Analysis
- max time kernel: 148s
- max time network: 132s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-02-2021 08:56

Static task: static1
Behavioral task: behavioral1
  Sample: $267700.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: $267700.xlsx
  Resource: win10v20201028
General
- Target: $267700.xlsx
- Size: 200KB
- MD5: df0dbb4b27bda8afcdc08455003739e7
- SHA1: 86057b50f54296163776720171c21c2a946778e6
- SHA256: 86e3101420d0467712a6920229e34bce70e978598abb37373c53306f937f8db7
- SHA512: 4836c2aaf5dc450fb1a859770c735c1cfd2887dbeb779cc15c56e9a840f63e3a7d43d352dad3583eae4db2bcb7d31ea807f7f68258c258b423e9992c652cc3e2
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE, EXCEL.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  pid | process
  504 | EXCEL.EXE
  576 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WINWORD.EXE
  description | pid | process
  Token: SeAuditPrivilege | 576 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  pid | process
  504 | EXCEL.EXE (12 IoCs)
  576 | WINWORD.EXE (4 IoCs)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WINWORD.EXE
  description | pid | process | target process
  PID 576 wrote to memory of 3908 | 576 | WINWORD.EXE | splwow64.exe
  PID 576 wrote to memory of 3908 | 576 | WINWORD.EXE | splwow64.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\$267700.xlsx"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (child process)
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: 22ba402e0739745b8696dd96469a51f0
  SHA1: 9e96368116f98716356816f5788f9b121a1145f8
  SHA256: 5fc371f8c7a7d9f430866ad606d43872f0b138384d684a1aa88207ed937d34c7
  SHA512: 3dcbb7b6ffe1580492cfe7db070c4b13abb71e582b8c1ed224353bdab48e5e91a13dd123afd1ddd4fb0bbebb0f9cde5f129777ea18daba627ab0f0e2fa0a7c36
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: 9dc9b338c6ca616d4275e201f5ab8d2a
  SHA1: d052481960e1bcc934a0ea0c4ae2e5607800e93f
  SHA256: 25634344d36cb3c21ef2eac466ad693dbded949805e7a7d9b81a22fb9bc3b3e9
  SHA512: bda5c734c55c9dffdd0bd02791060636f469c99161dda430fd3e512a0ee14709bcefd85c32a154bcd0d48897721972d8ca10a914ac90ef8d93b69410890dd270
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\invoice_4152112[1].doc
  MD5: 2c15d6b5dacee38f2b9d5bb1236f0bc3
  SHA1: 9a217860103db9c5b8e0eb4d9c5e0d5667b8f390
  SHA256: 31e0ea87983451b4c759b630005e2cdfe620c49eebef6bd0d8552268abd322c7
  SHA512: 6babf0dea8f79d390f85723c2708b526bad9d0e3bda2ae22d274608428fdd9c769a85e26d575e77eba99b95e42a73295bc1d87a5ca88083e601fbafb37d46b24
- memory/504-2-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmp
  Filesize: 64KB
- memory/504-3-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmp
  Filesize: 64KB
- memory/504-4-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmp
  Filesize: 64KB
- memory/504-5-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmp
  Filesize: 64KB
- memory/504-6-0x00007FF803060000-0x00007FF803697000-memory.dmp
  Filesize: 6.2MB
- memory/576-10-0x00007FF803060000-0x00007FF803697000-memory.dmp
  Filesize: 6.2MB
- memory/3908-13-0x0000000000000000-mapping.dmp
- memory/3908-14-0x0000000002B50000-0x0000000002C51000-memory.dmp
  Filesize: 1.0MB