1ce46f86a092a55271cc028739981ea665f13482a9b8361959a0c8a70c626e4e

General

Target

1ce46f86a092a55271cc028739981ea665f13482a9b8361959a0c8a70c626e4exls_JC.xls
Size

444KB
MD5

de2866f237dbf0a2b85e26d80c56279b
SHA1

f717129b1873e90e78173794e51ee056fb0dd342
SHA256

1ce46f86a092a55271cc028739981ea665f13482a9b8361959a0c8a70c626e4e
SHA512

249dec13bb83cb8b797b1cafb85b0b557b2d3cd5b090817f1a871039f7362647f8bfa19320ed8db8bbdd7b733bef18355a8117b76b1a54322cc41173aa7c8f38
SSDEEP

12288:4SwooWQmmme6v3QLQuEeArYz/4eVRFqPhvGE75S:UWQmmav30x/NVRFqJvG

Score

1^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3384	EXCEL.EXE
2548	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	2548	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3940	2548	WINWORD.EXE	88
PID 2548 wrote to memory of 3940	2548	WINWORD.EXE	88

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1ce46f86a092a55271cc028739981ea665f13482a9b8361959a0c8a70c626e4exls_JC.xls"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3384

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
6b6ce169ee26f1abda45db3b831a426e

SHA1
14c74d6c87830e91e36832f131a76c73d3d0df74

SHA256
df50b491f4afcdf7c396594bea708188345334e5a321cfab7a6b3f6ee65c494c

SHA512
432439bd7fc75121c34a843cabf277d2e6de7c66aa8e8f776ce598fb021535ebdde9452a44ec62951c8df5c4cc08f18e5f5b52eea22b0691aec553b41543784c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
3c06d9cdfafbc85b04770f52631c7991

SHA1
b80fccacf55c92b4382f7d0c2e28da7c8826aab7

SHA256
34acc6627fd2ec9b69ef2182e08b19ace7d1bd9ba3e9e2ee7a0a7d291350028c

SHA512
e10f543ada6aa43a8eaddd2d22dcbd344d0402921318dbc14a88d6eb21fcbb7e355cbb8180b5202385b9b8d1c555d30e98cdcb51637bc375a1a3bc92d1f14190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9BF8E327-FD76-4C44-AA43-F8C1DD462D0D

Filesize
156KB

MD5
a712379e08406c65ffbba5eea4816a86

SHA1
f7a1fd664884d3b6e21875142bdb9028d132f182

SHA256
e95be1a110e25d0af7ccd789160ba339fda3a6277d77344885d762a58ed2c964

SHA512
b7a32327c1cea138a565cd63126731fb64af3cbd907d30adf06696b5d1f73212317fb037b07c0c2b85b18885e19f1b3843c9cb6520cca4a78f29b93a5d432ae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5XLATO3O\Document_20022949450#[1].doc

Filesize
42KB

MD5
5c90c56d044b8660bd78f51bec0b4795

SHA1
57a3c136ff7fcb1dcd234425f882d1ccd187e308

SHA256
4367de34635c09b60a24d8575d1253aabbe878daafaa6ee0e4504d7567332e45

SHA512
e6e0be75077e9a1234a2be515e4f10ad9461ca06e0b1709727f1203d1629afddc51aa79e2e308d8f20f40e2f50398ac12179198cac9f114f098c7a85fefe83c2

Download Submit
memory/2548-189-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/2548-188-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/2548-157-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/2548-168-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/2548-167-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/2548-165-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/2548-164-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/2548-162-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/2548-161-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/2548-158-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-141-0x00007FF8E16D0000-0x00007FF8E16E0000-memory.dmp

Filesize
64KB

Download
memory/3384-140-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-149-0x00007FF8DF0E0000-0x00007FF8DF0F0000-memory.dmp

Filesize
64KB

Download
memory/3384-150-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-147-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-146-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-144-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-145-0x00007FF8DF0E0000-0x00007FF8DF0F0000-memory.dmp

Filesize
64KB

Download
memory/3384-143-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-142-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-134-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-148-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-135-0x00007FF8E16D0000-0x00007FF8E16E0000-memory.dmp

Filesize
64KB

Download
memory/3384-138-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-180-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-181-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-182-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-139-0x00007FF8E16D0000-0x00007FF8E16E0000-memory.dmp

Filesize
64KB

Download
memory/3384-137-0x00007FF8E16D0000-0x00007FF8E16E0000-memory.dmp

Filesize
64KB

Download
memory/3384-136-0x00007FF921650000-0x00007FF921845000-memory.dmp

Filesize
2.0MB

Download
memory/3384-133-0x00007FF8E16D0000-0x00007FF8E16E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing