270248e6a629a7d47374cf2c8a172000ca6790c7ab7e90eac0fdbac902122958

Analysis

max time kernel
123s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/12/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc_main_17.docx
Size

120KB
MD5

3385539be81277524f7544ec50ec64d2
SHA1

ad9ce8f19e5e9443f4f931b5cfc0ad1a6dd0fa9d
SHA256

88c4e69990bf79f0d77b2d524ed2ec146f8f20e4ecad0a1f39eddd32b3ab3315
SHA512

886f4a61baeb5e00a19638b41a7ae2e497f76faf12a11279f9be1777c9c0784b3647404c5cdd801a0a1cb4d5f5a026664f6c155e42ce5799af247b6b20d674ce
SSDEEP

3072:WeBQAhNHh83WrtH8ynSlP2UUQk+CmLSZJP5zgy:PLvB83+cySlVYmLGPNgy

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2364	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2364	WINWORD.EXE
2364	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1092	2364	WINWORD.EXE	33
PID 2364 wrote to memory of 1092	2364	WINWORD.EXE	33
PID 2364 wrote to memory of 1092	2364	WINWORD.EXE	33
PID 2364 wrote to memory of 1092	2364	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_main_17.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
80a71d83ca4f979ccbc79f1dc45fe14d

SHA1
2c26f71393b22f9ed61a8b32e1bb42a2fd341c63

SHA256
46f103d8d54ce2a98d960aa6c25896076c80cbd08cf287e358583a6d880abeed

SHA512
5c96b183a7c4f1a60a28d52775dcfd4dbb83ef9bff11b7bae6e987f6ff77b83ea6e41388b7ac9ca655c3735652022e33a3dbef3be28c8788fb7ba16f698a476d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D3568DDD-5E86-41E8-A273-831A9D28D5DE}.FSD

Filesize
128KB

MD5
85ac02f318301f4fed1e2f9aa9e3ba22

SHA1
133652efa46daa2a79876d20b34ebc03c264d0ef

SHA256
a44637ad113975fd07c7a065b877e18af8cc39308d47ef103735ba008cf2af2c

SHA512
48d793b473af6bee34a72e5415146749d400b42f443a1af6c529dde9bd5c1b39bdc36e019e94911d316445b5e5faa266c07c912c6bf4ba9c60d201a70a49a98a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
2ffcd7f337061febb899e67bf27a8730

SHA1
eccc1392d6a3a54e6dc0a5d93511a91fc49f10b6

SHA256
45b43254fec2436b1846edd035a0068f962fc87fdd2239a684b0047c4e2cbff6

SHA512
0d8d61bb1ba49e083ce9897e6f06a85ad728ca0ffbabc09794f0542563fe5f81039e1e5f8fca93409e9085249b3ea227fe1910c2297dd88822f7ffbd2b880948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{5754746E-9F00-40DE-82F1-FC79A219F2C6}.FSD

Filesize
128KB

MD5
393466c517873e3de2c6ab14b1d58ab8

SHA1
1f8000b5942c3b1adf1ced89b79ddcc46f63f6e2

SHA256
fbbc4a629cbf78c1820c4f3280b69e00fd1789e032f6cc18f742228d31e59bd1

SHA512
0f42e1d6e02f57c8fe35eb7d653c5999389e7ea392a84a7d1cbac995dd37c4c5b0f41a1c1b76ed193a8e0f322e130c700d93d63fc9e4fa0cefd4144652f9be99

Download Submit
C:\Users\Admin\AppData\Local\Temp\{21D2DF04-F864-422A-9BF9-2088FBF5EDEF}

Filesize
128KB

MD5
49fb2d779d39d30e1cc7bdc0a501d3bb

SHA1
69e50ca05b7da55413bc7ce3467c1bc2dbf9e7be

SHA256
10f445fda71bffe0f9357ca965af47a9651129fca48546ce1cdf7a2c2b9146f9

SHA512
5ea1e86769b516af59fd052c53d0c40ab051d5883cbad9cef6c5ccb7d9cbdd3748276fb17069bb63f009fc36f5f765de99a1473377e0be9e8b40551b14e4f3ea

Download Submit
memory/2364-0-0x000000002FE31000-0x000000002FE32000-memory.dmp

Filesize
4KB

Download
memory/2364-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2364-2-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/2364-62-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download