Analysis

max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20250207-en
resource tags: arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
submitted: 25/03/2025, 19:55
Behavioral task: behavioral1
  Sample: 70fa2300d7932ab901c19878bf109bdd9e078e96380879ca2ce2c3f9fc5c7665.docx
  Resource: win7-20250207-en

Behavioral task: behavioral2
  Sample: 70fa2300d7932ab901c19878bf109bdd9e078e96380879ca2ce2c3f9fc5c7665.docx
  Resource: win10v2004-20250314-en
General

Target: 70fa2300d7932ab901c19878bf109bdd9e078e96380879ca2ce2c3f9fc5c7665.docx
Size: 52KB
MD5: 90a59c16d670fd77d710516299533834
SHA1: 25c0a651d7bdfdfca2f37160837829bea669c5f7
SHA256: 70fa2300d7932ab901c19878bf109bdd9e078e96380879ca2ce2c3f9fc5c7665
SHA512: 99382bae4f1c8ac9c1cca47083ec321403d421e94d3036407b6f311e417c55e41ef11a404723a2e31ebaa5e0ef2b3181ba662987ee020b15a1e1c9045a2172dc
SSDEEP: 384:Mo8AY64U4jOHgiI/6iSY5UFXoOfYxFSAtcwqVCM+V0hxtjiK6yOrX0jui3M:t/7dRc6lCMvxp6yOL5i
Malware Config

Signatures

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid    Process
  1336   WINWORD.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid    Process
  1336   WINWORD.EXE
  1336   WINWORD.EXE
  1336   WINWORD.EXE

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid    Process       procid_target
  PID 1336 wrote to memory of 2212   1336   WINWORD.EXE   31
  PID 1336 wrote to memory of 2212   1336   WINWORD.EXE   31
  PID 1336 wrote to memory of 2212   1336   WINWORD.EXE   31
  PID 1336 wrote to memory of 2212   1336   WINWORD.EXE   31
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\70fa2300d7932ab901c19878bf109bdd9e078e96380879ca2ce2c3f9fc5c7665.docx"
  PID: 1336
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2212