9dca6f86e538bce17615f19670f0b415de0228ce5665a57d1efd5a62daff8449

Analysis

max time kernel
132s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

layoffs.docx
Size

10KB
MD5

532483e8708fa504fec845f5e187c218
SHA1

7720b43f69086eefd828451e5a5237014cb8747c
SHA256

9dca6f86e538bce17615f19670f0b415de0228ce5665a57d1efd5a62daff8449
SHA512

d5521296e5a264ad803b00ca6425c4453f9d6ebd7e57ef6b58b9ab5e5cf439fe01b0c2e13cf4e87291e6109b29b628bd8276ae10b591ca7515f212e81979bbdd
SSDEEP

192:QEhMCXGheIhu7Z/c+8poF1d3jvvtlfb8t9264wpQ42srGxjPbUUFfyczSm:QqvGAImcfa7pr1lfb892hwe4tyxjPbzr

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\http:\diagnostic.htb:41177\223_index_style_fancy.html!	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2824	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2824	WINWORD.EXE
2824	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2372	2824	WINWORD.EXE	32
PID 2824 wrote to memory of 2372	2824	WINWORD.EXE	32
PID 2824 wrote to memory of 2372	2824	WINWORD.EXE	32
PID 2824 wrote to memory of 2372	2824	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\layoffs.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B01EE548-3272-4C2A-974E-49B3565A7791}.FSD

Filesize
128KB

MD5
af41628795161d5bc9507ae213004d6a

SHA1
664a8ed411b313e60a03b505cb0393a520d95472

SHA256
f417ec343da1b513459a2b0710e6a641e016a756b019ae1fd88dea58d58c352f

SHA512
b1577b4d8e2b2818361a9672869ecaca1665e1a7b3f98d940b230db71c4385622b39224dd756823675a85401d22a96179582de20cbd10ba2d13b1a67170dfa08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
342dcc416e50965404264d05b5f20d87

SHA1
aa94b77266cc6f3675de96aaeae4fdcba05e6cda

SHA256
0447fe47cd56c2981129821dda924fbdd363a72e3f8d9daf27d7e1272d2ae8ab

SHA512
da11019d8af7e0ac2eeea693f17fe2f4c23bff072306b6e5f85aabb89a23ae1fddbc09b8087603b324dc255ce146fe0cc53fffa1653b6b0acf86d28c951b9378

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{BC578063-A517-4A95-BAD6-06DC89413178}.FSD

Filesize
128KB

MD5
b3309292ba6669ae3752047dd4928c91

SHA1
98a3050ea825d8b700eac9050d75457ba7a6e6b3

SHA256
3cc70e74e4b5da067598c69c78b1b414fc82397246340db782904c74ea85c60e

SHA512
e6308cbab4fb76b0d342abb8207a474c031e5e7c125d4d44edd9b76e6d61614fabf4104b522b89be86ff66528af5d36f89fa2b412987da53a72b53a38d72918f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4F8A2D9B-61BE-4BE4-B80B-92ABABEE07B2}

Filesize
128KB

MD5
74b5761a74cf19e70f674343a051a0a2

SHA1
693cf356ed2b793ae5df62cd18df4c1da0cca212

SHA256
af423456f2f8e70b99b69b3bfc9437268c7aa576eeaeb233298a082e3853c125

SHA512
f5209920ee13f1f91dfd2d204d5572add4feef18bd4ac2a5c110b4d63d9b78df98ddabb6cc180c30263ce1467ba5e39e889f841978916998ac481a2c442372a5

Download Submit
memory/2824-0-0x000000002F2D1000-0x000000002F2D2000-memory.dmp

Filesize
4KB

Download
memory/2824-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2824-2-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download
memory/2824-67-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download