598dc24e3ab0967b39a5af16865c6713e94298907e

SHA512
6b3d3136885dbb580d0fca02152df6346aa58e90c9eafa5c184b44a079bf01ecd1e8fb10d80d72871162f06b29a699ee9ad7f2906f2df25111472dc48870b5cc

Download Submit
memory/2196-0-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2196-2-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2196-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2196-17-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2196-18-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2784-7-0x000000002F7A1000-0x000000002F7A2000-memory.dmp

Filesize
4KB

Download
memory/2784-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2784-9-0x0000000070B4D000-0x0000000070B58000-memory.dmp

Filesize
44KB

Download
memory/2784-19-0x0000000070B4D000-0x0000000070B58000-memory.dmp

Filesize
44KB

Download