270248e6a629a7d47374cf2c8a172000ca6790c7ab7e90eac0fdbac902122958

Analysis

max time kernel
123s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/12/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc_main_15.docx
Size

114KB
MD5

7d5f178cb14ebce00f773854c3222bd6
SHA1

dab51bc741f72c1011a4a3b244e8f6f418443c98
SHA256

8c0f28ea5a7cbc63533b7e7d6b1acd29faee6284ab2dfa3cf6b8e19881f4e714
SHA512

2b31a1da9221434077dab5275869f3e2f97fafee1089a716f367f80cfbb6c62d9cb06b85c7be4bb4a9835f61cf3b8e26adda00d988162602890cf16860cd1c11
SSDEEP

3072:WeBQAhNHh83WrtH8ynSlP2UUQk+CmLSZEroAtF5:PLvB83+cySlVYmLGAtF5

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2004	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2004	WINWORD.EXE
2004	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2824	2004	WINWORD.EXE	33
PID 2004 wrote to memory of 2824	2004	WINWORD.EXE	33
PID 2004 wrote to memory of 2824	2004	WINWORD.EXE	33
PID 2004 wrote to memory of 2824	2004	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_main_15.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
3efe5bfb733d62f3fe6804b2eac4a7b8

SHA1
a2c4c079756b809e95863db95d555c39b3779116

SHA256
d8be73a686a1e6983f400f970a559962f88125fea70c9bab88d5a9a3da72cf36

SHA512
6d36aeeed715beef12b938f2e9ba67008d0beb6a9d5e82a5185118cf24ac94443a3ed11df77083abd4a2aacc03d51e50827f1a96b29ca3bdbedbacd11fcd86fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{FE530873-E44A-4CA8-9C61-AAFD563AA763}.FSD

Filesize
128KB

MD5
6595fcfb3f3b4e79f1b04917c2091862

SHA1
dad0279f1372247ae5c54a2ef60ac20e0209ca69

SHA256
bd286beae2ececac2b37df3712a26da3d54d216bd0b274d3b36815c10de083c9

SHA512
8ee78f1993d8f3d6d77c740834dd4f3811e7ecb1c0b61660c4881282766d7a500f653b7baf618ca4a271eff074ad1b662360fc4e415852980f1dcc0039448a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\{96F24BB4-5D9E-4B65-AD1F-A7AC705178B1}

Filesize
128KB

MD5
b184ed43241208f4f01a2bcba79b2dbf

SHA1
df74b47f9c5563100729134f4da6c27a97d8d1fc

SHA256
430f9dd146c2e078fac61d2c48bb3db5576d1ac60fafd469ec22ef8520c88440

SHA512
4a3df39427dd368855ce7f87ddd90ae0b52da1aa9245eeb3f8b040920b7966153b3e421bf26f319bf927556f246df6cdd8555ec2f012deca526788ca0ff3ac2d

Download Submit
memory/2004-0-0x000000002F061000-0x000000002F062000-memory.dmp

Filesize
4KB

Download
memory/2004-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2004-2-0x0000000070CBD000-0x0000000070CC8000-memory.dmp

Filesize
44KB

Download
memory/2004-66-0x0000000070CBD000-0x0000000070CC8000-memory.dmp

Filesize
44KB

Download