Overview
overview
10Static
static
10ScreenCapt...r1.exe
windows7-x64
1ScreenCapt...r1.exe
windows10-2004-x64
1ScreenCapt...r2.exe
windows7-x64
1ScreenCapt...r2.exe
windows10-2004-x64
1ScreenCapt...rt.exe
windows7-x64
1ScreenCapt...rt.exe
windows10-2004-x64
1ScreenCapt...er.exe
windows7-x64
1ScreenCapt...er.exe
windows10-2004-x64
1ScreenCapt...ck.exe
windows7-x64
1ScreenCapt...ck.exe
windows10-2004-x64
1ScreenCapt...k1.exe
windows7-x64
1ScreenCapt...k1.exe
windows10-2004-x64
1ScreenCapt...k2.exe
windows7-x64
1ScreenCapt...k2.exe
windows10-2004-x64
1Setup (5).exe
windows7-x64
7Setup (5).exe
windows10-2004-x64
7Setup (6).exe
windows7-x64
7Setup (6).exe
windows10-2004-x64
7Supplement...16.scr
windows7-x64
3Supplement...16.scr
windows10-2004-x64
3T1.exe
windows7-x64
10T1.exe
windows10-2004-x64
10T1_b7afca7...b5.exe
windows7-x64
10T1_b7afca7...b5.exe
windows10-2004-x64
10TeenTube_90767.exe
windows7-x64
10TeenTube_90767.exe
windows10-2004-x64
10Trojan-Ran....a.exe
windows7-x64
3Trojan-Ran....a.exe
windows10-2004-x64
7Tuyen bo c...ed.doc
windows7-x64
4Tuyen bo c...ed.doc
windows10-2004-x64
1Tuyen bo c...ed.doc
windows7-x64
4Tuyen bo c...ed.doc
windows10-2004-x64
1Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:46
Behavioral task
behavioral1
Sample
ScreenCapture_Win8.MalwareScanner1.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ScreenCapture_Win8.MalwareScanner1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
ScreenCapture_Win8.MalwareScanner2.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
ScreenCapture_Win8.MalwareScanner2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
ScreenCapture_Win8.PopupAlert.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
ScreenCapture_Win8.PopupAlert.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
ScreenCapture_Win8.TaskServer.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
ScreenCapture_Win8.TaskServer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
ScreenCapture_Win8.WindowsLock.exe
Resource
win7-20241023-en
Behavioral task
behavioral10
Sample
ScreenCapture_Win8.WindowsLock.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
ScreenCapture_Win8.WindowsLock1.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
ScreenCapture_Win8.WindowsLock1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
ScreenCapture_Win8.WindowsLock2.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
ScreenCapture_Win8.WindowsLock2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
Setup (5).exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Setup (5).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
Setup (6).exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
Setup (6).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
Supplementary Agreement 26_01_2016.scr
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
Supplementary Agreement 26_01_2016.scr
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
T1.exe
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
T1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
T1_b7afca788487347804156f052c613db5.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
T1_b7afca788487347804156f052c613db5.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
TeenTube_90767.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
TeenTube_90767.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
Trojan-Ransom.Win32.Telecrypt.a.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
Trojan-Ransom.Win32.Telecrypt.a.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc
Resource
win10v2004-20241007-en
General
-
Target
Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc
-
Size
38KB
-
MD5
2d2bd96b7b99a4727dd3d01db91ed276
-
SHA1
90aff4cebf1741efab3123e3455cbb0181d9f9f7
-
SHA256
e6b15419059e833424e9c726e9b0b085d9f0fcb2cccbfe1025b0d0f8a1735a66
-
SHA512
8338a2a2bbfbae0c5dc705e677eb063aeaf87acc1f287d11046370cdaa697092a15d539b9c0ee40a0155a7cfb221b299d5a7a3c65c26fdb50aff4961186d6e4a
-
SSDEEP
384:Zjj08Mjar5mlCQTzQsBpD7FPWGwTvx5RSwYg0j3pAYtt/g8:JjMj+5mlCQT8sBxxP/wTJrJI
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1956 WINWORD.EXE -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1956 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1956 WINWORD.EXE 1956 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1956 wrote to memory of 1372 1956 WINWORD.EXE 32 PID 1956 wrote to memory of 1372 1956 WINWORD.EXE 32 PID 1956 wrote to memory of 1372 1956 WINWORD.EXE 32 PID 1956 wrote to memory of 1372 1956 WINWORD.EXE 32
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1372
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41KB
MD54079e910e438dfdd4068fe00d2b6761a
SHA1c097b9783ef8a851baaa763d22cdaab31291e9c0
SHA256585914b09ea8b68da303e384663d22a0513ec686b077f66c2440e99bbb14f759
SHA512b75288d96d8b55fb6e9f19795f73f2a5a53b9fbf452e3d7e49add2e3117dc21ec9ffa2c4f6a05eb7951a5193a930e1c270804c005a275e0bf10986f05f9f5f53