Analysis
- max time kernel: 147s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 05-07-2022 12:14
- Static task: static1
- Behavioral task: behavioral1 (Sample: 88160011B.xlsx, Resource: win7-20220414-en)
- Behavioral task: behavioral2 (Sample: 88160011B.xlsx, Resource: win10v2004-20220414-en)
- Behavioral task: behavioral3 (Sample: decrypted.xlsx, Resource: win7-20220414-en)
- Behavioral task: behavioral4 (Sample: decrypted.xlsx, Resource: win10v2004-20220414-en)
General
- Target: decrypted.xlsx
- Size: 35KB
- MD5: 3910d5d3b292f25def60bb76fbf17f9a
- SHA1: 0f0fbab3541b7f82cf95f207293a5c0e1935f115
- SHA256: 1edcbce9fb67ee7b09caf7a75f2f5d55ef61e3238d265b1e25fa78b8aaeb30e5
- SHA512: dc800cbbfedf12c57128e198c9b0d662dc680cda47159753e79914d688c7de7b177d9fc9c95b46afd9379edb2976ccb538e1c6d813e99f80c51595388e03c931
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE, EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  pid | process
  3768 | EXCEL.EXE
  3180 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WINWORD.EXE
  description | pid | process
  Token: SeAuditPrivilege | 3180 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  pid | process | occurrences
  3768 | EXCEL.EXE | 12
  3180 | WINWORD.EXE | 4
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WINWORD.EXE
  description | pid | process | target process
  PID 3180 wrote to memory of 5032 | 3180 | WINWORD.EXE | splwow64.exe
  PID 3180 wrote to memory of 5032 | 3180 | WINWORD.EXE | splwow64.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (child process)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DA88D834-FDBC-414D-A882-B3EBDB2FC925
  Filesize: 146KB
  MD5: 6b9ff343d92272c83e1062bd9dbb37a4
  SHA1: f5aca07a4eb2b23a355eba4455f0acb94671d7ec
  SHA256: 448ca76032eae07f4be3b75529ca26fb10b9dd35e836b7b444bd039eb1bb1072
  SHA512: f0dea23996debd4f7d7fbf853de9da2354567ef12445835ab66ff186f03b4adcc4b4bcdaa5114a3b55d14c2b54de570132c9ebb85b9337ebf2236c040a98c53b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8SYI24T6\receipt[1].doc
  Filesize: 20KB
  MD5: 8531e389071583bf24756116a1770018
  SHA1: e99795a4a4cf509a4d8efec6c573e3be4b3477db
  SHA256: 4aa2cd3f90eb232a9ea09d5e49fa1b94a038313bb482faecd2961778174f8e88
  SHA512: c117d141b0d03da382b10ba567532dc3b6d9768f5bc71193da6ebec0b47cc030bdfd0ef7d0a110c28daacc2d6be2a723de0001476104503ae66089a864bb5fe0
- memory/3768-130-0x00007FFC2A490000-0x00007FFC2A4A0000-memory.dmp (Filesize: 64KB)
- memory/3768-131-0x00007FFC2A490000-0x00007FFC2A4A0000-memory.dmp (Filesize: 64KB)
- memory/3768-132-0x00007FFC2A490000-0x00007FFC2A4A0000-memory.dmp (Filesize: 64KB)
- memory/3768-133-0x00007FFC2A490000-0x00007FFC2A4A0000-memory.dmp (Filesize: 64KB)
- memory/3768-134-0x00007FFC2A490000-0x00007FFC2A4A0000-memory.dmp (Filesize: 64KB)
- memory/3768-135-0x00007FFC28140000-0x00007FFC28150000-memory.dmp (Filesize: 64KB)
- memory/3768-136-0x00007FFC28140000-0x00007FFC28150000-memory.dmp (Filesize: 64KB)
- memory/5032-146-0x0000000000000000-mapping.dmp