c724c89a3f64371dae74905f9f252cd3e35dcd61ca579ec0d5f4b627d0db0821

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94429686734738455549179233.doc
Size

504.2MB
MD5

9ca28b337106a2abcfc09db4a86d48cd
SHA1

54e86e9e8355f41a8a6d96ac7eef3473e213037d
SHA256

dcb4a3d259430a637ed0b54de85008fbfd288d62ad846450ea89ab60908e18fa
SHA512

9559ad3521d03d1bdd689b7889f40018596f108509044d71580716c021e7679684ff13409c848a7a43ffbb292e4d1138b1d3967202ebf827e498a0f75797f7b9
SSDEEP

3072:vpt3LDPYvrTr3jvZNWGBStinoLVMcXyHtt5YC7EGIuGEMYDDK6:H3AvrTPRUGpmpXqWCoGIuGEMY

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1908	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1908	WINWORD.EXE
1908	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2288	1908	WINWORD.EXE	34
PID 1908 wrote to memory of 2288	1908	WINWORD.EXE	34
PID 1908 wrote to memory of 2288	1908	WINWORD.EXE	34
PID 1908 wrote to memory of 2288	1908	WINWORD.EXE	34

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\94429686734738455549179233.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1821B93C351177A2EDC5BC815FB5A33

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
47f8357e940edd4a020aa79495533e99

SHA1
53fe4545aa97690db9ed1e12a585f1ec0b2b173e

SHA256
134d0dd7e86e484bfcaa8603eebcc158c295f2bf92dfdf62dc35673db908c918

SHA512
877566eea297203832f03b68e9258c21a62825883cbc191594d9de4860c1d7882c39428d85f510055d919d00bae6f4e8703ca39592e25c8ac91a4841a690e99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF01C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF08C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1908-15-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-11-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-30-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-31-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-29-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-28-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-27-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-25-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-24-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-22-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-21-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-32-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-19-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-18-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-16-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-0-0x000000002F3B1000-0x000000002F3B2000-memory.dmp

Filesize
4KB

Download
memory/1908-14-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-13-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-12-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-23-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-10-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-9-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-8-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-7-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-6-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-5-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-26-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-127-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-59-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-20-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-17-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-4-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-371-0x000000007123D000-0x0000000071248000-memory.dmp

Filesize
44KB

Download
memory/1908-372-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-373-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/1908-2-0x000000007123D000-0x0000000071248000-memory.dmp

Filesize
44KB

Download
memory/1908-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download