4da0fa732b3cb2b77f92db9ed169eae7606d5646aa38dbaf9667565556b3e223

General

Target

decrypted.xlsx
Size

35KB
MD5

3910d5d3b292f25def60bb76fbf17f9a
SHA1

0f0fbab3541b7f82cf95f207293a5c0e1935f115
SHA256

1edcbce9fb67ee7b09caf7a75f2f5d55ef61e3238d265b1e25fa78b8aaeb30e5
SHA512

dc800cbbfedf12c57128e198c9b0d662dc680cda47159753e79914d688c7de7b177d9fc9c95b46afd9379edb2976ccb538e1c6d813e99f80c51595388e03c931

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3768 EXCEL.EXE
3180 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 3180 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	3180	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3180	WINWORD.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3180	WINWORD.EXE
3180	WINWORD.EXE
3180	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3180 wrote to memory of 5032	3180	WINWORD.EXE	splwow64.exe
PID 3180 wrote to memory of 5032	3180	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3768

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:5032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DA88D834-FDBC-414D-A882-B3EBDB2FC925
Filesize
146KB

MD5
6b9ff343d92272c83e1062bd9dbb37a4

SHA1
f5aca07a4eb2b23a355eba4455f0acb94671d7ec

SHA256
448ca76032eae07f4be3b75529ca26fb10b9dd35e836b7b444bd039eb1bb1072

SHA512
f0dea23996debd4f7d7fbf853de9da2354567ef12445835ab66ff186f03b4adcc4b4bcdaa5114a3b55d14c2b54de570132c9ebb85b9337ebf2236c040a98c53b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8SYI24T6\receipt[1].doc
Filesize
20KB

MD5
8531e389071583bf24756116a1770018

SHA1
e99795a4a4cf509a4d8efec6c573e3be4b3477db

SHA256
4aa2cd3f90eb232a9ea09d5e49fa1b94a038313bb482faecd2961778174f8e88

SHA512
c117d141b0d03da382b10ba567532dc3b6d9768f5bc71193da6ebec0b47cc030bdfd0ef7d0a110c28daacc2d6be2a723de0001476104503ae66089a864bb5fe0

Download Submit
memory/3768-130-0x00007FFC2A490000-0x00007FFC2A4A0000-memory.dmp

Filesize
64KB

Download
memory/3768-131-0x00007FFC2A490000-0x00007FFC2A4A0000-memory.dmp

Filesize
64KB

Download
memory/3768-132-0x00007FFC2A490000-0x00007FFC2A4A0000-memory.dmp

Filesize
64KB

Download
memory/3768-133-0x00007FFC2A490000-0x00007FFC2A4A0000-memory.dmp

Filesize
64KB

Download
memory/3768-134-0x00007FFC2A490000-0x00007FFC2A4A0000-memory.dmp

Filesize
64KB

Download
memory/3768-135-0x00007FFC28140000-0x00007FFC28150000-memory.dmp

Filesize
64KB

Download
memory/3768-136-0x00007FFC28140000-0x00007FFC28150000-memory.dmp

Filesize
64KB

Download
memory/5032-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads