Analysis

  • max time kernel
    125s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-11-2024 02:36

General

  • Target

    cgu3.docx

  • Size

    12KB

  • MD5

    3a99a5077f5178c4320e97d997cfbff1

  • SHA1

    d3e053535607751b0a2d6dc5187f74dac3b1846d

  • SHA256

    154dae89d0d92be206c9c006af8112f36ba1180f56334bfdbbf33668675a76a5

  • SHA512

    218f3265617bd320e862b32591f7ef2c6bd85e9225d565281f54045486cc63593a89fb5c1b15853082554d84545a63492bed16ca73840cfd548e1ef4316b1f34

  • SSDEEP

    192:CtfoVP+CCNxtpgoZ22NNMp14xew+Wfm0FfkvGUlfbN9urD9N:afo1+dNxt/ZtNN04+30On50n9N

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cgu3.docx"
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3044

Network

  • flag-us
    DNS
    bitbucket.org
    WINWORD.EXE
    Remote address:
    8.8.8.8:53
    Request
    bitbucket.org
    IN A
    Response
    bitbucket.org
    IN A
    185.166.142.23
    bitbucket.org
    IN A
    185.166.142.21
    bitbucket.org
    IN A
    185.166.142.22
  • flag-ie
    OPTIONS
    https://bitbucket.org/damnman/damn/downloads/
    WINWORD.EXE
    Remote address:
    185.166.142.23:443
    Request
    OPTIONS /damnman/damn/downloads/ HTTP/1.1
    User-Agent: Microsoft Office Protocol Discovery
    Host: bitbucket.org
    Content-Length: 0
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 11 Nov 2024 02:38:55 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 15634
    Server: AtlassianEdge
    Vary: authorization, cookie, user-context, Accept-Language, Origin, Accept-Encoding
    X-Used-Mesh: False
    Content-Language: en
    X-View-Name: bitbucket.apps.downloads.views.downloads
    X-Dc-Location: Micros-3
    X-Served-By: 9ede1fff07f2
    X-Version: f4f170c4eb61
    X-Static-Version: f4f170c4eb61
    X-Request-Count: 2544
    X-Render-Time: 0.07039165496826172
    X-B3-Traceid: c21d7fe06398410aaf0a2159f782d7bf
    X-B3-Spanid: f79dfd4f2db52bb6
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; base-uri 'self'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ 'nonce-v3sKpzPjfKyFNsAc54+w4w=='; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
    Expires: Mon, 11 Nov 2024 02:38:55 GMT
    Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
    X-Usage-User-Time: 0.033983
    X-Usage-System-Time: 0.010378
    X-Usage-Input-Ops: 0
    X-Usage-Output-Ops: 0
    Age: 0
    X-Cache: MISS
    X-Content-Type-Options: nosniff
    X-Xss-Protection: 1; mode=block
    Atl-Traceid: c21d7fe06398410aaf0a2159f782d7bf
    Atl-Request-Id: c21d7fe0-6398-410a-af0a-2159f782d7bf
    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
    Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Server-Timing: atl-edge;dur=154,atl-edge-internal;dur=2,atl-edge-upstream;dur=152,atl-edge-pop;desc="aws-eu-west-1"
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.19.117.18
    a1363.dscg.akamai.net
    IN A
    2.19.117.22
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    2.19.117.18:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
    Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
    ETag: 0x8DCDDD1E3AF2C76
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: b28c4ea1-d01e-0016-0ebc-0fa13d000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Mon, 11 Nov 2024 02:39:25 GMT
    Connection: keep-alive
  • 185.166.142.23:443
    https://bitbucket.org/damnman/damn/downloads/
    tls, http
    WINWORD.EXE
    1.2kB
    24.0kB
    17
    23

    HTTP Request

    OPTIONS https://bitbucket.org/damnman/damn/downloads/

    HTTP Response

    404
  • 185.166.142.23:443
    bitbucket.org
    tls
    WINWORD.EXE
    347 B
    219 B
    5
    5
  • 185.166.142.23:443
    bitbucket.org
    tls
    WINWORD.EXE
    288 B
    219 B
    5
    5
  • 185.166.142.23:443
    bitbucket.org
    tls
    WINWORD.EXE
    288 B
    219 B
    5
    5
  • 185.166.142.23:443
    bitbucket.org
    tls
    WINWORD.EXE
    347 B
    219 B
    5
    5
  • 2.19.117.18:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B
    1.7kB
    4
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 8.8.8.8:53
    bitbucket.org
    dns
    WINWORD.EXE
    59 B
    107 B
    1
    1

    DNS Request

    bitbucket.org

    DNS Response

    185.166.142.23
    185.166.142.21
    185.166.142.22

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.19.117.18
    2.19.117.22

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{77216855-F693-4243-912C-A0DE14A27247}.FSD

    Filesize

    128KB

    MD5

    556adc86e6e253a6cc9d711e08257e04

    SHA1

    c4407d6fbc05987c10b7d7e5ed9b310175c924f3

    SHA256

    105d3e6fb4c64c845cb876aad5e8b2c3e7e9e4a6ece6f82bdda666d2df2ac84f

    SHA512

    8865f42e5ee26d654bae985e1fec7cdea93001ad987a3de1a54ae6bb91dd2e1466484a0de6ef74575d1f2c3007ec581f68294dc9a50855e1031b7b3cd3e958b0

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

    Filesize

    128KB

    MD5

    09e1bf6067381c630e302c845975cb21

    SHA1

    8dcd0c3a52d57ab9f44db4c06cb525eb5d7ae243

    SHA256

    e278a25493b0668f2cf0ec3667b14a505715c3af974d165f84689976cfd83f91

    SHA512

    bef4d2c5b8ef8e6aab86fbf0eed7ec8504db779016462472ae35892ebd0ad94619fda33d85a66eabfd4946958cba6f1e030017117be32e36bbec2357c6070904

  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8DFAB033-4FFA-499F-A6F3-AC78419960CB}.FSD

    Filesize

    128KB

    MD5

    298ee91ff3e7b94f4a859d839be8f894

    SHA1

    6ee4265c3ad84ec30e1f73c17a30c8f73f4ff86a

    SHA256

    1157b893d0d08c6a96efc414e9f02cd26d801c8a2fc7ebed3283b465737daaf9

    SHA512

    6eeb5a6254e498f86ebb88216e36814fe7f12da5a9f1e2a1f9885831067c06646317cec9cca42837ee503285e0d0891a1686bd97243d9b7ae22e8a3454358647

  • C:\Users\Admin\AppData\Local\Temp\CabA91E.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarA98E.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\{623B6A75-00E4-42B5-83F1-144E23162D60}

    Filesize

    128KB

    MD5

    364883f2918d321cf88eb0277b178cde

    SHA1

    4c75a1bffa09228ed3da1fc2d9b0008fa5bb671b

    SHA256

    3bb37d90aaebda892c262dd318c2a311ed65b0f24b90106f9a625d3ac3adea0f

    SHA512

    9980d0e111c0a3e2999a59e98e8d2dc3aa4d02c346dd1302708e03abfd14fe2982fb1db2c7e1709c2fb27a1011506b9288fe9524ac0abb981374bc33d23de806

  • memory/3044-0-0x000000002F081000-0x000000002F082000-memory.dmp

    Filesize

    4KB

  • memory/3044-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/3044-2-0x000000007131D000-0x0000000071328000-memory.dmp

    Filesize

    44KB

  • memory/3044-111-0x000000007131D000-0x0000000071328000-memory.dmp

    Filesize

    44KB
