4e436e252a2d7f8e276cec984f96c0a89326b1af50b9075b116d450ef171a8e7

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lititruanjian/众邦2009立体软件/~$众邦文档.doc
Size

162B
MD5

b7ac0dce049e20893a45702c6b28b7bc
SHA1

dc8b746a3cde88c3ce01204d17fa25f7c095bb1c
SHA256

95899a7f08de44ecadca9e1ee5e2142934f1bf0daf0948c66212bca130775599
SHA512

c9187587e2fa54058abe0335872e197e304ee362a4aea52aa0c3fdd65b5065f35927ca926278c78f0ca50cd8707ceecf1cc999d6f93128c60c10125e3e45d10b

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2992	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\lititruanjian\众邦2009立体软件\~$众邦文档.doc"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2992-0-0x000000002FC21000-0x000000002FC22000-memory.dmp

Filesize
4KB

Download
memory/2992-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2992-2-0x000000007160D000-0x0000000071618000-memory.dmp

Filesize
44KB

Download