ffc3ab51f9afc6124b648903a43847d36138f9f4582e426bf2c11025ec918fe2

Analysis

max time kernel
840s
max time network
837s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/Loving.rtf
Size

27KB
MD5

71f22b73d66adf2370bdf3f9ab941086
SHA1

c7cc8938570b412a89243b588ac7cf70b947c9b4
SHA256

ac214767bc378d05afeb52bfd90da5e544cbe6cbc819ecbe346c10b79e2f3ca2
SHA512

caf1adce4ed75278a66b80e4407cb30844295397bca5cdadd40d6c9f31e0e4049b330e977b4768eb4fcd83ce298fe4b521d3196e8e9e3bb8b05e41ae67733717
SSDEEP

768:tPFOmX30+d2EOkzwM0VbPDQTvkgyOWJg67:tPf30+WJQTC/7

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2100	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2100	WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2100	WINWORD.EXE
2100	WINWORD.EXE
2100	WINWORD.EXE
2100	WINWORD.EXE
2100	WINWORD.EXE
2100	WINWORD.EXE
2100	WINWORD.EXE
2100	WINWORD.EXE
2100	WINWORD.EXE
2100	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2952	2100	WINWORD.EXE	31
PID 2100 wrote to memory of 2952	2100	WINWORD.EXE	31
PID 2100 wrote to memory of 2952	2100	WINWORD.EXE	31
PID 2100 wrote to memory of 2952	2100	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Loving.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
295B

MD5
0775a7fd820a62e63775b68e38f8a97b

SHA1
ca413dbe619862b4a30ddc1003bad745161d6cb2

SHA256
4a21431e63b9bfabdea809e1656a650b8d853d8f89e6be3add3b419f12e87fb9

SHA512
af640dae67d6cc0988355b5924a75c8daae036f5467c05782c270eaea28c160a04fc382d73617f937991d4f37cb02d78d6d33852e061eed6ac4113fcacf8162d

Download Submit
memory/2100-0-0x000000002F1E1000-0x000000002F1E2000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2100-2-0x0000000071A5D000-0x0000000071A68000-memory.dmp

Filesize
44KB

Download
memory/2100-5-0x0000000071A5D000-0x0000000071A68000-memory.dmp

Filesize
44KB

Download