Analysis
- max time kernel: 141s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 23-10-2024 16:24
Static task: static1

Behavioral task: behavioral1
- Sample: ֪ܽͨ[2013]119120/֪ͨ[2013]119Źÿѧǰ.doc
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: ֪ܽͨ[2013]119120/֪ͨ[2013]119Źÿѧǰ.doc
- Resource: win10v2004-20241007-en

Behavioral task: behavioral3
- Sample: ֪ܽͨ[2013]119120/֪ͨ[2013]120Ÿ2013ѧ.xls
- Resource: win7-20241010-en

Behavioral task: behavioral4
- Sample: ֪ܽͨ[2013]119120/֪ͨ[2013]120Ÿ2013ѧ.xls
- Resource: win10v2004-20241007-en

Behavioral task: behavioral5
- Sample: ֪ܽͨ[2013]119120/֪ͨ[2013]120Źڿչ��.doc
- Resource: win7-20240903-en

Behavioral task: behavioral6
- Sample: ֪ܽͨ[2013]119120/֪ͨ[2013]120Źڿչ��.doc
- Resource: win10v2004-20241007-en
General
- Target: ֪ܽͨ[2013]119120/֪ͨ[2013]120Źڿչ��.doc
- Size: 25KB
- MD5: 28461a86e20479c40d9ae670516a1212
- SHA1: 50d6abe482a41fe88452f23f5612940970100693
- SHA256: 45b49c0520e1ef367057ae1cd05474d1f4424f4de8f9e4613d154f17597380bd
- SHA512: 1c98a5355d188589a89aeccf3f2c52615398484941297ebf17b39ff8f1653a3b922a84aeca90ee81e7815a595179f8638a9245a475d9d9d2c48e20ca97cdcdff
- SSDEEP: 192:1kvW1U8Y0BpHigdb7nAx9dnqhVyh1b+0fvhT5hTuS1hnhTDsvH4:1kvW66pH59kx9pb+OrukQw
Malware Config
(none extracted)

Signatures
- Drops file in Windows directory (1 IoC)
  Processes:
  - description: File opened for modification; ioc: C:\Windows\Debug\WIA\wiatrace.log; process: WINWORD.EXE
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  - description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - pid: 2360; process: WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - pid: 2360; process: WINWORD.EXE
  - pid: 2360; process: WINWORD.EXE
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (4 identical entries):
  - description: PID 2360 wrote to memory of 2488; pid: 2360; process: WINWORD.EXE; target process: splwow64.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2360)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\֪ܽͨ[2013]119120\֪ͨ[2013]120Źڿչ��.doc"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\splwow64.exe (PID 2488)
    Command line: C:\Windows\splwow64.exe 12288