a681967d5d91f1def07dcde80d561b9621381760b781c970746673d53e7bfcd7

General

Target

PO AR483-1590436 _ J-3000 PROJT.xlsx
Size

55KB
MD5

245fa98d0fc156ccd21c92b31ec8c5c7
SHA1

b5cabd660aafef98fc3fbc987aa1bc4d5884fa17
SHA256

a681967d5d91f1def07dcde80d561b9621381760b781c970746673d53e7bfcd7
SHA512

b78e1f36524ddb9a76d36ee809150bd8cf0f2a0a3ae747d79046e6cb5a14e863485e0740c2a860b7f40be19b70f2607c0cd9f1a753facf8c41d4c7c2cd22c3b7

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4040 EXCEL.EXE
2180 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 2180 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4040 EXCEL.EXE
4040 EXCEL.EXE

description	pid	process
Token: SeAuditPrivilege	2180	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4040	EXCEL.EXE
4040	EXCEL.EXE
4040	EXCEL.EXE
4040	EXCEL.EXE
4040	EXCEL.EXE
4040	EXCEL.EXE
2180	WINWORD.EXE
2180	WINWORD.EXE
2180	WINWORD.EXE
2180	WINWORD.EXE
4040	EXCEL.EXE
4040	EXCEL.EXE
4040	EXCEL.EXE
4040	EXCEL.EXE
4040	EXCEL.EXE
4040	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2180 wrote to memory of 2824	2180	WINWORD.EXE	splwow64.exe
PID 2180 wrote to memory of 2824	2180	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO AR483-1590436 _ J-3000 PROJT.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
d17a5e66993fef37edaf19d505111ace

SHA1
8373a9b613ec14209fb026df8815ee67f448543b

SHA256
82779f7847fe1256dd4c22c678a33018229db19f74d17869b10091df6e2bd8a6

SHA512
09d8126aeddae3e4aa9c5b43d802fc99ec5b98b3c16daad6e66037fc65704e3eaf10de3f5b8dc46b316db8e0206f682b0b4485048dc11966e4e7be410c68fa38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
234426a4a921af156baa4cdbfe82ee03

SHA1
87525d6043ac5efeb4e1c8e3822d012daa6f99aa

SHA256
485c62890ef64f4580abcf85b8d707510db0ae1f4e6dcd88f56a949716f29844

SHA512
edc4834626272e456105ea7984941570195fc823e0484a78725428811f370282a46055dfc3b779489d62a7b5eb94a107fee8be80f96d5ff8eb11f5cb9172f18f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DAF2A699-8A90-40A1-9708-BA5109EF50B1
MD5
1a59de567c070e5976263553d7e987ea

SHA1
ded3388f80a2c439e1668013617a0cf9fce38a63

SHA256
62ef40435b4f8cabdebddad33f9f04aebbaf1cd90ccea056f9e57eb71684a1f2

SHA512
4aa9ba033ed062ae545c87183b25e65ae20ab3309b06b296dcd9e0129bf3d9371bcfd9d641dbf5c44309bd997d78f436ec00258568332a4b45ca23640a15a48a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\document[1].doc
MD5
6d238a412f808d2c4c56865d7f4c4d16

SHA1
cf2c952dd7303167d7e666763dcf278088190f52

SHA256
a4ab58cc18771c7141e96d45714b7aeb046ff7173ec5266f08da7b28d411744e

SHA512
764bc68ac1f55d2b0b717ec8434f22c8bc5baf50cfa517e8d0fbae22f2419332d33f67d5dc41bab415e5e68af9b42c41df8262f25ea105f65c4984e8c5c3fbe8

Download Submit
memory/2180-10-0x00007FFFF3870000-0x00007FFFF3EA7000-memory.dmp

Filesize
6.2MB

Download
memory/2824-15-0x0000000002ED0000-0x0000000002FD1000-memory.dmp

Filesize
1.0MB

Download
memory/2824-14-0x0000000000000000-mapping.dmp

Download
memory/2824-16-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/4040-6-0x00007FF7CF480000-0x00007FF7CF490000-memory.dmp

Filesize
64KB

Download
memory/4040-5-0x00007FFFF3870000-0x00007FFFF3EA7000-memory.dmp

Filesize
6.2MB

Download
memory/4040-2-0x00007FF7CF480000-0x00007FF7CF490000-memory.dmp

Filesize
64KB

Download
memory/4040-4-0x00007FF7CF480000-0x00007FF7CF490000-memory.dmp

Filesize
64KB

Download
memory/4040-3-0x00007FF7CF480000-0x00007FF7CF490000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads