50892efc8fef1e340e817accb42857ed930508a1c89cc2f506c8a127db9cbe9a

Analysis

max time kernel
240s
max time network
244s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vaultFile1141088409326926723.vol
Size

71KB
MD5

66f1ee448af50534011090b47c6500f5
SHA1

9dcfe0d4aeaad70dfa8b2673d545e96bb7414cd7
SHA256

90a81c8258e1783dcf3e035221d4b1bfc96a9a10e96dda1a6057f60c3ff42dc6
SHA512

4f40353ccf1c0ccd7d9d0a008b5ba0f64260a268c865ff99a857a9089cda1385d005860474a27cc4e67229767a8363e15af9f83ed17f25dbc349aa8b457228ea
SSDEEP

1536:UCEOCYLu/kB5B6DzkHQ1J5//RI33t72OVjg1ReCBuxUx:z2kB5B6DzkHQ1JB/RI330OVERd

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2416	WINWORD.EXE
1688	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2820	AUDIODG.EXE
Token: 33	2820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2820	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2416	WINWORD.EXE
2416	WINWORD.EXE
1688	WINWORD.EXE
1688	WINWORD.EXE
1688	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2908	2256	cmd.exe	31
PID 2256 wrote to memory of 2908	2256	cmd.exe	31
PID 2256 wrote to memory of 2908	2256	cmd.exe	31
PID 1688 wrote to memory of 2668	1688	WINWORD.EXE	42
PID 1688 wrote to memory of 2668	1688	WINWORD.EXE	42
PID 1688 wrote to memory of 2668	1688	WINWORD.EXE	42
PID 1688 wrote to memory of 2668	1688	WINWORD.EXE	42

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\vaultFile1141088409326926723.vol
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\vaultFile1141088409326926723.vol
  2⤵
  - Modifies registry class
  PID:2908

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2996

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\vaultFile1141088409326926723.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2416

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\vaultFile1141088409326926723.docm"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
2c3e1e9685a0117b6794e7434f8a1359

SHA1
1e614a3b47fc2897d3c9aff4ef3b8734f7714b3d

SHA256
75cf20b900a315262b388b5abe609bc5c2607c8f35716e722758a92c03201617

SHA512
6fc9f4838fd197e10f0dedfe0c43c9e017112033797b46ab4eb2dd6ac21b46d078b426b107adf2fc11a1db7785ceadd0f37d6542fd73225f563b7f03c8fb89a8

Download Submit
memory/1688-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2416-24-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2416-44-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download