c36edbf6ff6981ab06c2bebafef7340da2c28565751b4e1e6bedb4cd02f992b4

General

Target

Ord.For.NGF2301820.xls
Size

146KB
MD5

3c80a3404a12b03596de173b7c2395d8
SHA1

0f2747a0d918456486c729f6f47f41b1523c7ff0
SHA256

c36edbf6ff6981ab06c2bebafef7340da2c28565751b4e1e6bedb4cd02f992b4
SHA512

94e9da4e191f0282046cd7430b4588534fc0006288f0ba1dbcafb2dae6058d79c95987d8b303daa9c07b487d01329b7e9202b3502bf0e399857bbe67fa8389b9
SSDEEP

3072:F/kJAg15QiSCz0Huru1bsNTL3SupLsld9kgYUWo:F/unQKAOHFpLKdJ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4728	EXCEL.EXE
544	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	544	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
544	WINWORD.EXE
544	WINWORD.EXE
544	WINWORD.EXE
544	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 4136	544	WINWORD.EXE	92
PID 544 wrote to memory of 4136	544	WINWORD.EXE	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Ord.For.NGF2301820.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4728

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1DCB93E2-E566-40FD-A12C-D33A559BDCF5

Filesize
156KB

MD5
b5b37a09dad646fcff110f43aa8b38c1

SHA1
e8c5d19591105687646736be2e9b7eaae5920441

SHA256
62104d5bbddd0635231b298c44e2bb141359382314a4e4bbc27b69304a5ec0aa

SHA512
10c16bb1aee0bcd3dbbbe4866450823a5262cedde738b3bb2a117ba7f77a64b6a036edce4fc19d34dd816dcde13cff9471b39b2ea1f21b79d754605c38513f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N8VHZYYG\i0iooi0i0IOI0IOI0i0ioioi0I0I0IIOII0OI0I0IOI0I0OI0I0IOI0OI0I0OI0IOI0I0OI0I0##############00000##############000000000[1].doc

Filesize
22KB

MD5
c525805107dafbab4307168b2544d08c

SHA1
2514a0564bbc807fa2c4f8783232c63d39f9dc1a

SHA256
e5c0df7eb4648577abe7401b2d640479e9736e1a5d389387b92a694e4234c0d7

SHA512
f42fbb17099e0541075601f8443d96469c1fe9de28cdb6c5f9cfd7151d507dad7a3ced3dc4a13bd195aee9e3f097506cdc1a8ed43b38801c57c39a99993e3a0f

Download Submit
memory/544-28-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/544-58-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/544-57-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/544-56-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/544-38-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/544-37-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/544-35-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/544-33-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/544-31-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/544-29-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-10-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-5-0x00007FFDA8410000-0x00007FFDA8420000-memory.dmp

Filesize
64KB

Download
memory/4728-14-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-16-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-17-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-15-0x00007FFDA5BC0000-0x00007FFDA5BD0000-memory.dmp

Filesize
64KB

Download
memory/4728-18-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-19-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-20-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-21-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-22-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-23-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-13-0x00007FFDA5BC0000-0x00007FFDA5BD0000-memory.dmp

Filesize
64KB

Download
memory/4728-12-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-11-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-0-0x00007FFDA8410000-0x00007FFDA8420000-memory.dmp

Filesize
64KB

Download
memory/4728-9-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-8-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-7-0x00007FFDA8410000-0x00007FFDA8420000-memory.dmp

Filesize
64KB

Download
memory/4728-6-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-3-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-50-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-51-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download
memory/4728-4-0x00007FFDA8410000-0x00007FFDA8420000-memory.dmp

Filesize
64KB

Download
memory/4728-2-0x00007FFDA8410000-0x00007FFDA8420000-memory.dmp

Filesize
64KB

Download
memory/4728-1-0x00007FFDE8390000-0x00007FFDE8585000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads