270248e6a629a7d47374cf2c8a172000ca6790c7ab7e90eac0fdbac902122958

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/12/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc_main_0.docx
Size

113KB
MD5

8378772899278be4e5765a4c37d13b4d
SHA1

cf4fc162064e10d57e6be49ec298011497eaae2f
SHA256

71a948fcd9738c2762860dc25841a6eca1e23c9b372a3bb764359f29ba5782ed
SHA512

a0be03ca85dacce9e883c4946a3cdd35f31d34a9f86958825036d6f51526454dafb4a98a95311b6e649a054a099e96645da8dc7f6cb030d67641168decaeea34
SSDEEP

3072:WeBQAhNHh83WrtH8ynSlP2UUQk+CmLSZYu:PLvB83+cySlVYmLNu

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2636	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2636	WINWORD.EXE
2636	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 1616	2636	WINWORD.EXE	32
PID 2636 wrote to memory of 1616	2636	WINWORD.EXE	32
PID 2636 wrote to memory of 1616	2636	WINWORD.EXE	32
PID 2636 wrote to memory of 1616	2636	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_main_0.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
66a3b98638f213438c069badff8d34c0

SHA1
5bdd4a0034e7937cee5f4135111c162527f57a29

SHA256
7015a4264f86064a5f3fafc1bff669af4e87f992a7b53197ea61338065746b01

SHA512
cbcd82f43883a4d46be0d356d33bccd4a20c5d468eb8936e661ea84733edf16982b7bb996370cde2afd5a871e039f4664f067bcf2819fbbdb8532cc197551aa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{FEB94391-A0A0-4291-BEEF-9AF1971E0325}.FSD

Filesize
128KB

MD5
427de7b2aa89780b0aeb74e1d7a1fa89

SHA1
5ef60f05a6053deae784ff017e06583345753c1a

SHA256
f4403bc5596d34ca7ed5c0104c947d8580bafc2197387d4dcb69ea87ebc5c505

SHA512
cdb7eaf08795788f65f10cebe0dea61462400bd0fde155b26182a24fc3a3a18487c5bafebaef3d86e1425e58d55b9204a2a091a5e04583e8d81c0b822722aeab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
bbde015aa249424961244bbb8627d0d4

SHA1
618afdf1ba427165573e0bffb906904a163cd6d8

SHA256
4f0035dd7378eb94f708c07843989a479cd9e1f9a3ffa0843bbde314b6b1bf72

SHA512
dff574321653dedd0a3c9963aae9c3bd5f13bbe89f8e59f0be1be5bf11d0dd7c9ca8f006a193034f51c3c53e8da23fef98507b2b2a61879f0ba95e50ce4c261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4AEF3F59-7BF4-4EB6-869E-5B83E9E3A9C2}

Filesize
128KB

MD5
322c2807620aceb550c0e12c4adc4707

SHA1
b3a2311146e2d6f0fdcd4e8f54db1fd4cedcd33c

SHA256
38b4ddf6427ef995de375beaf0f3b3f1c98ace92314c8afc9b9652d75d97d8ec

SHA512
6fab8aa3d932d11caa2117ee1a24ca3c31c79c79fd6fd3e783cd9efe12f7a76b35ece22502e7b97494282f674764f8bfa9f9c0eb42b3f52baffff09e94b76125

Download Submit
memory/2636-0-0x000000002F551000-0x000000002F552000-memory.dmp

Filesize
4KB

Download
memory/2636-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2636-2-0x0000000070D0D000-0x0000000070D18000-memory.dmp

Filesize
44KB

Download
memory/2636-66-0x0000000070D0D000-0x0000000070D18000-memory.dmp

Filesize
44KB

Download