ed3466cf064567f9810b52ded06470ec46825f17e9cc7c69756b71f9053d7a4c

General

Target

new.xls
Size

412KB
MD5

396d29748f5dbaa83f78a01831f86486
SHA1

cdf3ce7ee72966b49677430ec333dcb9f7fb8890
SHA256

ed3466cf064567f9810b52ded06470ec46825f17e9cc7c69756b71f9053d7a4c
SHA512

bdac22a605eae6fddb6c91c353c709f81c420cb98e6adbe127b01a434d7145d294c06d974144c3127b428c7393a3fccb24a7d5196a162c0f1e673804cd5a13c6
SSDEEP

12288:vaFiKXKWiWQmmme6v3QLQuEMpSCyk1k+rNti6KBqAh/j:SLKRWQmmav30xkCjeBxh

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3196	EXCEL.EXE
4000	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4000	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3196	EXCEL.EXE
3196	EXCEL.EXE
3196	EXCEL.EXE
3196	EXCEL.EXE
3196	EXCEL.EXE
3196	EXCEL.EXE
3196	EXCEL.EXE
3196	EXCEL.EXE
4000	WINWORD.EXE
3196	EXCEL.EXE
4000	WINWORD.EXE
3196	EXCEL.EXE
3196	EXCEL.EXE
4000	WINWORD.EXE
3196	EXCEL.EXE
4000	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 4856	4000	WINWORD.EXE	89
PID 4000 wrote to memory of 4856	4000	WINWORD.EXE	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\new.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3196

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
fa930c4f65e6f5d5da4d91965cb89555

SHA1
28256be098ba9cbfc82031414830fe5d063c40ef

SHA256
cfcbdcd7d7670f5daa7646b9228f0208e2aade7a6ac63c60f5027cebed91efad

SHA512
226f1b2dd7c713121d6ac14eac5731410b038ff5e685e6eacb444bece0141f8a9138216709a33b51e27933d28fa3da7782d867020385a351f4173acf2a7c13cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
c9d1578184a6e5ae35fbc91ab08a60d0

SHA1
c66253d7f4b7936a5a452f470e2fdd2acaa576b7

SHA256
d578ba25e561aa4979ec450f146a195bf850df8a65bd9391a93e28a23ee6a0ff

SHA512
7c112449fe7cb99007c201d07e03399959434892b58ef7737b209f04308ec57b7299d9a906638d799b9d468560ef14d3d7dccafd8a85e3bd973458df61764ece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DCEBD0E3-5F3A-4B77-A931-701B53F4D8F1

Filesize
152KB

MD5
e8b202b56b257864e04886e39b66bac7

SHA1
a0a0b02e82db2776d82991b7404b1ff14be2811b

SHA256
29df1ae9856da4693cdae4307fe2b7703f969d03b6c20fd576b8e047e377d901

SHA512
38c105c6225f18ac998ee8e0c2b9c9cc00330d9a04d7c6e51ffa1076844f278ad94a114558b6b8e374cbe03b719f9889ef2cbdc225b06c79d0e3dc16f5b77906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\###############################[1].doc

Filesize
17KB

MD5
e35378796dfe5bd6db6e12178247de53

SHA1
9200a573a088f801e9dbd717689188de5cb59be3

SHA256
a2776f25f2a104054e2eb82772f7a1a4ebb6c05c6dd1e9c0835908d3bca0d9bb

SHA512
23d6e42a46e554930e9b19e6ac002232e5bb7b37046cd94161d6c6554ce5f775c106101912e05349b87b9ab382abb798e16d7b64272aced370356755ce3fa5a9

Download Submit
memory/3196-133-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/3196-134-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/3196-135-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/3196-136-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/3196-137-0x00007FFC2CE10000-0x00007FFC2CE20000-memory.dmp

Filesize
64KB

Download
memory/3196-138-0x00007FFC2A730000-0x00007FFC2A740000-memory.dmp

Filesize
64KB

Download
memory/3196-139-0x00007FFC2A730000-0x00007FFC2A740000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads