270248e6a629a7d47374cf2c8a172000ca6790c7ab7e90eac0fdbac902122958

Analysis

max time kernel
121s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc_main_18.docx
Size

116KB
MD5

560414515c152fbaaf795383e3e35f6b
SHA1

374b49e30e71a2ecd37a42ad90208caa9ccca455
SHA256

86e0df0941d6eaf4337e60765bcbb4e543045f1be9bf5d595fcbc3a018772297
SHA512

993ad8a57062a2033b5de64f342667aedf21cc02e371ab1d1e757a3fc0dfcc28a5535a80c5751fef4e32cbb53c7c9def325c2a6e43d042961bd88e1a3a20ddab
SSDEEP

3072:WeBQAhNHh83WrtH8ynSlP2UUQk+CmLSZd/P:PLvB83+cySlVYmLO

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2848	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2848	WINWORD.EXE
2848	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2520	2848	WINWORD.EXE	32
PID 2848 wrote to memory of 2520	2848	WINWORD.EXE	32
PID 2848 wrote to memory of 2520	2848	WINWORD.EXE	32
PID 2848 wrote to memory of 2520	2848	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_main_18.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{067F1603-954C-4CEA-8BD7-A035C3328405}.FSD

Filesize
128KB

MD5
aad392442488d4344bad5ce0d7c61849

SHA1
70867fad3ef1da5e8c6d2d55f055f681a2648031

SHA256
0b86ea1fbaa87317fd75c8a5b0aa64f29a4b208531705d42d4ad82dd629db5f2

SHA512
223fc2bcaa51c6c650938eef4b2b139222bb23163fd930dd1c9c54fce41aad8d0d6a5af8def5a56957b7b1d9a504048cc2c130eccb6003a5b1d1ffe9435ed9cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
9ee4a3922e75c910cfb6b938706d9e5d

SHA1
6079ca3d1ff38665136992f99cbe5b78b3659999

SHA256
9633072ca87c713168faeb35f7d293bd511a62a083774f51875a4c5f5b137987

SHA512
356b79eca6aefd01788e860a0967e1db52fd682484b104f5a346d4bf6033314bad0117fd004ff23770aa7e6d37593890db7859a0381681166de6169fcd4b2da8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D6207DF4-50EC-4E6C-8BBD-60B5ED351F2C}.FSD

Filesize
128KB

MD5
c9a2c64ad2db7c8edfa9660351d5ed94

SHA1
adb11d8873a963b8988d0770e5f2dd1386df38e6

SHA256
023a485aa3d2950341086684c07a85a988801eee542be725252cf03bd53566d5

SHA512
eb25099bef21628cfe4677c8a0561e07c42885367b4fd410723ea3ccb7ad58de5584fbabbbc4504758e215e5c761d3a5d663c4476c9b7b109a410b84f0bc9cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A2A5C2A0-413B-4951-8068-6F5B1D97B20F}

Filesize
128KB

MD5
8cc798879f6eff0ee89407b22b623e64

SHA1
9fae9444206064dc3a30e4c9a63e28223351b8de

SHA256
4086128943efefadc21eb040078fece4213df56b994d50dca6f7774be07935df

SHA512
1dc0f3c3152625353720cc2ae92a0a639a7187ecabc76e8c53b22508f8e52e52e3a9a6099802231643e0463da3a8de6b3ca9dded67beb1bcc258e41c3751926b

Download Submit
memory/2848-0-0x000000002F9F1000-0x000000002F9F2000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2848-2-0x000000007170D000-0x0000000071718000-memory.dmp

Filesize
44KB

Download
memory/2848-62-0x000000007170D000-0x0000000071718000-memory.dmp

Filesize
44KB

Download