fae3d2cb5534a8614ceb2c9101939ef6146e94bf204bafc4f8cda572664a5f05

General

Target

MV T SYMPHONY.xlsx
Size

282KB
MD5

1c49263fddb5f345067a8daf75e587fa
SHA1

fd1c55d9b6a4fa0718395548788097b9cafd6799
SHA256

fae3d2cb5534a8614ceb2c9101939ef6146e94bf204bafc4f8cda572664a5f05
SHA512

be97f4f2a335c8eb258f457e9dfbc608bbd6067830a8ee1b0277dd060455a61071957f7b0e86bea63c074ce3e52567db28a25f0528505b0d8e0a276b8ee5b765
SSDEEP

6144:ZJEIzKW6L0lYEokLp5TDMWxcmdUxM8dx/Xtg9dhfmjyX7ACrbl:7EIzZ+iSAp5vzYXPS9dh+xCvl

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2028	EXCEL.EXE
4792	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4792	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2028	EXCEL.EXE
2028	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2028	EXCEL.EXE
2028	EXCEL.EXE
2028	EXCEL.EXE
2028	EXCEL.EXE
2028	EXCEL.EXE
2028	EXCEL.EXE
4792	WINWORD.EXE
4792	WINWORD.EXE
4792	WINWORD.EXE
4792	WINWORD.EXE
2028	EXCEL.EXE
2028	EXCEL.EXE
2028	EXCEL.EXE
2028	EXCEL.EXE
2028	EXCEL.EXE
2028	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 4608	4792	WINWORD.EXE	83
PID 4792 wrote to memory of 4608	4792	WINWORD.EXE	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\MV T SYMPHONY.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
471B

MD5
aaf21867a7f0dc07edc4035c1a4b5aee

SHA1
03141ac96ce1155483596a0cae73d5cb3e41fa1a

SHA256
51ab191bff0d79632fc20199f7eac3a75ba3d39ba24a14940b2c743d0b90c260

SHA512
87d0bba91f42e146db6fde1a16697e855aea62460d8dd827434d85d77a7307b8c9a749c7fd893cb936ba770658bfcc83f1444e8c8a72e4c895e40972bf09e01a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
412B

MD5
aa05a5436c5beb4873a471c3172d89b7

SHA1
de6e74211bf19385d3e9e90ae559700795d21e00

SHA256
3f1fedd308a36866ae8208f8dd94c8cb5abe6069414c4af82072adbdb2a2a05a

SHA512
1a0d4eddc81f426f50bc0429b23740813f6a31a279a8ed3ce44bafcd7c70b8a479331ae4612808c0956cdd6c25d3ac01b548384f4ef002b703d50a366c820e26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JXO1ZP0L\qiiiiiiqiiii##################################qiqiqiqi[1].doc

Filesize
28KB

MD5
1dcdb9e238b956e5768b2367fc310a70

SHA1
6e96e094f6098f3224b1aa0707b94b4863240072

SHA256
9f017be23619d836a704478a2b1a31cfb60e4b6fc40e8e94ffde205bc195e963

SHA512
ceb0c59fa2423a5b959315657ce3fc476d3581e997409694269a838c61b0586227e5e8cc06b10a388a51e29dda156bea86e157c731bc0e0aaccb0f6dd0a3715f

Download Submit
memory/2028-133-0x00007FF84D990000-0x00007FF84D9A0000-memory.dmp

Filesize
64KB

Download
memory/2028-134-0x00007FF84D990000-0x00007FF84D9A0000-memory.dmp

Filesize
64KB

Download
memory/2028-135-0x00007FF84D990000-0x00007FF84D9A0000-memory.dmp

Filesize
64KB

Download
memory/2028-136-0x00007FF84D990000-0x00007FF84D9A0000-memory.dmp

Filesize
64KB

Download
memory/2028-137-0x00007FF84D990000-0x00007FF84D9A0000-memory.dmp

Filesize
64KB

Download
memory/2028-138-0x00007FF84B780000-0x00007FF84B790000-memory.dmp

Filesize
64KB

Download
memory/2028-139-0x00007FF84B780000-0x00007FF84B790000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads