270248e6a629a7d47374cf2c8a172000ca6790c7ab7e90eac0fdbac902122958

Analysis

max time kernel
124s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc_main_1.docx
Size

121KB
MD5

0da59de6dd4b145c23f14c4592031515
SHA1

933eed6827b6f49a0f9b2c1af1fe838c39e4cfa2
SHA256

ff34dd776636f1e13ece8e4ae6ce31e10dbae28e4b8b15c37ff9655ea79a42b9
SHA512

490957ee59aa940535113e10caed00456aad37442366796a6eeb6d0d8c9c5e506d83b33ad4059715cec562a21ca58b9656926355305c3ed11c4cac4b9171d434
SSDEEP

3072:WeBQAhNHh83WrtH8ynSlP2UUQk+CmLSZtBpFoq7To:PLvB83+cySlVYmLioq7To

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3028	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3028	WINWORD.EXE
3028	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2424	3028	WINWORD.EXE	32
PID 3028 wrote to memory of 2424	3028	WINWORD.EXE	32
PID 3028 wrote to memory of 2424	3028	WINWORD.EXE	32
PID 3028 wrote to memory of 2424	3028	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_main_1.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2EE3622B-8DD7-4932-BCA7-21780FD76198}.FSD

Filesize
128KB

MD5
88154bb48489e8453fe373bb524df98f

SHA1
4e1db3068acace564ccf172b0484727d0194dd5b

SHA256
c24d818d5720ab7970b3bd0e796cbd36754ea6e41d755377fdf38dc94eb2e8a9

SHA512
e4b7a2caeb38308a630a6979aaf49598a3faaa4d6118b7b5f43f66f0e13c3a0e8ab7f12f0f9c4b3d66117dc0b8603ebf091bcfa49a76dffa387d64479854322a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
f54a99bf8a38b009fa1e528c1fae25bf

SHA1
34d29f60eb70959198c8ac8ba8d89ba8441bf205

SHA256
4544212fe2f015aabd9b6dbe27f153611883701fda964caaa4624ad07d9b468e

SHA512
c2e2d6271c10d165b688fc6536a990eff8dd3d3f0c21fb11e073745a9a026eeca933cb8b26ce63c8e483f7775d8dbaad5ced758e8c4617732e01c6fc6da5a323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
8456c95f591972f33cc3e3dfb026b9ec

SHA1
7dc6d31643ca2a8098407d606b6181922880e7a4

SHA256
c819e512790bae39c2ba0ffddec1abfb1decd619d1044bca08bd49d5158e5141

SHA512
bcea639b0006d2acfca8fe543d9a780356dd2e11569823afcbe238b6b99a7a5b00ce30336d47545808b2d0356374b73e71721ddd61e26b707391b85fb4ea9602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{74D63733-EEFA-483D-B879-EE1B8A1DCA9C}.FSD

Filesize
128KB

MD5
779c5d35cfb93efe19ea2a7da97d1608

SHA1
4c515ba0ae50b86a7807908a3123288d9d2c1e14

SHA256
e2829d1a7592eaa3af902595f81c490e42a3d5d3aea8c7876bdfb58ba7861451

SHA512
034c3e79af73a9ee83774b5bd0b3fac2c1b9cefb35065ca32a0f58696505972d535031314c3a13e59ed4e0ee1250bd3071336346da41671e3014852d0ba1ee1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ACFEA463-A699-42E2-8CA3-677E4283AE68}

Filesize
128KB

MD5
9a13e35fb9841888158a2066ed4615dd

SHA1
d969e4bfe1713c0fc5465c974342c736ac3daec3

SHA256
e4709bf01fdebbcb720a9cd25a5a93eee06ee1318d755f2ea4696f9c1cb79aa1

SHA512
9ca8b19de895fa52cf81039efb0fd765fae99f88526ac67e0d33628b3e54d3d63c32b8bc1c3b62d87f70d9abcc7c2bc66d93e0f7b9623b1760ec8de3bc920ca1

Download Submit
memory/3028-0-0x000000002F8C1000-0x000000002F8C2000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3028-2-0x0000000070B8D000-0x0000000070B98000-memory.dmp

Filesize
44KB

Download
memory/3028-66-0x0000000070B8D000-0x0000000070B98000-memory.dmp

Filesize
44KB

Download