7a3b1e9c8df660dc1c1cf9b17411c1d6a4ffca364712c5de8ac46b1199ece1ce

Analysis

max time kernel
125s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cgu3.docx
Size

12KB
MD5

3a99a5077f5178c4320e97d997cfbff1
SHA1

d3e053535607751b0a2d6dc5187f74dac3b1846d
SHA256

154dae89d0d92be206c9c006af8112f36ba1180f56334bfdbbf33668675a76a5
SHA512

218f3265617bd320e862b32591f7ef2c6bd85e9225d565281f54045486cc63593a89fb5c1b15853082554d84545a63492bed16ca73840cfd548e1ef4316b1f34
SSDEEP

192:CtfoVP+CCNxtpgoZ22NNMp14xew+Wfm0FfkvGUlfbN9urD9N:afo1+dNxt/ZtNN04+30On50n9N

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	bitbucket.org
5	bitbucket.org
10	bitbucket.org
13	bitbucket.org

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3044	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3044	WINWORD.EXE
3044	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cgu3.docx"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{77216855-F693-4243-912C-A0DE14A27247}.FSD

Filesize
128KB

MD5
556adc86e6e253a6cc9d711e08257e04

SHA1
c4407d6fbc05987c10b7d7e5ed9b310175c924f3

SHA256
105d3e6fb4c64c845cb876aad5e8b2c3e7e9e4a6ece6f82bdda666d2df2ac84f

SHA512
8865f42e5ee26d654bae985e1fec7cdea93001ad987a3de1a54ae6bb91dd2e1466484a0de6ef74575d1f2c3007ec581f68294dc9a50855e1031b7b3cd3e958b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
09e1bf6067381c630e302c845975cb21

SHA1
8dcd0c3a52d57ab9f44db4c06cb525eb5d7ae243

SHA256
e278a25493b0668f2cf0ec3667b14a505715c3af974d165f84689976cfd83f91

SHA512
bef4d2c5b8ef8e6aab86fbf0eed7ec8504db779016462472ae35892ebd0ad94619fda33d85a66eabfd4946958cba6f1e030017117be32e36bbec2357c6070904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8DFAB033-4FFA-499F-A6F3-AC78419960CB}.FSD

Filesize
128KB

MD5
298ee91ff3e7b94f4a859d839be8f894

SHA1
6ee4265c3ad84ec30e1f73c17a30c8f73f4ff86a

SHA256
1157b893d0d08c6a96efc414e9f02cd26d801c8a2fc7ebed3283b465737daaf9

SHA512
6eeb5a6254e498f86ebb88216e36814fe7f12da5a9f1e2a1f9885831067c06646317cec9cca42837ee503285e0d0891a1686bd97243d9b7ae22e8a3454358647

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA91E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA98E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{623B6A75-00E4-42B5-83F1-144E23162D60}

Filesize
128KB

MD5
364883f2918d321cf88eb0277b178cde

SHA1
4c75a1bffa09228ed3da1fc2d9b0008fa5bb671b

SHA256
3bb37d90aaebda892c262dd318c2a311ed65b0f24b90106f9a625d3ac3adea0f

SHA512
9980d0e111c0a3e2999a59e98e8d2dc3aa4d02c346dd1302708e03abfd14fe2982fb1db2c7e1709c2fb27a1011506b9288fe9524ac0abb981374bc33d23de806

Download Submit
memory/3044-0-0x000000002F081000-0x000000002F082000-memory.dmp

Filesize
4KB

Download
memory/3044-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3044-2-0x000000007131D000-0x0000000071328000-memory.dmp

Filesize
44KB

Download
memory/3044-111-0x000000007131D000-0x0000000071328000-memory.dmp

Filesize
44KB

Download