86e3101420d0467712a6920229e34bce70e978598abb37373c53306f937f8db7

General

Target

$267700.xlsx
Size

200KB
MD5

df0dbb4b27bda8afcdc08455003739e7
SHA1

86057b50f54296163776720171c21c2a946778e6
SHA256

86e3101420d0467712a6920229e34bce70e978598abb37373c53306f937f8db7
SHA512

4836c2aaf5dc450fb1a859770c735c1cfd2887dbeb779cc15c56e9a840f63e3a7d43d352dad3583eae4db2bcb7d31ea807f7f68258c258b423e9992c652cc3e2

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

504 EXCEL.EXE
576 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 576 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	576	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
504	EXCEL.EXE
504	EXCEL.EXE
504	EXCEL.EXE
504	EXCEL.EXE
504	EXCEL.EXE
504	EXCEL.EXE
504	EXCEL.EXE
504	EXCEL.EXE
504	EXCEL.EXE
576	WINWORD.EXE
504	EXCEL.EXE
504	EXCEL.EXE
576	WINWORD.EXE
504	EXCEL.EXE
576	WINWORD.EXE
576	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 576 wrote to memory of 3908	576	WINWORD.EXE	splwow64.exe
PID 576 wrote to memory of 3908	576	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\$267700.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:504

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
22ba402e0739745b8696dd96469a51f0

SHA1
9e96368116f98716356816f5788f9b121a1145f8

SHA256
5fc371f8c7a7d9f430866ad606d43872f0b138384d684a1aa88207ed937d34c7

SHA512
3dcbb7b6ffe1580492cfe7db070c4b13abb71e582b8c1ed224353bdab48e5e91a13dd123afd1ddd4fb0bbebb0f9cde5f129777ea18daba627ab0f0e2fa0a7c36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
9dc9b338c6ca616d4275e201f5ab8d2a

SHA1
d052481960e1bcc934a0ea0c4ae2e5607800e93f

SHA256
25634344d36cb3c21ef2eac466ad693dbded949805e7a7d9b81a22fb9bc3b3e9

SHA512
bda5c734c55c9dffdd0bd02791060636f469c99161dda430fd3e512a0ee14709bcefd85c32a154bcd0d48897721972d8ca10a914ac90ef8d93b69410890dd270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\invoice_4152112[1].doc
MD5
2c15d6b5dacee38f2b9d5bb1236f0bc3

SHA1
9a217860103db9c5b8e0eb4d9c5e0d5667b8f390

SHA256
31e0ea87983451b4c759b630005e2cdfe620c49eebef6bd0d8552268abd322c7

SHA512
6babf0dea8f79d390f85723c2708b526bad9d0e3bda2ae22d274608428fdd9c769a85e26d575e77eba99b95e42a73295bc1d87a5ca88083e601fbafb37d46b24

Download Submit
memory/504-2-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmp

Filesize
64KB

Download
memory/504-3-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmp

Filesize
64KB

Download
memory/504-4-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmp

Filesize
64KB

Download
memory/504-5-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmp

Filesize
64KB

Download
memory/504-6-0x00007FF803060000-0x00007FF803697000-memory.dmp

Filesize
6.2MB

Download
memory/576-10-0x00007FF803060000-0x00007FF803697000-memory.dmp

Filesize
6.2MB

Download
memory/3908-13-0x0000000000000000-mapping.dmp

Download
memory/3908-14-0x0000000002B50000-0x0000000002C51000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads