20501b21e4c5f3317e5e1e1ac8a553d60a434fb50d262fa1abee1a79b39bd4d0

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 16:24

Target

ܽ֪ͨ[2013]119120/֪ͨ[2013]120Źڿչ��.doc
Size

25KB
MD5

28461a86e20479c40d9ae670516a1212
SHA1

50d6abe482a41fe88452f23f5612940970100693
SHA256

45b49c0520e1ef367057ae1cd05474d1f4424f4de8f9e4613d154f17597380bd
SHA512

1c98a5355d188589a89aeccf3f2c52615398484941297ebf17b39ff8f1653a3b922a84aeca90ee81e7815a595179f8638a9245a475d9d9d2c48e20ca97cdcdff
SSDEEP

192:1kvW1U8Y0BpHigdb7nAx9dnqhVyh1b+0fvhT5hTuS1hnhTDsvH4:1kvW66pH59kx9pb+OrukQw

Score

4^/10

discovery

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

WINWORD.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2360 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2360 WINWORD.EXE
2360 WINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

pid	process
2360	WINWORD.EXE

pid	process
2360	WINWORD.EXE
2360	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2360 wrote to memory of 2488	2360	WINWORD.EXE	splwow64.exe
PID 2360 wrote to memory of 2488	2360	WINWORD.EXE	splwow64.exe
PID 2360 wrote to memory of 2488	2360	WINWORD.EXE	splwow64.exe
PID 2360 wrote to memory of 2488	2360	WINWORD.EXE	splwow64.exe

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2360-0-0x000000002FBA1000-0x000000002FBA2000-memory.dmp

Filesize
4KB

Download
memory/2360-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2360-2-0x000000007125D000-0x0000000071268000-memory.dmp

Filesize
44KB

Download
memory/2360-5-0x000000007125D000-0x0000000071268000-memory.dmp

Filesize
44KB

Download