fae3d2cb5534a8614ceb2c9101939ef6146e94bf204bafc4f8cda572664a5f05

General

Target

decrypted.xlsx
Size

273KB
MD5

b02688382e3717cb72d564ba99e5fade
SHA1

3a3ea7347b6bf46199be3641c3ded990f05f8dab
SHA256

d471563f99a869932ca9b383e00c609c1dbcf07528b0a5d76535d49623c30696
SHA512

f9f6263d0c6d832271e9fb41622530aa0a49d23d7acf280920ab95517e260476c03b675f0c7f10ee69d33249edf231d58ed56c24145bd9bebceba72650cafd79
SSDEEP

6144:xTnG7OC2gAjuSbCsLyMtqcY874dVTSRqU10EWz2/sSGhtjk+xD:xTnC2CSbp1p74dVQrmAgjjD

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4432	EXCEL.EXE
4968	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4968	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4432	EXCEL.EXE
4432	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4432	EXCEL.EXE
4432	EXCEL.EXE
4432	EXCEL.EXE
4432	EXCEL.EXE
4432	EXCEL.EXE
4432	EXCEL.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE
4968	WINWORD.EXE
4432	EXCEL.EXE
4432	EXCEL.EXE
4432	EXCEL.EXE
4432	EXCEL.EXE
4432	EXCEL.EXE
4432	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4220	4968	WINWORD.EXE	88
PID 4968 wrote to memory of 4220	4968	WINWORD.EXE	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4432

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
f3aed731e8e3ac81138b3d67d027b1f8

SHA1
4187ff6ba4a3c1ccda4af1b0c2026974b3fea432

SHA256
7574043812c0ea984f4be4ab0018a1bcb6c2e6a04c517287a2e0d64a1096d078

SHA512
64a75f37df9141b5b4df99e2fce15a4147ed7fc9f06e65b28287e3588710cdba2712cc75ebab1157a47f71cadafea68e84a90c0879c84ad4fa870200bf374041

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
8c72fa4586915b07b77cf2ea6b00c777

SHA1
056eca85bd8b9fd6e916fa050f6c37e0411cea2b

SHA256
2647bddc9d1851005d211112d7cedf5ef8628306752f5bd25411ccc2fa5b7ede

SHA512
ae20456ceaa94735aa9971c47fd24495edecb0c38620ca2788cdc2482e7c761590af43a2bdef6c387063addd2291787eaa95ed454044e86dbc948ccbb06669fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\qiiiiiiqiiii##################################qiqiqiqi[1].doc

Filesize
28KB

MD5
1dcdb9e238b956e5768b2367fc310a70

SHA1
6e96e094f6098f3224b1aa0707b94b4863240072

SHA256
9f017be23619d836a704478a2b1a31cfb60e4b6fc40e8e94ffde205bc195e963

SHA512
ceb0c59fa2423a5b959315657ce3fc476d3581e997409694269a838c61b0586227e5e8cc06b10a388a51e29dda156bea86e157c731bc0e0aaccb0f6dd0a3715f

Download Submit
memory/4432-133-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download
memory/4432-135-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download
memory/4432-134-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download
memory/4432-136-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download
memory/4432-137-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download
memory/4432-138-0x00007FFC89DB0000-0x00007FFC89DC0000-memory.dmp

Filesize
64KB

Download
memory/4432-139-0x00007FFC89DB0000-0x00007FFC89DC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads