c8a8e382ba1f7d1ab4b00d3e03f63ca65b2e459f3b01006bf44b3cf9950b7ceb

Analysis

max time kernel
124s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8a8e382ba1f7d1ab4b00d3e03f63ca65b2e459f3b01006bf44b3cf9950b7ceb.docx
Size

17KB
MD5

86eeb037f5669bff655de1e08199a554
SHA1

f0a2bb57da87b579e5027631066a9652d64d67b7
SHA256

c8a8e382ba1f7d1ab4b00d3e03f63ca65b2e459f3b01006bf44b3cf9950b7ceb
SHA512

fc2fc717c6249bfc3a24abd754bd16325354ead054268c7585bef10ac8ebaa91e6f6c354e1de57cfee6ab9bcd8d044bf915d1d3080b0f4f450bac091626113ca
SSDEEP

384:o2fQ+vZ4D6L9bIsQj0OUeZFpLKQ+axX/mc7TmmK5:8ZD6L98sQjmSmM5ecum6

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\https:\moitt-gov-pk.fia-gov.net\659949null\file.rtf	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1316	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1316	WINWORD.EXE
1316	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 768	1316	WINWORD.EXE	30
PID 1316 wrote to memory of 768	1316	WINWORD.EXE	30
PID 1316 wrote to memory of 768	1316	WINWORD.EXE	30
PID 1316 wrote to memory of 768	1316	WINWORD.EXE	30

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c8a8e382ba1f7d1ab4b00d3e03f63ca65b2e459f3b01006bf44b3cf9950b7ceb.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{6EC7CD5A-690E-4EEF-A992-247A52C5E669}.FSD

Filesize
128KB

MD5
6d2ae837aeb0ac40d09bd4b3065af19a

SHA1
4f5cc8ee5a2e03c6ad0ea7c7eb77599bc49a600d

SHA256
27a8df248949fd00610f8080a4eb7cb7794c99128da750819b977e4660f08a91

SHA512
4992ae103ed4fa2c550cf2615d4916391563c230735d3bed6f75682d1b9b15f473c19f9891852ff999ca7013acb639a847aa2a0ae99c13613d66605203e389c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
519ad639274b2a0d6125967f278786f1

SHA1
60971e5d9ef08d54b9aa5c2ee196aa97be5b3015

SHA256
660e567fc65cb3783ab5362d40c30d6ed5257dc0eb5a2d2ccaed2b371a270d95

SHA512
1d4c94c9bf2d8cfc95a429fca16163e9c93c5642e132b270646bfdb25103d5de4633782ee960fdeb1ebbe285d835843f130a49c834fa10fd3281f0e532c339e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{76F88F4F-8910-4F16-8E74-7D1C36134C8F}.FSD

Filesize
128KB

MD5
21cf1c4baff99bf79d7ed6aeeebd09bd

SHA1
ca3b27e95e7698ac192d38c251f93c60e16e7036

SHA256
4aac6addd5d0d90af381b8cd4cfc47c47487a717daa4d73bf5250deb7c60f57b

SHA512
f35d8ef719370d9ced92a3c87c10ce9afac94708b7c1e95cecb30d0def4fe422c3dda79b122a87db7c179b5e65f239ba5d7d4dccc63d7cba07513e3237cb53da

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A9BEDFA3-CFCA-4C16-86CA-3C1230C9D2BD}

Filesize
128KB

MD5
8a77599942f7e698059174dc049279ed

SHA1
4b8999b9b026bc2ad004bf98222a604bdabe9c72

SHA256
054dc79c627fb32d21c43074c565c4ae26cf8ec21a0a075f6ed9f85bcbafddd7

SHA512
3bf1b9e0625574c2c80e9b3823ef5530a158e045f6292bc1cdd036b7357c0cbfa3e2b4eb7c05567fbc9328f279797f612618c919f9244fa70ac139c5c4d632ad

Download Submit
memory/1316-0-0x000000002F7D1000-0x000000002F7D2000-memory.dmp

Filesize
4KB

Download
memory/1316-2-0x000000007123D000-0x0000000071248000-memory.dmp

Filesize
44KB

Download
memory/1316-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1316-68-0x000000007123D000-0x0000000071248000-memory.dmp

Filesize
44KB

Download