851f18390b03cfa2c1cd793a5bf6be5f5fb1255570be7092c5046147786e53df

General

Target

SP24_Invoice.xls
Size

268KB
MD5

e2d1bb1617d96816d08f5fe5009abff6
SHA1

7c70d665c3ef213c49b3f1e3cbcd6d77fcd34ff2
SHA256

851f18390b03cfa2c1cd793a5bf6be5f5fb1255570be7092c5046147786e53df
SHA512

6c18b70faace8604f776bfcff5b26c32e46014b6c115b1ade106a3ac6d602095089be0182f23db555cf6d09aef03d1943744dffb4ea82e45160c545ee97dc48c
SSDEEP

6144:DkaFJkKXiDU7w5NT/qGSHglRwfV2DiJLG6F+OdD7Rpsd9imkR:DkaFiKXK7/KglRTWLGsB7RpSsm

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2272	EXCEL.EXE
4548	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4548	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2272	EXCEL.EXE
2272	EXCEL.EXE
2272	EXCEL.EXE
2272	EXCEL.EXE
2272	EXCEL.EXE
2272	EXCEL.EXE
2272	EXCEL.EXE
2272	EXCEL.EXE
2272	EXCEL.EXE
2272	EXCEL.EXE
4548	WINWORD.EXE
2272	EXCEL.EXE
2272	EXCEL.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE
4548	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 1196	4548	WINWORD.EXE	88
PID 4548 wrote to memory of 1196	4548	WINWORD.EXE	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SP24_Invoice.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
5bf93fccb7739b955cc87520e5848d84

SHA1
64f35f47870ac2f5c79037feae7fc8aeda1a5e22

SHA256
227a6f4a9df10a772b01c576f5e3fdfee504d98e09d35401379a29dcdab1e787

SHA512
cce3047f63b5c47ce94f89fac51f92240d4f43c59b5a3d78872dfc2fd948c462c240c8d3e413761091e4c126759345f3f2a09a7dd9323181c5d0123b6b8f18ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
412B

MD5
245cfcbb3534dbd7f3ebb896e2242d00

SHA1
a539ee49d3b1ebf9809c25b42e9f9d04f356e117

SHA256
59164e3fc6b456c13df3b5ae4cf0d08fe5a7bb0c516ae9820eefad695ded2897

SHA512
4b23eb73fce1a7c86460b845d27697d33ee35ca2b1a9f434caa174cd3e18d7d300ce336d72de95d3a76512b4d6dda37b2c13cf42f86222bf04c4eefb4a6cced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\iiiiiiiiiiiiiiiiiii###############################################iiiii[1].doc

Filesize
28KB

MD5
f01309c8d6e72a17d4458a7cade1d8d3

SHA1
f65195d048707d6b63a9304cdcd7a08dc9a06fd2

SHA256
3e6dbd69f52784032708459dafc3f8a6c31c8b8aefcfe46cdb0a0f10c408ba2e

SHA512
5ad2964d0b585ad74e922723f4ff4ec6a65407466fc90bb30e5969bb324bee29ec681e76f83fbacba6949ced99b34ae6c52e9b1aa4470fa3086a29f9218dbf8c

Download Submit
memory/2272-136-0x00007FFAB04F0000-0x00007FFAB0500000-memory.dmp

Filesize
64KB

Download
memory/2272-137-0x00007FFAB04F0000-0x00007FFAB0500000-memory.dmp

Filesize
64KB

Download
memory/2272-138-0x00007FFAADBE0000-0x00007FFAADBF0000-memory.dmp

Filesize
64KB

Download
memory/2272-140-0x00007FFAADBE0000-0x00007FFAADBF0000-memory.dmp

Filesize
64KB

Download
memory/2272-133-0x00007FFAB04F0000-0x00007FFAB0500000-memory.dmp

Filesize
64KB

Download
memory/2272-135-0x00007FFAB04F0000-0x00007FFAB0500000-memory.dmp

Filesize
64KB

Download
memory/2272-134-0x00007FFAB04F0000-0x00007FFAB0500000-memory.dmp

Filesize
64KB

Download
memory/4548-205-0x00007FFAB04F0000-0x00007FFAB0500000-memory.dmp

Filesize
64KB

Download
memory/4548-206-0x00007FFAB04F0000-0x00007FFAB0500000-memory.dmp

Filesize
64KB

Download
memory/4548-207-0x00007FFAB04F0000-0x00007FFAB0500000-memory.dmp

Filesize
64KB

Download
memory/4548-208-0x00007FFAB04F0000-0x00007FFAB0500000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads