b39cc1ce2d546ee6683e73264aaf094f4dd0ddae3b77bba5e3c0384523e66110

Analysis

max time kernel
129s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b39cc1ce2d546ee6683e73264aaf094f4dd0ddae3b77bba5e3c0384523e66110.docx
Size

84KB
MD5

e8eeca2b17300555ce982ae3368ea55e
SHA1

18b108ab1f73ef5e7ff61a2d3e0235976e412081
SHA256

b39cc1ce2d546ee6683e73264aaf094f4dd0ddae3b77bba5e3c0384523e66110
SHA512

cf9b2462b907438c33d96aaf82238d45e4bbe2d771bf97122fc774112f46bd0e568e4058df65b7dd6d4096043470265175b2df2c8b914de20b3c79d005433fa4
SSDEEP

1536:aYtb7ih7kPw17kG1hc2FjOppzOYN1TThLdvV5brdSp2:aYt3ixkw17kc/OppzOYH39JV5brdSp2

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2200	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2200	WINWORD.EXE
2200	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1992	2200	WINWORD.EXE	31
PID 2200 wrote to memory of 1992	2200	WINWORD.EXE	31
PID 2200 wrote to memory of 1992	2200	WINWORD.EXE	31
PID 2200 wrote to memory of 1992	2200	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b39cc1ce2d546ee6683e73264aaf094f4dd0ddae3b77bba5e3c0384523e66110.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
487be85f723d7ef8dd43f92cfe779db0

SHA1
1d74ba96d3619c4364f864a285053aed5c4ee439

SHA256
3689617f9c0d39fd1596b1fe1596ea1c8ce561ad6f6d02c6ed4a46a477590514

SHA512
6a12d28ef8011a9696b9c1056e55f8645730c9e55c889ea0ed7e639379438c25c9103a556d05682b03d150ddd1de49215a1101effb06914ab1a313b57b9ce0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A2C66A4C-D7D0-4C8F-AE8E-DCFE5C1134E4}.FSD

Filesize
128KB

MD5
13e4e3fb89ad2b6ba95845ee6ca5f35d

SHA1
bedfa2e3f7be035309c787d9de859ea8fed657e7

SHA256
c530572ebd5c9b1301320b6abde2a67bd2e2418707cd44e7d3f26ecd085e1a28

SHA512
b23681a99cf97189049a18f0235c45a17667de8b75ef1aef332735dc48834ce9e713b07084ba281912f0fe9847f589e5e3b7bdaa4884ce45e8f87010c5a40e30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\TtzpZ[1].htm

Filesize
3KB

MD5
31d56d865881b09d6c92f5f8f69d6634

SHA1
ad629a539b2e6b86bfd90b745e8176c9f58b702b

SHA256
73fcdb91d1fbcf1b5e5353af5c3105bfdaaca5a2e4b2dc698135e4820c097921

SHA512
e26d948f5fce36c67096594b7a639ae95dec5b8d69e2ffedb59113145b55b7de39186e10787953e303e34fcdcfdfa9c8372b15886f7f815a8418da7220820ef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\28A23414.svg

Filesize
4KB

MD5
e5c61878b60131a6ac8e94a80597f81d

SHA1
3b730bc3bbf3e56de4caa2389eac17bac1ad6997

SHA256
194f8974284cad509d798f11b1104d9dda63a550078e29c0725dedfb302024b1

SHA512
30ff13f4dd0153bb426c3e101a57524e7f29f1a2be879d0257f87a47eff8c2e069deadb064949b25b5e4200b5880645c8b71b5fceaec7be002b4d6c1f46fbd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FAA2B2E8-1BEB-4D76-8EC4-208CE7B144E6}

Filesize
128KB

MD5
37764756ead9901a80560305909db4fb

SHA1
191e1d59952079d412a4c7798fcdef4afd09fd71

SHA256
d755d5fccf9fb1c8679cdb34ff8b31d2f491010d1ebdbf0a12b075f53bc6a847

SHA512
07e51e2d50e8b0c425ced71bc8b11b4d86116330cd2d5619d56a63fa7beeaa01233022499c2aa2b053302b5d86e05bbe4dc44570c6d3f26b568d6da11ef898e0

Download Submit
memory/2200-0-0x000000002F041000-0x000000002F042000-memory.dmp

Filesize
4KB

Download
memory/2200-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2200-2-0x0000000070BCD000-0x0000000070BD8000-memory.dmp

Filesize
44KB

Download
memory/2200-129-0x0000000070BCD000-0x0000000070BD8000-memory.dmp

Filesize
44KB

Download