328d5021590bf808545e470fbfb153f96d61f48f518e6c8a7c98d8d03d796dfc

Analysis

max time kernel
129s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa92a3fc1435e17c3200534f0dc9bc7225a05587_1633535444644.docx
Size

10KB
MD5

b7c251065c3568dc920204dfcf8f926f
SHA1

aa92a3fc1435e17c3200534f0dc9bc7225a05587
SHA256

ec4ca439612dd82e0c3083832277f8d6d310cdec17cb77f73fe378fd62dd8cc2
SHA512

232df1c3114e07b5eaf0473f0789668f096336c0d52d3e5414a6128ed8e8d4c89c9868256a08a1eea92f2dbda66eee00649b2000fc20725765cf596773aabb08
SSDEEP

192:ScIMmtPp8G/btCX0iSOcchWamWBXfc3zMaoN:SPXxrtCEiSOz0o0a

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Common\Offline\Files\http://107.172.13.160/---.----.-------------------....-.-.-.-.-.-.-.-.......------------/.-.-.-.-.-.-.-.-.-..-.------------..........wiz.wiz	WINWORD.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

WINWORD.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2540 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2540 WINWORD.EXE
2540 WINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2540	WINWORD.EXE

pid	process
2540	WINWORD.EXE
2540	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2540 wrote to memory of 2676	2540	WINWORD.EXE	splwow64.exe
PID 2540 wrote to memory of 2676	2540	WINWORD.EXE	splwow64.exe
PID 2540 wrote to memory of 2676	2540	WINWORD.EXE	splwow64.exe
PID 2540 wrote to memory of 2676	2540	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aa92a3fc1435e17c3200534f0dc9bc7225a05587_1633535444644.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{960C62B8-94E8-4F1F-BD02-5C076B1F0ADD}.FSD

Filesize
128KB

MD5
41c1081ac6a6ba2022398ae51d180ed0

SHA1
90ca3d39c623abd8e942b9f5561047270c5429ce

SHA256
1ea720de003100af7baf2c2d935d5338602e2719aaf2629411c55a4ef9c6661b

SHA512
92ab902657966854cbc6b59b732ebdf4f3216e7a08cdb68c7eb7a24995c672666aa979a1fc6de6027fd6941496a1511420c12ab16e02db138736c03bc5194457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
0d1e814f57186d58963abe8111d3a638

SHA1
b1e2bc3f8c2ce8690914a86f57a3147167d87bd3

SHA256
0cca1becec34b1c82c85669a6db61079844d3489df53a0b694837c65288bf8d1

SHA512
38e5609b0da8a9049693f710448818e0d0cb48f88f3b038c4cfcc0b19b9728f0d6696f1ba12c0766e1901afd19b3b06f6ac3835eb026d0409792058a687273fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{651D554B-DD76-4219-A48D-5F2DA572ABE2}.FSD

Filesize
128KB

MD5
9831d0d705f67f650c23d64ffdc2251e

SHA1
4c0c40218b0e63cd222b3a2da31d3d5c6aec9e4a

SHA256
f7b6842003d058f02817e17a3334955eccf19cd6487cb943186011977df5e764

SHA512
f05f20df32d3edf418ca5940e70378fdf970cf07a90b31e97e589c06263abe9d760d581a37eceab7c08b0ae0df1295310c9e01c0eb17017336478448edea0a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\{474705EB-2FE6-43AE-B63D-A41A06FCCACA}

Filesize
128KB

MD5
efbe5d55c9e100b579de18d3b66f0106

SHA1
46a88e9f957df8d127b7c069652e4da57c2b0a00

SHA256
0aaedc38ffca350399707e689e400383353eaa8a6c15275003557713082af3cc

SHA512
2455ae4bf6fd3c4600a87afe1d880f2c18d035e52e5fcfd074ec018f96ba9115aa3df77ab75b5e21b4bf48716ce0bb7e5f50d51c1fa0c66aca997895af9a0ea8

Download Submit
memory/2540-0-0x000000002F331000-0x000000002F332000-memory.dmp

Filesize
4KB

Download
memory/2540-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2540-2-0x00000000710FD000-0x0000000071108000-memory.dmp

Filesize
44KB

Download
memory/2540-62-0x00000000710FD000-0x0000000071108000-memory.dmp

Filesize
44KB

Download