b39cc1ce2d546ee6683e73264aaf094f4dd0ddae3b77bba5e3c0384523e66110

General

Target

b39cc1ce2d546ee6683e73264aaf094f4dd0ddae3b77bba5e3c0384523e66110.docx
Size

84KB
MD5

e8eeca2b17300555ce982ae3368ea55e
SHA1

18b108ab1f73ef5e7ff61a2d3e0235976e412081
SHA256

b39cc1ce2d546ee6683e73264aaf094f4dd0ddae3b77bba5e3c0384523e66110
SHA512

cf9b2462b907438c33d96aaf82238d45e4bbe2d771bf97122fc774112f46bd0e568e4058df65b7dd6d4096043470265175b2df2c8b914de20b3c79d005433fa4
SSDEEP

1536:aYtb7ih7kPw17kG1hc2FjOppzOYN1TThLdvV5brdSp2:aYt3ixkw17kc/OppzOYH39JV5brdSp2

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2376	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2376	WINWORD.EXE
2376	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1992	2376	WINWORD.EXE	32
PID 2376 wrote to memory of 1992	2376	WINWORD.EXE	32
PID 2376 wrote to memory of 1992	2376	WINWORD.EXE	32
PID 2376 wrote to memory of 1992	2376	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b39cc1ce2d546ee6683e73264aaf094f4dd0ddae3b77bba5e3c0384523e66110.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{15B7C0C7-60B4-4B08-A6E8-C80185D74D6A}.FSD

Filesize
128KB

MD5
43855e9b7a5f2568073cd620e05dfbb7

SHA1
ddbbab0a24dd2b36404e2449a9841f6f3bc7bffc

SHA256
3b67f2ec4032720b329e761406cf05c45f942ef2b55e71cfad43391bbd313994

SHA512
672e08af6c74bcbdd8d7c32a68f401ffcdbe86950c9e16111a333751ff8ca1c454dbab09336c4a228348d7728119e66e88491d559e59c8ac23aada393d311dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
6ccb995c3ad399a46036bca9c54b9a7a

SHA1
b8c205f30053eb8c9b514f1f0d21851fb9e6ce25

SHA256
858ddf2a872b4b7a1151f675c4767e5520bea78d4beca4e23ba80d2c746290d1

SHA512
778b68f55f4efa752f751522c9701a755c85d34102eec0b412347ee07b1c6ab637b854aac4c51ed9cb1c32ca873278a74773780ae785c87a47e7e4f19e59ac64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6F1768CC-FF79-40DD-AFDF-675120E2082E}.FSD

Filesize
128KB

MD5
b32327ccf42a1f556846ccbb139ce916

SHA1
d3b84bba2d4feb166948641e677b7efac3f2b263

SHA256
1e70ffbc11f59b8b92d5c4f24a52115ef736e25a251928ec09cb3a3853440045

SHA512
4f33dac0387ecce07019012de373b74a52f96d71549f65c6baf0d98dc9a1c92ebc1eaea98b2c5ab72da98e091e36aad490684a43846933d00f1980029d1d2f47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\TtzpZ[1].htm

Filesize
3KB

MD5
31d56d865881b09d6c92f5f8f69d6634

SHA1
ad629a539b2e6b86bfd90b745e8176c9f58b702b

SHA256
73fcdb91d1fbcf1b5e5353af5c3105bfdaaca5a2e4b2dc698135e4820c097921

SHA512
e26d948f5fce36c67096594b7a639ae95dec5b8d69e2ffedb59113145b55b7de39186e10787953e303e34fcdcfdfa9c8372b15886f7f815a8418da7220820ef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\501F9AC4.svg

Filesize
4KB

MD5
e5c61878b60131a6ac8e94a80597f81d

SHA1
3b730bc3bbf3e56de4caa2389eac17bac1ad6997

SHA256
194f8974284cad509d798f11b1104d9dda63a550078e29c0725dedfb302024b1

SHA512
30ff13f4dd0153bb426c3e101a57524e7f29f1a2be879d0257f87a47eff8c2e069deadb064949b25b5e4200b5880645c8b71b5fceaec7be002b4d6c1f46fbd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CE177C7B-9669-4C75-B20D-DB2FD596916D}

Filesize
128KB

MD5
b45d32d765ed9024ebe3eaa225804138

SHA1
f1566dff01b2537f547124676d319090b81e4783

SHA256
57bebec1b97028ce080889909eb880237ae1e53f4b8f4934153ceef33f517f76

SHA512
9541bb68efeb16a90a8c882990f6fc01208f8555b01819bcec0e82e473c29fd5c03ad6823a98a0f6a1f5536973cf052dc84ec70a432dba8c6d1a1841878d9735

Download Submit
memory/2376-0-0x000000002F961000-0x000000002F962000-memory.dmp

Filesize
4KB

Download
memory/2376-2-0x000000007137D000-0x0000000071388000-memory.dmp

Filesize
44KB

Download
memory/2376-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2376-126-0x000000007137D000-0x0000000071388000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing