270248e6a629a7d47374cf2c8a172000ca6790c7ab7e90eac0fdbac902122958

Analysis

max time kernel
123s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc_main_11.docx
Size

107KB
MD5

282cfbf72c087eeee07d50f1d753f81b
SHA1

29713ca07c8d665a6174195194e8f0addb2c7868
SHA256

f604a6d503515a6adb91cf5c8fb21bd5f4044326717730ee63c25366dbfee3eb
SHA512

20bf47b33b99ba68c3982b3033da87bcaab4108ec679e8cb60e749d60d57543fbf2a29a514771c85fe80fe06f1cc6b81002acf4c48b2a3e17b72755febd08d88
SSDEEP

3072:WeBQAhNHh83WrtH8ynSlP2UUQk+CmLSZRp2:PLvB83+cySlVYmLv

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1016	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1016	WINWORD.EXE
1016	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1356	1016	WINWORD.EXE	33
PID 1016 wrote to memory of 1356	1016	WINWORD.EXE	33
PID 1016 wrote to memory of 1356	1016	WINWORD.EXE	33
PID 1016 wrote to memory of 1356	1016	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_main_11.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{171E6709-CF4C-4007-9248-5992D19FA56E}.FSD

Filesize
128KB

MD5
c98e480e28ae5e6bbd9cf0914f9329a7

SHA1
669b400cdeb8c50b8c296ef50f9c3e9bea0d2cda

SHA256
a240473ae36f5895a1971fd52dc74e52114b23ffea7170d528bc471139f5ea35

SHA512
2b3f768deedebb1bebaf95b0c24640ad298e3a0ff80ac75ef331167755631729f073320c5f84c4bb17448941f95f7cb2956ed72354b8c483651054f793db56f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
039554c5c6bdd6f097848a4288351d07

SHA1
d3f010597d23406bda2e111b92e9cb1098818fbb

SHA256
a02d60cc72f07a7bfae202fcd7ead4c84073d832e1b877921523fcaf14df48d3

SHA512
9b9d0c0475eaec2f8cd371630b3b782a1ebcc532b032530c845449b959fba7ca9eb554d070e902b8e2c661e5dabdccc0e445ccff78a67bb0c7b018599c7d5d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F9C7B69A-B8C0-4D2D-B714-28344D0AACF1}

Filesize
128KB

MD5
e49712d2a7a667ef14da732a9a067dd7

SHA1
fbada32a0adadc10d8c6142c1c5d1bb7ce32f591

SHA256
64a4bcbef547228c8d865fb2b99cba689eec97d1a518ccc03ece27beff9a4311

SHA512
194e553e107cbfd99dcf712da218aaefc9f771e954c7d27f864fa6de93d6a11ba5b6bd6019152787c5988c9f6fbdf0cda67a16cb550253bbbeff8797a6a85e86

Download Submit
memory/1016-0-0x000000002F281000-0x000000002F282000-memory.dmp

Filesize
4KB

Download
memory/1016-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1016-2-0x00000000712CD000-0x00000000712D8000-memory.dmp

Filesize
44KB

Download
memory/1016-66-0x00000000712CD000-0x00000000712D8000-memory.dmp

Filesize
44KB

Download