Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2024 19:30
Behavioral task: behavioral1
Sample: gen steam.roblox/License-.rtf
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: gen steam.roblox/License-.rtf
Resource: win10v2004-20241007-en

Behavioral task: behavioral3
Sample: gen steam.roblox/gen-(1).exe
Resource: win7-20240903-en

Behavioral task: behavioral4
Sample: gen steam.roblox/gen-(1).exe
Resource: win10v2004-20241007-en
General
Target: gen steam.roblox/License-.rtf
Size: 192B
MD5: 048f563e590dcebfbd85bf3728df3791
SHA1: fe00a008f6d95dc14a84578045197d25c1f97616
SHA256: da1cd38070db8e4c12643ed6007be206c26392f47e8d5a898937f9379d2aae01
SHA512: 47ed4377afe15774dc2ef327858f2f28a0f17ae1e68bddc57898fc4b3654e98402ea8bed5f63342fa9d6f6b227a2f7fd6ccd601e59f5ee6132b4c4d8830b6d0f
Malware Config
Signatures

Drops file in Windows directory (1 IoC)
Processes: WINWORD.EXE
description: File opened for modification
ioc: C:\Windows\Debug\WIA\wiatrace.log
Process: WINWORD.EXE

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: WINWORD.EXE
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: WINWORD.EXE
pid: 2792, Process: WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE
pid: 2792, Process: WINWORD.EXE
pid: 2792, Process: WINWORD.EXE

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: WINWORD.EXE
description: PID 2792 wrote to memory of 2632, pid: 2792, Process: WINWORD.EXE, procid_target: 31
description: PID 2792 wrote to memory of 2632, pid: 2792, Process: WINWORD.EXE, procid_target: 31
description: PID 2792 wrote to memory of 2632, pid: 2792, Process: WINWORD.EXE, procid_target: 31
description: PID 2792 wrote to memory of 2632, pid: 2792, Process: WINWORD.EXE, procid_target: 31
Processes

1. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID:2792)
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\gen steam.roblox\License-.rtf"
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\splwow64.exe (PID:2632), child of PID 2792
      Command line: C:\Windows\splwow64.exe 12288