b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

metrofax.doc
Size

221KB
MD5

28e855032f83adbd2d8499af6d2d0e22
SHA1

6b590325e2e465d9762fa5d1877846667268558a
SHA256

b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e
SHA512

e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34
SSDEEP

3072:zVIfFuR6AqFMa2fL3NtkWL90y7K4mlQCww7zDTW6HNRn0nPmaw:zVIf8RsOtZclptz78Pk

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2752	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2752	WINWORD.EXE
2752	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2712	2752	WINWORD.EXE	31
PID 2752 wrote to memory of 2712	2752	WINWORD.EXE	31
PID 2752 wrote to memory of 2712	2752	WINWORD.EXE	31
PID 2752 wrote to memory of 2712	2752	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\metrofax.doc"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DF00488.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp

Filesize
802KB

MD5
0d3d82514dbb0715dfac5cb27712bcbb

SHA1
2c0c8bce048cd43b35c30d8ff7987a4de9579dcc

SHA256
01e9a7ea192348a96a02e2c4ca0b5fe1c12491eeff3997081c09df316d79d6e0

SHA512
93df268305ebc001f5d399279f42bcd0e9d751e21a0a1824f0f206b1ac6a28eb60ccf4d853908207b378b5a4066190a8529efbc5579abadb55a51d0f4ed5088a

Download Submit
memory/2752-0-0x000000002F711000-0x000000002F712000-memory.dmp

Filesize
4KB

Download
memory/2752-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2752-2-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download
memory/2752-4-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-5-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-6-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-10-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-8-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-12-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-15-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-16-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-17-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-18-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-21-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-20-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-23-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-25-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-29-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-31-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-35-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-41-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-44-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-42-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-40-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-39-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-37-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-36-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-34-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-33-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-73-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-72-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-71-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-70-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-69-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-68-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-67-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-53-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-32-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-30-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-28-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-27-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-26-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-24-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-19-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-14-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-11-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-9-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-7-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-43-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-38-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-75-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download
memory/2752-76-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/2752-77-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download