dd508146ad5a649b3a7b95f241f645406052d7d7df9479246a9bb5f721505a99

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2023, 10:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Quotation.xls
Size

1.7MB
MD5

91b74843c1331a494baed98c8234bc95
SHA1

424fc6c1b33f666d8b6ad211cef14714d45aa513
SHA256

dd508146ad5a649b3a7b95f241f645406052d7d7df9479246a9bb5f721505a99
SHA512

34fee3770255c2750d43c0fd44e17fc6f17f4e91b12d3896c1093864cb62420f6bbfe6b6edb0ebd3439bf6e846d7015601620a35fc6160fbf9044cca143b96dd
SSDEEP

24576:9LQqSXdQp/XX46rg1HiA+6bvdXXXXXXXXXXXXUXXXXXXXXXXXXXXXX5XLQqSXdQ8:90XdOwBEl680XdOwBExre4ErDcF3BO

Score

1^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
996	EXCEL.EXE
3632	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3632	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
996	EXCEL.EXE
996	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
3632	WINWORD.EXE
3632	WINWORD.EXE
3632	WINWORD.EXE
3632	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 4972	3632	WINWORD.EXE	85
PID 3632 wrote to memory of 4972	3632	WINWORD.EXE	85

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Quotation.xls"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:996

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
6019dd7ce982695d726e68b902b891c6

SHA1
a83008e59325c183903ac8695ba4e46266ce7947

SHA256
a895b9851340375527899c056b3523139eb1669bf25d1384cc911e7e68339bbe

SHA512
14087d1c826c3d52bab1bf876d1596ff8b9f0d5017cb63b45d241e9fd17d918f37e62baea7983e6b79da2bf8f2e4cc868a37ed6c0ee6a22ee87b3bdc954a6d2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
e8263ed66c7b57a49af7217c259fe38b

SHA1
2e9d3843395cf7d14cadf855309e44182648acff

SHA256
c639abe7131fb14189ec67aee09e6f62826fea327fce84802160fb466ad54e44

SHA512
9ec08a2a5b1cb38671c8fc51a54abd9195a41438c3539c946af500c56d83c22be3f25a550193aa948f2c728dc2d553dd8c1d5a97ab6ca9f2b2a557f3a004b686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7F93ABFD-8CCD-4921-B133-EF373912C0A2

Filesize
156KB

MD5
89b0bee8523904c5b25ac28c66d8cef3

SHA1
0bb6f74cbf78002ed1eebf62571007a286f3069e

SHA256
a9119f55f7a246b6e53ef8fd0ea937db3a5966793e21ec05ed73e17f872236e9

SHA512
58204af12f176b974dddc2d71f3b1eec64a961cf546c416f6bc35681d440d510d05ec60c4ec0b9ca398df98db4abb4adc7bb7edbc72464ca2ba89482b0d5a794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HW3GGUK8\00000O0O0OOO0000O0OO0Oo0o00o0o000000000##############000000000##############00000000000[1].doc

Filesize
26KB

MD5
c56ab202de96a4eeee43ffbe0a8ae3c3

SHA1
db6700b75353d157c571de5bd6950f56cfc16c38

SHA256
b1efbf9bc1589f00c095291d6dfe2a869983440ca1961ddcc5ed1fd8db5a0b9b

SHA512
9e2bc312ff2f9c50ed87e77acc3597c24f2c5add09fb49cb542832997b089f4e17d601561f0bfb9e151ffb0e7cffa03ad619aa064c6c8d371bcb08f5363fc488

Download Submit
memory/996-151-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-137-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-139-0x00007FFD23330000-0x00007FFD23340000-memory.dmp

Filesize
64KB

Download
memory/996-140-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-141-0x00007FFD23330000-0x00007FFD23340000-memory.dmp

Filesize
64KB

Download
memory/996-134-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-143-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-145-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-144-0x00007FFD210D0000-0x00007FFD210E0000-memory.dmp

Filesize
64KB

Download
memory/996-146-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-147-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-148-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-149-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-150-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-152-0x00007FFD210D0000-0x00007FFD210E0000-memory.dmp

Filesize
64KB

Download
memory/996-153-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-133-0x00007FFD23330000-0x00007FFD23340000-memory.dmp

Filesize
64KB

Download
memory/996-154-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-138-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-135-0x00007FFD23330000-0x00007FFD23340000-memory.dmp

Filesize
64KB

Download
memory/996-142-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-187-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-186-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/996-136-0x00007FFD23330000-0x00007FFD23340000-memory.dmp

Filesize
64KB

Download
memory/3632-162-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/3632-172-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/3632-173-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/3632-174-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/3632-161-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/3632-166-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/3632-169-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/3632-171-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/3632-192-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/3632-194-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/3632-195-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/3632-167-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download
memory/3632-164-0x00007FFD632B0000-0x00007FFD634A5000-memory.dmp

Filesize
2.0MB

Download