7714602b44e30e482f50789f308caf60998c93d667ada525934f104ec4bbf8a1

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2023 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8eedd013827b960eee4c0ae07ae5513.docm
Size

351KB
MD5

b8eedd013827b960eee4c0ae07ae5513
SHA1

7c8a8f64ff3367238e1d963d090a99c33677f011
SHA256

8cfa170eb8271b0dc1e27b6792400161b0b8ab7ac49f4a88017bbcfe588d2d1f
SHA512

78fcabd81473f8d51699a8e97e00e5cdfe107fbb3f8c3da3ceac6cf994d71fd280b5d24292947d293621c62adda0031fdc86dc609a75a237572b2203d237d7c0
SSDEEP

6144:lW7fmlEskwkftlYoqDQX+++eUnG1Cg2KyS6g6ixSXprHMqy:lW7OKskwMlED+UnG1f2KySciMXprFy

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3464	900	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3836	4844	rundll32.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4988 WINWORD.EXE
4988 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

4988 WINWORD.EXE
4988 WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXE

pid	process
4988	WINWORD.EXE
4988	WINWORD.EXE
4988	WINWORD.EXE
4988	WINWORD.EXE
4988	WINWORD.EXE
4988	WINWORD.EXE
4988	WINWORD.EXE
4988	WINWORD.EXE
900	EXCEL.EXE
900	EXCEL.EXE
900	EXCEL.EXE
900	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXE

description	pid	process	target process
PID 4988 wrote to memory of 576	4988	WINWORD.EXE	splwow64.exe
PID 4988 wrote to memory of 576	4988	WINWORD.EXE	splwow64.exe
PID 900 wrote to memory of 3464	900	EXCEL.EXE	rundll32.exe
PID 900 wrote to memory of 3464	900	EXCEL.EXE	rundll32.exe
PID 4844 wrote to memory of 3836	4844	EXCEL.EXE	rundll32.exe
PID 4844 wrote to memory of 3836	4844	EXCEL.EXE	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b8eedd013827b960eee4c0ae07ae5513.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4260

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\programdata\data.dll,Main 4260
2⤵
- Process spawned unexpected child process
PID:3464

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\programdata\data.dll,Main 4260
2⤵
- Process spawned unexpected child process
PID:3836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\23C7971B-0F78-4B48-9217-E79EB3334882
Filesize
153KB

MD5
e4ef5d75f4a54cc007b4cdf1efb49a79

SHA1
f5aeb66d30d38a637f6a30614cf0827f5292377f

SHA256
86ee20f1f7fda02748af510844bd0430de00b877b4e07923509340d5e755aa00

SHA512
48251118945b71a450e18ec38d68de7789e54075d5913a6deb5a29f80d0e0cf4a3025d4ab8f908e2ed0b6a2ddbaa7b12198966b4184ebfeef5e2de848e8065b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
325KB

MD5
299c52fb8bc7aec7106319bf5083f09f

SHA1
3b387cac52fcfd4eca17b9e85966b225580a8ff8

SHA256
88af5c74a270541d3842a1c2fbdffaf9da4514501e2cae294d9f6084f6cc1610

SHA512
de68fc7b71c727937bdc2404a03c9d9a54aa1f21f46a4a3d660c34b390331a7b0d223159bedefbe0c0fbe6f0ec18b18a9704de62f016bcbe263b624f9c7467d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
Filesize
4KB

MD5
f138a66469c10d5761c6cbb36f2163c3

SHA1
eea136206474280549586923b7a4a3c6d5db1e25

SHA256
c712d6c7a60f170a0c6c5ec768d962c58b1f59a2d417e98c7c528a037c427ab6

SHA512
9d25f943b6137dd2981ee75d57baf3a9e0ee27eea2df19591d580f02ec8520d837b8e419a8b1eb7197614a3c6d8793c56ebc848c38295ada23c31273daa302d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1571599D.wmf
Filesize
370B

MD5
c4309ccb7f67f38be21b9c5543eefe98

SHA1
26af97188fe3b97fc4af897ee380a72065f26647

SHA256
9cd08daba0b1a72f512a6f9be3cb835147f7525d44cd877af57a1f6207ac1827

SHA512
50f23a5ca70812a7b5cddc72a3bd930822fff4a7486b9956092ab991cf4ffb13d1293fd7d537699094cafb0d9bbc55cb2c1e095b39ec37218c1a44acb463f25e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2DB011FB.wmf
Filesize
370B

MD5
3dbccd71982ca9e6aa5c7ea7c1ad6653

SHA1
74284651cebb74c3df443fd7413381103e31f271

SHA256
04785e8f3a169f82be9a0af1651fcc4617467200476f3fbf460319984f3eef08

SHA512
ce2f12807892019cfdd13ecd1376590b7ffeac95738ecc8a023b439aa3d15bc8031c94d12aa8ce6799858c5a712ff122896343f85e7fd5145fbd214308e5ed24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\38F8FA6B.wmf
Filesize
370B

MD5
458c9ef888c332a6de48f07ae4d2b2e1

SHA1
53d6ce9dd35274c163b07af001b232421f22002d

SHA256
8a97f45da1cae1500e52f4ec7035522ea26d7be8f9f93b723a41c63fa4b49440

SHA512
bb71f2b805fc25645f1bd1347d0226bda313e6b3140da584a4dba39966a351ee1681a0be65c95bc7df983339bbd54f323f0a74a7f6f52685e75fdefbfd11100e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A9DEBC0.wmf
Filesize
370B

MD5
a8d75a48cce5416cc0fd96937282bafa

SHA1
fb43813b8f369b762823cbb90917970b1ffbab63

SHA256
b986cde283596474678ab49fa2145ee2e8564d8a3c63c2ebc0b28efc647a2d23

SHA512
287114c527ab5bb8450bd574c0c052d03d0f56a7e66fc21e3679bdf9786c630c9dd6cbac68dfbc12337460c81f54678f36d5f40c08184194a82b4a2a11c972e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\451307CE.wmf
Filesize
370B

MD5
74eb91c8c94e6908b4e5cb9621bc2afa

SHA1
1d8bb526ba0adfd958cf0f7954cf1f98d5c0bc49

SHA256
ad7a16b7e0cbb679aad580ead82defd202aa7e00d73bdd6b818a0a688fdcfabe

SHA512
66f2e54052f2758f042eb1ddeb91f67aa11dbd155224415003ca3b6afb5c8f8df887d9812b544f63a64f9ca7f617d5f8aff0fe3a17f9a137c679790899fb5c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\560EB28D.wmf
Filesize
528B

MD5
da2b72538fbc99038678ebc3d6270a8b

SHA1
8f7ec31f4d96db801f85fdda3e2ce00650fdc4df

SHA256
58128479c5fde1401d37ad7e5389ac16c8961984dd1dcf1b0b7cf87642d52ade

SHA512
fa46e98c5ba85ef6a894f325bdaad2f29621620f8c243d5896b7779a818d9da98358aca6d93de2f68bb03a356652b3f86a48297fd6baebcb66212fb76b8cf4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\692F85BC.wmf
Filesize
370B

MD5
a2c85259d4b082de9c22528491c64d7d

SHA1
4ff63a581c2b85fdccc9d58a44ec90823c3b31fb

SHA256
e8f14efba5be5d66eae9cabec07f83d8716bef288088f45693eaedad62e67c74

SHA512
8cc0029d1cd65f996393752e4b2a237f3a6087f9d988415418d8a74825ad91a46942d1d82911d10083fd9b176e7e189ee545a40d17b6ff3b8aa781fa10029bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8CDE5970.wmf
Filesize
370B

MD5
a2945b46d1d48431952e00204fa76710

SHA1
e962f7a16369d55d9d9bfc2dcc4c9efa0e3a17ce

SHA256
dba9cbbf67cd93cf6754c96ec83d085d94140e352c85094002e907da5c505fb5

SHA512
9a5f7edbf12b656bcf87b3713375a3bccfed0d7ac2531fa65ad99b05ab76ec999258103e025add4bc75147ecedffc31635466fbbc20f77b5f268704f9f82277f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8F8451AF.wmf
Filesize
370B

MD5
33b19ea5835c7edd76d29d573b3b5442

SHA1
d8fb86e60e44a23d825f4cd3d2dc25d99d51ec81

SHA256
a965d70fa60702d5c13a3b9e026b2cc1e2aefc9edb5a17799d6a8728e2da8b6a

SHA512
83a9ecbf91e252d606f5bda28a22e7d757c02bbc9278041b570e794467eca80c926fcfcbea9c307ad6a2020085a3cd7500f9b8d83bad2dfed91d8a542a4870b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\97AE9568.wmf
Filesize
392B

MD5
78eab2dd546d608523c5e212055bd1c3

SHA1
ade7feeb9fd674ede8ef3e555df4ab5d8647ae4c

SHA256
8ab7b9d396510566d151e437d1f1815242515c65dda0bbe4f2313dee888013ef

SHA512
32e6ed1c4e635d4a323de7a3acb49757b57af6d43e8421983d3856825d5e594db05eda6cacdccc0e527d2a11ae8a0528666f84cddf0bbec3b5eb79e9034efd20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A787950C.wmf
Filesize
370B

MD5
bc4b895af3cb464cbe49dc2ee99d54aa

SHA1
d4c412a48f7b82187cac73ed7f7299efa909f707

SHA256
47f4ceca4529f85d00393e326594e7d8505ba523e1af7b580ec9cc88bb4e4533

SHA512
63e22ea80934436f2e63e83d391b746988bd0ec53808ea876742ff0cc64d62bc9dc0c70c816e1cca36f48aa5e619d67c8e1fb34e014363ffbbb8e173237b46e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BD17B332.wmf
Filesize
392B

MD5
7437fbc64db05751b20a4e7a4ea9a76c

SHA1
dfb90e859982d8f5ecbb952535e35f6a27618c94

SHA256
00c9ccf0e889abc97990978c79b1b17aa5971081222d0f7904ce6edfafe8546b

SHA512
fc415d11623e3d389a7b77564275ebfbfb1d2156487eee0c01018fd46f40b30c2b1a58196791171578656446b11a6a3fa2a0942af453a9acd290ee4828313026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DAB086.wmf
Filesize
392B

MD5
f7e9f7f5109ea22ce21d750a2bd386cc

SHA1
b1409215fe34fe44a9ae738cdae886dc4c164b99

SHA256
2dc3ed26ec0cabef91c74e3397f78e81ec4223a3cd8960db6df667505ebac3e7

SHA512
7f8925aafa39d6d7c856bae04b1054d5eab92faee6742091b6686527a5a113f9c9ed67f3057937fa04474982706c090818375578ff7a2ba751e57f94f6f2eb32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EBB378C1.wmf
Filesize
370B

MD5
98f261b06708ec1aa8e2296752da8007

SHA1
f94ee17b5d6a04d87ea57dfeb47ea844835c6eb6

SHA256
b9d6f9bd21c78ebd4f400ce57a5560e13a1ffd4ca732b16ad6ee5cf6bdb4f287

SHA512
5b42d019c0c5a4c20cdf5237b59d9c4d8d8d2fc33e1beec69e60bce16fe45b4860d2c30d0f8557b0fcd0b61496c6e7078e331175856f9b7ff1a9597de5a7b44d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\c:\programdata\data.dll
Filesize
469B

MD5
8a79fc328fcb9d89f90b2029a11bddbd

SHA1
61bff3612fd2991e195f1f65522e4507fa6b467f

SHA256
eef948e1d511bd86ff673f904bf0a97106d5395f0b7ed2cfb043da7ccc6ca6dd

SHA512
8e0a23c92e1923422388e358c67b68007575a5b65a32f0ee846df7bcc1a598e8ffbdb83d90eabd6541f245d43660fadec3b65cd80198cae7c0c9c9a9df702190

Download Submit
memory/900-823-0x00007FF991070000-0x00007FF991080000-memory.dmp

Filesize
64KB

Download
memory/900-822-0x00007FF991070000-0x00007FF991080000-memory.dmp

Filesize
64KB

Download
memory/900-817-0x00007FF991070000-0x00007FF991080000-memory.dmp

Filesize
64KB

Download
memory/900-821-0x00007FF991070000-0x00007FF991080000-memory.dmp

Filesize
64KB

Download
memory/4988-411-0x0000021FC33A0000-0x0000021FC35A0000-memory.dmp

Filesize
2.0MB

Download
memory/4988-137-0x00007FF991070000-0x00007FF991080000-memory.dmp

Filesize
64KB

Download
memory/4988-136-0x00007FF991070000-0x00007FF991080000-memory.dmp

Filesize
64KB

Download
memory/4988-135-0x00007FF991070000-0x00007FF991080000-memory.dmp

Filesize
64KB

Download
memory/4988-134-0x00007FF991070000-0x00007FF991080000-memory.dmp

Filesize
64KB

Download
memory/4988-138-0x00007FF98E9A0000-0x00007FF98E9B0000-memory.dmp

Filesize
64KB

Download
memory/4988-139-0x00007FF98E9A0000-0x00007FF98E9B0000-memory.dmp

Filesize
64KB

Download
memory/4988-133-0x00007FF991070000-0x00007FF991080000-memory.dmp

Filesize
64KB

Download
memory/4988-235-0x0000021FC33A0000-0x0000021FC35A0000-memory.dmp

Filesize
2.0MB

Download