c222037658ff24487ed5d647c31e89bc07ac8a96c5dfbb133b2f9187d1c846dc

Analysis

max time kernel
66s
max time network
107s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-03-08_1157.doc
Size

548.3MB
MD5

df03ab3720154f245c109759ae06913e
SHA1

1f4ae4072ca354d3337f578b74b7526f7fb2bbee
SHA256

a85fa869a88e0c5464efb2e86ab86b97035374ea96bcc9c59a4fd7f7e3ba5de1
SHA512

cdc65bbde648ac2349b566003be8b6f9f9a74c1439f09faa81d0d3b29ff4037be57d9bbb4a2588847b1ac528cec82c5e205ac02862dfd64cac90ea0c0e3d0b56
SSDEEP

6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2296	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2296	WINWORD.EXE
2296	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 948	2296	WINWORD.EXE	30
PID 2296 wrote to memory of 948	2296	WINWORD.EXE	30
PID 2296 wrote to memory of 948	2296	WINWORD.EXE	30
PID 2296 wrote to memory of 948	2296	WINWORD.EXE	30

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-08_1157.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2296-0-0x000000002FEF1000-0x000000002FEF2000-memory.dmp

Filesize
4KB

Download
memory/2296-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2296-2-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download
memory/2296-133-0x0000000005960000-0x0000000005A60000-memory.dmp

Filesize
1024KB

Download
memory/2296-444-0x0000000005960000-0x0000000005A60000-memory.dmp

Filesize
1024KB

Download
memory/2296-425-0x0000000005960000-0x0000000005A60000-memory.dmp

Filesize
1024KB

Download
memory/2296-460-0x0000000005960000-0x0000000005A60000-memory.dmp

Filesize
1024KB

Download
memory/2296-449-0x0000000005960000-0x0000000005A60000-memory.dmp

Filesize
1024KB

Download
memory/2296-467-0x0000000005960000-0x0000000005A60000-memory.dmp

Filesize
1024KB

Download
memory/2296-551-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download
memory/2296-552-0x0000000005960000-0x0000000005A60000-memory.dmp

Filesize
1024KB

Download