Analysis
max time kernel: 147s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/05/2023, 11:35
Static task
static1
Behavioral tasks
behavioral1: MV T SYMPHONY.xlsx on win7-20230220-en
behavioral2: MV T SYMPHONY.xlsx on win10v2004-20230220-en
behavioral3: decrypted.xlsx on win7-20230220-en
behavioral4: decrypted.xlsx on win10v2004-20230220-en
This page reports behavioral4 (decrypted.xlsx on the win10v2004-20230220-en resource); the other three tasks are listed for reference only.
General
Target: decrypted.xlsx
Size: 273KB
MD5: b02688382e3717cb72d564ba99e5fade
SHA1: 3a3ea7347b6bf46199be3641c3ded990f05f8dab
SHA256: d471563f99a869932ca9b383e00c609c1dbcf07528b0a5d76535d49623c30696
SHA512: f9f6263d0c6d832271e9fb41622530aa0a49d23d7acf280920ab95517e260476c03b675f0c7f10ee69d33249edf231d58ed56c24145bd9bebceba72650cafd79
SSDEEP: 6144:xTnG7OC2gAjuSbCsLyMtqcY874dVTSRqU10EWz2/sSGhtjk+xD:xTnC2CSbp1p74dVQrmAgjjD
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments. Office itself reads these keys on a normal start, so the reads below are a weak signal on their own and carry weight only together with the other behaviour in this report.
description        ioc                                                                                   Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Enumerates system info in registry (2 TTPs, 6 IoCs)
description        ioc                                                          Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid   Process
4432  EXCEL.EXE
4968  WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeAuditPrivilege  4968  WINWORD.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process    hits
4432  EXCEL.EXE  2
Suspicious use of SetWindowsHookEx (16 IoCs)
pid   Process      hits
4432  EXCEL.EXE    12
4968  WINWORD.EXE  4
Suspicious use of WriteProcessMemory (2 IoCs)
description                        pid   Process      procid_target
PID 4968 wrote to memory of 4220   4968  WINWORD.EXE  88
PID 4968 wrote to memory of 4220   4968  WINWORD.EXE  88
PID 4220 is splwow64.exe (see Processes), the print driver host that Office starts itself. WINWORD.EXE writing into it is also seen when benign documents are opened and is not, by itself, evidence of code injection.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No IoC rows are attached to this signature, so the report does not attribute it to a process or show a task being created.
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. As with the Task Scheduler signature, neither VSS signature carries IoC rows, so the report does not say which process touched the service or what it did with it.
Processes
EXCEL.EXE (PID 4432)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
WINWORD.EXE (PID 4968)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  splwow64.exe (PID 4220), child of WINWORD.EXE
    Command line: C:\Windows\splwow64.exe 12288
svchost.exe (PID 1844)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Reading the tree: Word was not started as a child of Excel. The -Embedding switch is what COM passes when it activates a registered local server, so WINWORD.EXE was launched by the COM service control manager on Excel's behalf, which is why it sits at the top level rather than under EXCEL.EXE. That is the pattern for a workbook carrying an embedded or linked Word object, and a detection keyed on EXCEL.EXE being the direct parent of WINWORD.EXE would miss it. splwow64.exe is the print driver host that Office starts on its own, and the PrintWorkflow svchost is a Windows printing service; neither is a sign that the document ran a payload.
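The detection logic a SOC would want for this tree, as an added example that is not part of the sandbox report or any vendor's rule set. It replays the processes and registry reads above as constructed records, fires on the -Embedding COM activation and on any non-printing child of an Office app, and attaches the registry fingerprint reads and the splwow64.exe child only as weak context. The record layout (pid/ppid/image/cmdline and pid/key), the parents assumed for the top-level processes, and the extra cmd.exe record used to show a real child are all assumptions, not data from the report.

```python
# Added example, not taken from the sandbox report or from any vendor's
# detection content.  It replays the process tree and registry reads listed
# above as constructed records and scores them per process.  The record layout
# (pid/ppid/image/cmdline, pid/key) is an assumption, not a real EDR schema.
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Office launches the print-driver host itself; this child is expected noise.
PRINT_HELPERS = {"splwow64.exe"}
# Keys the report flags as sandbox fingerprinting.  Office reads them on a
# normal start too, so a read on its own is only a weak signal.
FINGERPRINT_KEYS = (
    r"\registry\machine\hardware\description\system\centralprocessor\0",
    r"\registry\machine\hardware\description\system\bios",
)


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyse(procs, regs):
    """Return {pid: [findings]} for processes with at least one strong finding;
    weak findings are attached only to those processes."""
    by_pid = {p.pid: p for p in procs}
    strong, weak = {}, {}
    for p in procs:
        name = image_name(p.image)
        parent = by_pid.get(p.ppid)
        parent_name = image_name(parent.image) if parent else ""
        # Office app started as an out-of-process COM server.  The launcher is
        # the COM service host, not the Office app that requested the object,
        # so a parent/child rule on EXCEL.EXE -> WINWORD.EXE would never fire.
        if name in OFFICE_APPS and "-embedding" in p.cmdline.lower():
            strong.setdefault(p.pid, []).append(
                f"{name} started with -Embedding (COM activation)")
        # Children of an Office app, split into expected helpers and the rest;
        # the finding is attached to the Office parent that spawned them.
        if parent_name in OFFICE_APPS and name not in OFFICE_APPS:
            bucket = weak if name in PRINT_HELPERS else strong
            bucket.setdefault(p.ppid, []).append(f"{parent_name} spawned {name}")
    for r in regs:
        if r.key.lower().startswith(FINGERPRINT_KEYS):
            weak.setdefault(r.pid, []).append(f"fingerprint key read: {r.key}")
    return {pid: items + weak.get(pid, []) for pid, items in strong.items()}


# Constructed from the tree in this report.  Parents of the top-level entries
# (explorer.exe, svchost -k DcomLaunch) are assumptions; the report omits them.
PROCS = [
    ProcEvent(3000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(900, 1, r"C:\Windows\system32\svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(4432, 3000, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx"'),
    ProcEvent(4968, 900, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding'),
    ProcEvent(4220, 4968, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(1844, 1, r"C:\Windows\system32\svchost.exe",
              "svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc"),
    # Constructed extra record, NOT in this report, to show a non-helper child.
    ProcEvent(5100, 4968, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]
REGS = [
    RegEvent(4432, r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"),
    RegEvent(4432, r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"),
    RegEvent(4968, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    RegEvent(4968, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
]

if __name__ == "__main__":
    for pid, findings in analyse(PROCS, REGS).items():
        print(pid)
        for f in findings:
            print("  ", f)
```

With the report's own records, only WINWORD.EXE (4968) is reported: its -Embedding start is the strong finding, and the splwow64.exe child plus the two fingerprint reads ride along as context. EXCEL.EXE has only weak findings and is dropped, which is the intended behaviour for reads that Office performs on every start. Remove the constructed cmd.exe record and the result is the same minus that one line.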
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
  Filesize: 471B
  MD5: f3aed731e8e3ac81138b3d67d027b1f8
  SHA1: 4187ff6ba4a3c1ccda4af1b0c2026974b3fea432
  SHA256: 7574043812c0ea984f4be4ab0018a1bcb6c2e6a04c517287a2e0d64a1096d078
  SHA512: 64a75f37df9141b5b4df99e2fce15a4147ed7fc9f06e65b28287e3588710cdba2712cc75ebab1157a47f71cadafea68e84a90c0879c84ad4fa870200bf374041
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
  Filesize: 442B
  MD5: 8c72fa4586915b07b77cf2ea6b00c777
  SHA1: 056eca85bd8b9fd6e916fa050f6c37e0411cea2b
  SHA256: 2647bddc9d1851005d211112d7cedf5ef8628306752f5bd25411ccc2fa5b7ede
  SHA512: ae20456ceaa94735aa9971c47fd24495edecb0c38620ca2788cdc2482e7c761590af43a2bdef6c387063addd2291787eaa95ed454044e86dbc948ccbb06669fa
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\qiiiiiiqiiii##################################qiqiqiqi[1].doc
  Filesize: 28KB
  MD5: 1dcdb9e238b956e5768b2367fc310a70
  SHA1: 6e96e094f6098f3224b1aa0707b94b4863240072
  SHA256: 9f017be23619d836a704478a2b1a31cfb60e4b6fc40e8e94ffde205bc195e963
  SHA512: ceb0c59fa2423a5b959315657ce3fc476d3581e997409694269a838c61b0586227e5e8cc06b10a388a51e29dda156bea86e157c731bc0e0aaccb0f6dd0a3715f

The two CryptnetUrlCache entries are CryptoAPI's cache of certificate chain or revocation data fetched while validating a certificate over the network; they confirm an outbound fetch took place but are not attacker-controlled content. The INetCache entry is the document WinINet cached for Word: a 28 KB .doc retrieved over the network while an .xlsx was being opened. The "[1]" before the extension is WinINet's cache naming, not part of the name the server supplied. This file and its hashes are the artifact to pivot on.
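The static check that explains a download like this one, as an added example that is not part of the report: unzip the workbook and list every package relationship whose TargetMode is External, separating OLE and template links (which make Office fetch and open another document without a click) from ordinary hyperlinks. That this sample reaches Word through such a link is an assumption drawn from the -Embedding launch and the cached .doc; the script checks whatever package it is given. The workbook it builds is constructed sample data, deliberately minimal, not the analysed file, and the example.invalid URLs are placeholders.

```python
# Added example, not from the report.  Unzips an .xlsx and lists every
# package relationship whose TargetMode is External, separating OLE/template
# links (which make Office fetch and open another document) from hyperlinks.
# Whether this sample uses such a link is an assumption drawn from the
# -Embedding launch and the cached .doc; the workbook built below is
# constructed sample data, deliberately minimal, not the analysed file.
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types whose external target Office resolves as a document/object.
OBJECT_TYPES = {"oleObject", "package", "attachedTemplate", "frame", "subDocument"}


def external_relationships(xlsx_bytes: bytes):
    """Return (rels_part, short_type, target) for each External relationship
    in any .rels part of the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((part, short_type, rel.get("Target", "")))
    return found


def triage(xlsx_bytes: bytes):
    """Classify external relationships: 'object' links are the ones worth
    pulling and hashing; plain hyperlinks only open on user click."""
    rows = []
    for part, short_type, target in external_relationships(xlsx_bytes):
        if short_type in OBJECT_TYPES:
            kind = "object"
        elif short_type == "hyperlink":
            kind = "hyperlink"
        else:
            kind = "other"
        rows.append((kind, part, short_type, target))
    return rows


def build_sample_xlsx() -> bytes:
    """Constructed minimal package: one sheet with an OLE object whose
    relationship points at a remote .doc, plus a hyperlink and an internal
    drawing relationship that must not be flagged."""
    sheet = (
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheetData/><oleObjects><oleObject progId="Word.Document.12" r:id="rId1" '
        'shapeId="1025"/></oleObjects></worksheet>'
    )
    od = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    sheet_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{od}oleObject" '
        'Target="http://example.invalid/template.doc" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{od}hyperlink" '
        'Target="https://example.invalid/" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{od}drawing" Target="../drawings/drawing1.xml"/>'
        '</Relationships>'
    )
    root_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{od}officeDocument" Target="xl/workbook.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("_rels/.rels", root_rels)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", sheet_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for row in triage(build_sample_xlsx()):
        print(*row)
```

On a real submission call `triage(open(path, "rb").read())`. A workbook protected with a document password is an OLE compound file rather than a zip, so zipfile raises BadZipFile on it; the separate decrypted.xlsx task in this report suggests that step had already been taken before analysis. The internal drawing relationship in the sample is there to show that only TargetMode="External" entries are reported.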