031527224e74b82bf16e639c666134674ecc8a6e648fed2f68255617bd6a3b18

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

632cfc71bd4734fdd98e48166a52fbc4a48d43640f3375fd882dd374479bffb1.doc
Size

9.3MB
MD5

aaa839e4993c07fdfba45afe8826d6bf
SHA1

3d00bce50c92b31c3d74d20c5451aedc6878a246
SHA256

632cfc71bd4734fdd98e48166a52fbc4a48d43640f3375fd882dd374479bffb1
SHA512

e3bca0a028a39e602b093069fb84a84ff13d7451ebaaf05dc127aa061ae7d096460133a3b8d726adedafd1dd08d09621197bf9e8747ac622bfedd909dec6f3cc
SSDEEP

98304:IydePKsBylarg6bY/J1ZKbTsBylarg6bY/J1ZKb2ayX0I6:IHisB2Eb01ZssB2Eb01Z820X

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mstsc.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2808	2644	mstsc.exe	WINWORD.EXE

Loads dropped DLL 3 IoCs

Processes:

WINWORD.EXEmstsc.exe

pid process

2644 WINWORD.EXE
2644 WINWORD.EXE
2808 mstsc.exe
Drops file in Windows directory 2 IoCs

Processes:

WINWORD.EXEmstsc.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
File created C:\Windows\Tasks\openvpn-gui.job mstsc.exe

pid	process
2644	WINWORD.EXE
2644	WINWORD.EXE
2808	mstsc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File created	C:\Windows\Tasks\openvpn-gui.job	mstsc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WINWORD.EXEmstsc.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2644 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

WINWORD.EXE

pid process

2644 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2644 WINWORD.EXE
2644 WINWORD.EXE

pid	process
2644	WINWORD.EXE

pid	process
2644	WINWORD.EXE

pid	process
2644	WINWORD.EXE
2644	WINWORD.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

WINWORD.EXEmstsc.exe

description	pid	process	target process
PID 2644 wrote to memory of 1676	2644	WINWORD.EXE	splwow64.exe
PID 2644 wrote to memory of 1676	2644	WINWORD.EXE	splwow64.exe
PID 2644 wrote to memory of 1676	2644	WINWORD.EXE	splwow64.exe
PID 2644 wrote to memory of 1676	2644	WINWORD.EXE	splwow64.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2644 wrote to memory of 2808	2644	WINWORD.EXE	mstsc.exe
PID 2808 wrote to memory of 2304	2808	mstsc.exe	cmd.exe
PID 2808 wrote to memory of 2304	2808	mstsc.exe	cmd.exe
PID 2808 wrote to memory of 2304	2808	mstsc.exe	cmd.exe
PID 2808 wrote to memory of 2304	2808	mstsc.exe	cmd.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\632cfc71bd4734fdd98e48166a52fbc4a48d43640f3375fd882dd374479bffb1.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1676
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\system32\mstsc.exe"
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "move /y "C:\Users\Admin\AppData\Local\Temp\openvpn-gui.lnk" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\openvpn-gui.lnk""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\openvpn-gui.lnk

Filesize
823B

MD5
a6716a28c760eafd1f2ba7279a351da6

SHA1
317f388247ffced79d643e4f0d7ea90165b7ac1f

SHA256
09a5e5fa1c0d760dda86fadf0febfad69fc512b9f4b102c000f1470d9d98fece

SHA512
a62a8bae1046a4e049cef426d98a24a395f571a837bc36022147e7f776ccefa3a7ff8bee2d49133abd0acfa1fa37436223763e1a0a1fba7bc97a47a3665891d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\churner.dll

Filesize
29KB

MD5
f7092de5f32c0df837fa7f947a3424af

SHA1
acc8123288c20b1c4ae67ef4f2b4028d9153239c

SHA256
97adb1700858b74f456f5cf681b0421d0be50e3aed1adea3d1b9694295723700

SHA512
f10d5c86a85d3d8be56fb5066fddd0474c71a36f280f475f4e3d6cc939718647f493665c4c9ea00c3d60f22f172019e2082c7090b54f730d02701f1cb3d34164

Download Submit
\Users\Admin\AppData\Local\Temp\churner.dll

Filesize
80KB

MD5
0546651845809bc22408fc50cb0d65d2

SHA1
3d5ef77d628c56ecce8997f6ec0e8bb10c135d66

SHA256
05d0eae0fe71eb89cbe6b752290004385d24511507dabd40e1e12fe2c271a06c

SHA512
86a63794dab6eacdb3b03569a9957c7ddd7c91269b7e75568857264a19c97617c33f09b2085e77308d3c4bfe1baa37f8793b0096a6ab5ba2442b51b00275bd6c

Download Submit
\Users\Admin\AppData\Local\openvpn-gui.exe

Filesize
45KB

MD5
87390e37e36622b054d4bdcbb7997b6c

SHA1
4d591f310318fd95a95109d7965a79729b65c69e

SHA256
5f067f86ad0f88a629263162810bf5052f5ebbd97d5d0de936311bb44c9f35e7

SHA512
285abb19138a5dd109dfc0e76f4a4f96b3731a84ca9229e6ef9315513b052fd7ad7b2e0392ac9becbf4caf2c9bbdbd87f5b66486fb2ae1385c1fbe6e1ed643dd

Download Submit
memory/2644-33-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2644-54-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2644-42-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2644-41-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2644-44-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2644-45-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2644-34-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2644-35-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2644-51-0x00000000025E0000-0x00000000025E6000-memory.dmp

Filesize
24KB

Download
memory/2644-88-0x00000000025E0000-0x00000000025E6000-memory.dmp

Filesize
24KB

Download
memory/2644-53-0x000000007164D000-0x0000000071658000-memory.dmp

Filesize
44KB

Download
memory/2644-0-0x000000002FF71000-0x000000002FF72000-memory.dmp

Filesize
4KB

Download
memory/2644-55-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2644-57-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2644-58-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2644-36-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2644-75-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2644-2-0x000000007164D000-0x0000000071658000-memory.dmp

Filesize
44KB

Download
memory/2644-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2644-87-0x00000000070D0000-0x00000000071D0000-memory.dmp

Filesize
1024KB

Download
memory/2808-52-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download