Analysis
max time kernel
123s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
27/01/2025, 15:11
Static task
static1
Behavioral task
behavioral1
Sample
=?UTF-8?B?0KHQvtGE0LjRjzEuZG9jeA==?=.docx
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
=?UTF-8?B?0KHQvtGE0LjRjzEuZG9jeA==?=.docx
Resource
win10v2004-20241007-en
General
Target
=?UTF-8?B?0KHQvtGE0LjRjzEuZG9jeA==?=.docx (the file name is an RFC 2047 encoded-word as used in MIME headers; the base64 decodes to the UTF-8 string София1.docx, so the submission kept the raw attachment header rather than the decoded name)
Size
81KB
MD5
b32ca4ff80111873bb76fc0c5ae27b9f
SHA1
883a364cea4445779fa7d7ffe8d1cca80127d5c5
SHA256
11a6be3842bc5d9610806c9a5b5fb2e7fe6f6efb484f0e8ca0052865344d1037
SHA512
be391018a6a0dee58f9478874e4f253f660509a1f7f6e35fb87f446140fa4c30dee3e61b92c0a1bdc24eaef79daaec3e80bb0936e416006e7764876f21a88efe
SSDEEP
1536:kvlTLO18p7FnT/dvnogRKVyqGljCdhPXjOSYFJEyKMsVTvGYhQuCgjzv:kvlTaSp7FjdQgQVyqQjGBq5mXhzC+v
Malware Config
Signatures
Abuses OpenXML format to download file from external location
Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (Process: WINWORD.EXE)
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: WINWORD.EXE)
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 2080 WINWORD.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2080 WINWORD.EXE (both occurrences)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2080 WINWORD.EXE wrote to memory of PID 1048 (procid_target 33), 4 identical events
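The first signature is the one worth triaging: it fires when a part of the OOXML package declares a relationship with TargetMode="External" whose target is off-host, which makes Word fetch that target when the document opens (remote template, linked OLE object, linked picture and similar). The report does not show which part or which URL, and its Network section is empty, so the fetch either never fired or was not captured; pulling the indicator out of the package statically is the reliable way to get it. The WriteProcessMemory and splwow64.exe entries are the 32-bit Word (Office14 under Program Files (x86)) on x64 Windows starting the print-spooler helper, which is expected and not by itself suspicious. The script below is an added example, not code from the report or the sandbox: it unzips a .docx, walks every .rels part, reports each External relationship and flags the ones whose type Office resolves at open time. The set of auto-fetched relationship types is analyst knowledge, not taken from the report, and the .docx it builds to run against is constructed here with placeholder URLs; it is not the analysed sample.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Office resolves while opening the document (analyst
# knowledge, not from the report). A hyperlink is also External but is only
# followed on click, so it is reported without the auto_fetch flag.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "image",
                    "subDocument", "externalLinkPath"}
# Off-host target: any URI scheme (http:, file:, ftp:) or a UNC path (\\host\share).
REMOTE_TARGET = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:|\\\\)", re.I)


def external_relationships(docx_bytes):
    """Scan every *.rels part in an OOXML package and return each relationship
    with TargetMode="External" as a dict. auto_fetch marks the ones Office
    follows without user interaction and whose target is off-host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in sorted(pkg.namelist()):
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rtype,
                    "target": target,
                    "auto_fetch": rtype in AUTO_FETCH_TYPES
                                  and REMOTE_TARGET.match(target) is not None,
                })
    return findings


def build_sample_docx(template_url, link_url):
    """Constructed minimal .docx (NOT the report's sample): settings.xml attaches
    a template at template_url, document.xml carries an ordinary hyperlink."""
    parts = {
        "[Content_Types].xml": (
            '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
            '</Types>'),
        "_rels/.rels": (
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}officeDocument" Target="word/document.xml"/>'
            '</Relationships>'),
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:body><w:p><w:hyperlink r:id="rId2"><w:r><w:t>link</w:t></w:r></w:hyperlink></w:p></w:body>'
            '</w:document>'),
        "word/_rels/document.xml.rels": (
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}settings" Target="settings.xml"/>'
            f'<Relationship Id="rId2" Type="{REL_TYPE_BASE}hyperlink" Target="{link_url}" TargetMode="External"/>'
            '</Relationships>'),
        "word/settings.xml": (
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:attachedTemplate r:id="rId1"/>'
            '</w:settings>'),
        "word/_rels/settings.xml.rels": (
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}attachedTemplate" Target="{template_url}" TargetMode="External"/>'
            '</Relationships>'),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URLs, constructed for the demo; replace the bytes with the real file.
    sample = build_sample_docx("http://template.example.invalid/t.dotm", "https://example.invalid/")
    for f in external_relationships(sample):
        flag = "FETCHED ON OPEN" if f["auto_fetch"] else "external"
        print(f"{flag:16} {f['part']} {f['id']} {f['type']} -> {f['target']}")
```

Run it against the real sample with `external_relationships(open(path, "rb").read())`. Relative External targets are reported but not flagged, since Word resolves those on the local filesystem; a UNC target is flagged because fetching it also leaks the user's NTLM credentials to the named host.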
Processes
1. "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\=_UTF-8_B_0KHQvtGE0LjRjzEuZG9jeA==_=.docx"
   Image: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
   PID: 2080
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\splwow64.exe 12288
      Image: C:\Windows\splwow64.exe
      PID: 1048
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0DF4F85E-907E-4CC7-A368-07C4DF7D7C43}.FSD
Filesize: 128KB
MD5: bee81e1d01d53c1948b8cb17547fac42
SHA1: 7438809b72f2487328dffcedf04ff6465f0085ec
SHA256: 3eb67d717f1feb2420a166d5bea7f1ac8e2818b57250135040dcc6dfb12bcc5a
SHA512: 8c3720d67e6275ccc268cface15d0889b453e62af4ae5a98c8a9a72cef5c6acb4202a0fabbb1fb26961ee38c85801d727323e894382862ae69114bb320a34da0

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize: 128KB
MD5: 5c890b8e48ac939d2c7bf9375a784b74
SHA1: a457e44b0a77eaa0cdeab668939110aab2bd1be5
SHA256: eb591fe3c9ded5d5e127dca22bc802f3b320436e0fad0661b0bb31c4efd769dd
SHA512: 4c05504aaca9231814bd01b0efbde381c3dd37e323860946407f0e3d9be404a4b6c0553cbe3c7cf943eb5486c1df6785e7857db409ce615ec35183de24edbe9e

Filesize: 133KB
MD5: bdf9149463746634ab95eeaba5d49660
SHA1: 4ccebb4488a7592ba2c3325edc9b29d8e30c6cf3
SHA256: 0624386927475fa35629167480ffe83a7c8d3ba1197dfd75b625285cfc5ba316
SHA512: 7dd68319fc369f993e44fd26291eada9b30e257a52a86209c96b3a1c091f147ab9f247e87d398a68e2855b65ed10199cd2de390803ef91cee09b3da1e68ebdcc

Filesize: 128KB
MD5: f3999d5d175cba554c9f259e77c9d64c
SHA1: e6a1a72fa0bd479a24fe2118bf749603e3a3ecfe
SHA256: 14832b31027b19c5357ee97315b643d41362f072f8ecc944a1d1be1a4f3dc1da
SHA512: 772e9607a140d40740f4ca9aaf099bbeacd156b3e2645c5b50a84582655f1a921b1357dbb8078c33faa2fd7c27e8faae4f76876da6260d2c672d438f00a81568