e3bd83b61c2deec0f5d6febbfc891be6fc52d2b546bafdf9b182032d845805a8

Analysis

max time kernel
125s
max time network
123s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
17-02-2025 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware-samples-master/2018-04-Common-Malware-Carrier/d347e095369aba294f674331054df8469b12d5e3260deb168827142d862f88d6.docx
Size

142KB
MD5

df55633ede8a7905083f6397513a4af2
SHA1

0e45b003bf33dc49037e0840a74f2221a10f625e
SHA256

d347e095369aba294f674331054df8469b12d5e3260deb168827142d862f88d6
SHA512

ef6a6110429db763921139ff853c3cb156152e61afa203b8c80d14816fd8a90f5a5f3edc3422875590538763f617179a616e7693a5c93e12a41ef6bbe3e49bd2
SSDEEP

3072:XnTQ/2Ml3BNjuz5ri6+Em0GncPoKSDJ4nVF6G:XTQ/24BNjwriFyPo2L

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Office\Common\Offline\Files\http://job.softline.top/banner.jpg	WINWORD.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2000	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2000	WINWORD.EXE
2000	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2228	2000	WINWORD.EXE	33
PID 2000 wrote to memory of 2228	2000	WINWORD.EXE	33
PID 2000 wrote to memory of 2228	2000	WINWORD.EXE	33
PID 2000 wrote to memory of 2228	2000	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware-samples-master\2018-04-Common-Malware-Carrier\d347e095369aba294f674331054df8469b12d5e3260deb168827142d862f88d6.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E90560BF-8510-4E0F-86FF-5ECE1BB2CB8F}.FSD

Filesize
128KB

MD5
19b1fba3e2505065e7e6b6f5c58e474f

SHA1
f28731d890fc0ab4b473e9868f914d3f8ff0d743

SHA256
0b8bfc858062cd82dec9ece1d3eea454a786db0a7ce1cc8f16cc88309b7484dc

SHA512
0bddb8aab8d3fe6bdb01c795381abba02d7994e3dd438d5e5f03c8266db47cb98dd7831e0f010d94bca4325a451b4680284ec4e8408d273de3fa28ad940e92fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4536298A-FFF9-4651-AB5F-3CE82F2E68D4}.FSD

Filesize
128KB

MD5
0bf8108d48db952aa7b15e23fb099364

SHA1
d36152fb9a4fee3c8dbe255d599cd33843820acb

SHA256
bea9a1bf653a252cf8dd013e683dc2f42885d8d8cff42ff12ebd6b773a37cc57

SHA512
81cce5502db088f7cbd27b86f431aaf14fa5dc61663a36628c69cb9e504392e0c18b194dbe3a0106d06930a0d3d0a9c194cef64a2a3a83f30795c2aad7a5aeed

Download Submit
C:\Users\Admin\AppData\Local\Temp\{96403F0C-948A-4163-8BCB-EF1715D0B33B}

Filesize
128KB

MD5
793105d41c8fcfbe62f42041a893332d

SHA1
e0c6f548fdb009676968f0d8b25efe01a3965bc7

SHA256
e193e45993ad8119f0e408600fc03efbd2564a58e1315129752cc60088505365

SHA512
b6ee08e3b51ee700671799dff9d07f655e649e03172062f8725d72e9bb4a09759d3eb458f84a8273da81ca6753fba4401d3baec826de719b55643d6a85de6fd3

Download Submit
memory/2000-0-0x000000002FAF1000-0x000000002FAF2000-memory.dmp

Filesize
4KB

Download
memory/2000-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2000-2-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download
memory/2000-72-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download