Overview
overview
10Static
static
8Ehhbsuuemv.exe
windows7-x64
10Ehhbsuuemv.exe
windows10-2004-x64
10GjIEmKW.exe
windows7-x64
10GjIEmKW.exe
windows10-2004-x64
10Jtvcsfni.exe
windows7-x64
10Jtvcsfni.exe
windows10-2004-x64
10OriginalBuild.exe
windows7-x64
3OriginalBuild.exe
windows10-2004-x64
8PUMPED_docc.exe
windows7-x64
10PUMPED_docc.exe
windows10-2004-x64
10Servicing-...te.pdf
windows7-x64
3Servicing-...te.pdf
windows10-2004-x64
3cgu3.docx
windows7-x64
6cgu3.docx
windows10-2004-x64
6debt.rtf.lnk
windows7-x64
10debt.rtf.lnk
windows10-2004-x64
10eeee.dotm
windows7-x64
3eeee.dotm
windows10-2004-x64
1egor.dotm
windows7-x64
10egor.dotm
windows10-2004-x64
10errr.dotm
windows7-x64
3errr.dotm
windows10-2004-x64
1example.dotm
windows7-x64
10example.dotm
windows10-2004-x64
10fasfs.dotm
windows7-x64
10fasfs.dotm
windows10-2004-x64
10ferrr.dotm
windows7-x64
3ferrr.dotm
windows10-2004-x64
1fffffffnew.dotm
windows7-x64
10fffffffnew.dotm
windows10-2004-x64
10fp4h5ur67j.exe
windows7-x64
10fp4h5ur67j.exe
windows10-2004-x64
10Analysis
-
max time kernel
125s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11-11-2024 02:36
Behavioral task
behavioral1
Sample
Ehhbsuuemv.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Ehhbsuuemv.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
GjIEmKW.exe
Resource
win7-20241023-en
Behavioral task
behavioral4
Sample
GjIEmKW.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Jtvcsfni.exe
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
Jtvcsfni.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
OriginalBuild.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
OriginalBuild.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
PUMPED_docc.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
PUMPED_docc.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Servicing-invoice-template.pdf
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
Servicing-invoice-template.pdf
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
cgu3.docx
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
cgu3.docx
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
debt.rtf.lnk
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
debt.rtf.lnk
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
eeee.dotm
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
eeee.dotm
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
egor.dotm
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
egor.dotm
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
errr.dotm
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
errr.dotm
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
example.dotm
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
example.dotm
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
fasfs.dotm
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
fasfs.dotm
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
ferrr.dotm
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
ferrr.dotm
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
fffffffnew.dotm
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
fffffffnew.dotm
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
fp4h5ur67j.exe
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
fp4h5ur67j.exe
Resource
win10v2004-20241007-en
General
-
Target
cgu3.docx
-
Size
12KB
-
MD5
3a99a5077f5178c4320e97d997cfbff1
-
SHA1
d3e053535607751b0a2d6dc5187f74dac3b1846d
-
SHA256
154dae89d0d92be206c9c006af8112f36ba1180f56334bfdbbf33668675a76a5
-
SHA512
218f3265617bd320e862b32591f7ef2c6bd85e9225d565281f54045486cc63593a89fb5c1b15853082554d84545a63492bed16ca73840cfd548e1ef4316b1f34
-
SSDEEP
192:CtfoVP+CCNxtpgoZ22NNMp14xew+Wfm0FfkvGUlfbN9urD9N:afo1+dNxt/ZtNN04+30On50n9N
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 4 bitbucket.org 5 bitbucket.org 10 bitbucket.org 13 bitbucket.org -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3044 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3044 WINWORD.EXE 3044 WINWORD.EXE
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cgu3.docx"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3044
Network
-
Remote address:8.8.8.8:53Requestbitbucket.orgIN AResponsebitbucket.orgIN A185.166.142.23bitbucket.orgIN A185.166.142.21bitbucket.orgIN A185.166.142.22
-
Remote address:185.166.142.23:443RequestOPTIONS /damnman/damn/downloads/ HTTP/1.1
User-Agent: Microsoft Office Protocol Discovery
Host: bitbucket.org
Content-Length: 0
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Content-Length: 15634
Server: AtlassianEdge
Vary: authorization, cookie, user-context, Accept-Language, Origin, Accept-Encoding
X-Used-Mesh: False
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.downloads
X-Dc-Location: Micros-3
X-Served-By: 9ede1fff07f2
X-Version: f4f170c4eb61
X-Static-Version: f4f170c4eb61
X-Request-Count: 2544
X-Render-Time: 0.07039165496826172
X-B3-Traceid: c21d7fe06398410aaf0a2159f782d7bf
X-B3-Spanid: f79dfd4f2db52bb6
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; base-uri 'self'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ 'nonce-v3sKpzPjfKyFNsAc54+w4w=='; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
Expires: Mon, 11 Nov 2024 02:38:55 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Usage-User-Time: 0.033983
X-Usage-System-Time: 0.010378
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Age: 0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: c21d7fe06398410aaf0a2159f782d7bf
Atl-Request-Id: c21d7fe0-6398-410a-af0a-2159f782d7bf
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Server-Timing: atl-edge;dur=154,atl-edge-internal;dur=2,atl-edge-upstream;dur=152,atl-edge-pop;desc="aws-eu-west-1"
-
Remote address:8.8.8.8:53Requestcrl.microsoft.comIN AResponsecrl.microsoft.comIN CNAMEcrl.www.ms.akadns.netcrl.www.ms.akadns.netIN CNAMEa1363.dscg.akamai.neta1363.dscg.akamai.netIN A2.19.117.18a1363.dscg.akamai.netIN A2.19.117.22
-
Remote address:2.19.117.18:80RequestGET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
ETag: 0x8DCDDD1E3AF2C76
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: b28c4ea1-d01e-0016-0ebc-0fa13d000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Mon, 11 Nov 2024 02:39:25 GMT
Connection: keep-alive
-
1.2kB 24.0kB 17 23
HTTP Request
OPTIONS https://bitbucket.org/damnman/damn/downloads/HTTP Response
404 -
347 B 219 B 5 5
-
288 B 219 B 5 5
-
288 B 219 B 5 5
-
347 B 219 B 5 5
-
399 B 1.7kB 4 4
HTTP Request
GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlHTTP Response
200
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{77216855-F693-4243-912C-A0DE14A27247}.FSD
Filesize128KB
MD5556adc86e6e253a6cc9d711e08257e04
SHA1c4407d6fbc05987c10b7d7e5ed9b310175c924f3
SHA256105d3e6fb4c64c845cb876aad5e8b2c3e7e9e4a6ece6f82bdda666d2df2ac84f
SHA5128865f42e5ee26d654bae985e1fec7cdea93001ad987a3de1a54ae6bb91dd2e1466484a0de6ef74575d1f2c3007ec581f68294dc9a50855e1031b7b3cd3e958b0
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD509e1bf6067381c630e302c845975cb21
SHA18dcd0c3a52d57ab9f44db4c06cb525eb5d7ae243
SHA256e278a25493b0668f2cf0ec3667b14a505715c3af974d165f84689976cfd83f91
SHA512bef4d2c5b8ef8e6aab86fbf0eed7ec8504db779016462472ae35892ebd0ad94619fda33d85a66eabfd4946958cba6f1e030017117be32e36bbec2357c6070904
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8DFAB033-4FFA-499F-A6F3-AC78419960CB}.FSD
Filesize128KB
MD5298ee91ff3e7b94f4a859d839be8f894
SHA16ee4265c3ad84ec30e1f73c17a30c8f73f4ff86a
SHA2561157b893d0d08c6a96efc414e9f02cd26d801c8a2fc7ebed3283b465737daaf9
SHA5126eeb5a6254e498f86ebb88216e36814fe7f12da5a9f1e2a1f9885831067c06646317cec9cca42837ee503285e0d0891a1686bd97243d9b7ae22e8a3454358647
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
128KB
MD5364883f2918d321cf88eb0277b178cde
SHA14c75a1bffa09228ed3da1fc2d9b0008fa5bb671b
SHA2563bb37d90aaebda892c262dd318c2a311ed65b0f24b90106f9a625d3ac3adea0f
SHA5129980d0e111c0a3e2999a59e98e8d2dc3aa4d02c346dd1302708e03abfd14fe2982fb1db2c7e1709c2fb27a1011506b9288fe9524ac0abb981374bc33d23de806