674e91e0c3a04ceb11086fd104774bf5dc9056b2b9804cdf82fa4b8042c22ef6

General

Target

aaaa/info.docx
Size

9KB
MD5

ef6a809323b25b2659285678ec36fe11
SHA1

bdfc3482363328091fc8622a0ec7dc9b9c41d887
SHA256

10010fb1bf9dad2ea268165bcb2260254ad9683f0c1868e96fd1473e2902dcd0
SHA512

2958bc972d92ee51f79bdbe5dd890ccb79b822a2502e1b7012e9ee9e14bf17992f2efac0603069cc1127444462cefc9ccf069f3bc71f6ff881c71fba51de93c2
SSDEEP

192:6ILMNhGcBBeNp9Y64ccp7MyqFQvXzmpOIT8wN4lYglv69DqkygyXMY:6+MNhtc9L+JFvapr84AYC6dqkjyXMY

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\aaaa\http:\185.195.24.162:8080\sVkakMI2Can.html!	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3064	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3064	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3064	WINWORD.EXE
3064	WINWORD.EXE
3064	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2064	3064	WINWORD.EXE	32
PID 3064 wrote to memory of 2064	3064	WINWORD.EXE	32
PID 3064 wrote to memory of 2064	3064	WINWORD.EXE	32
PID 3064 wrote to memory of 2064	3064	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aaaa\info.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2064

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SaveGroup.mpeg3
1⤵
- Modifies registry class
PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{EC7142D1-15E7-4C0A-A528-E45DAC8386EE}.FSD

Filesize
128KB

MD5
e129a663876fbc34ddcf142394cff088

SHA1
d7c34d891f56bebc67ba082baeeb9316a93bfad6

SHA256
7abe8cb98f8384813ebb1bb342b4d32ccdc55a0ecb31c8607c531fd869229bcd

SHA512
cff4c5403efe6d8a37c8307bdf6464ca92c9ca8332aa767f03e834a55892b0cf399d1ce788ba6bc6edd9f83c32558d8122e013c4d54d7fdbcc5d78fe20d1c732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
587f8d01e4969b1c83762c82499e2a20

SHA1
90a33291bd3705d149d01056d1c85a4aca9fdfa5

SHA256
a0f76137b155de901941371b5e88e81dcb89066b6a98e2b5d9cdbca4a5146bcd

SHA512
dd57b9eca6ed761d3c230a0bd2f05886f3383d9f90db163768194f9c51460cdf14e17601164757d033cde6404cd2e2e16099453a20a1cc914767e0d4fb52fafd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6B755839-7F38-44B9-B801-36E8131DDB2E}

Filesize
128KB

MD5
7ac2e72a593b14ba966c130a197a2b9c

SHA1
d1bcc247ed8702607d5892f89fc37d5c7f6e8397

SHA256
e86002ee04c924703a3d3eaba31963cd7d31d0639c57d91af0c3fd9950d74695

SHA512
5d027a600b7c22b77397ebd1d0b3e5e6256e49a566427a48b1604d6e111a7f89e9728c422afba803177ce7f3b3b18e8bd1b4017f90e6bc36c851a5e1213fd448

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CB15A86C-DDAC-4A3F-A917-2C8F354DBCCD}

Filesize
128KB

MD5
dd76f83364f373c1ee3a3829e53658fe

SHA1
1f05e6cbe7976b8749a6069672a7e8f21603361d

SHA256
72234affc9a26ec5c704a63921ac6bc633d13aa605e47f8698750662580bfd3d

SHA512
483946521fb031f961492237a59c3625026ce2fc017301e3ca8b25eef6f3b03af11adffb0c952228e9cdd1b53e137e73c10022374a8c1c972e5c346daba7ccb6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
4daa532a49276c2868dd41dafaf6e365

SHA1
5734434cc8421ce7169cdf5524780e1d4e323ad5

SHA256
e41c57cef01fd8f0957b939fb2b8430fef3e37567710edf20b8ba5aa3c87f14a

SHA512
0fcf30708ab9e06d3e0bbd278ed20a349bd422f02624c99f86086f666ec4fbb1e02ad8748aff3b066840ad3d5ee7b80d93f06355fde3ef3a30ff2cf631d8ec93

Download Submit
memory/3064-0-0x000000002FA51000-0x000000002FA52000-memory.dmp

Filesize
4KB

Download
memory/3064-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3064-2-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download
memory/3064-61-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download
memory/3064-85-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3064-86-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing