1eb2d10deb038b86eaaadece40a705184b6f8ed3a24cb1f0804a1e556923e45c

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2023 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Part number 91875-11400 x 6.xls
Size

416KB
MD5

66bd2064e933a06c4af53c4347c8de9e
SHA1

f8d79bb57a9d26cc95c7401f6ca962cdf59a0034
SHA256

1eb2d10deb038b86eaaadece40a705184b6f8ed3a24cb1f0804a1e556923e45c
SHA512

021dd1fe5592efbfd3c8d772bbcc33be0535ca5e9425a86c575e39fa6f307da25c2ad6c30c413e3a604fef2592a3ef5ca37dd752c43f45f68ed78b9199654d27
SSDEEP

12288:JFesxot3VtvejSD/WtH3JYqFxM8Am+ROYJUK:JFes2XwWD/WhZYkrA1OYi

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1348	EXCEL.EXE
2412	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	2412	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE
2412	WINWORD.EXE
2412	WINWORD.EXE
2412	WINWORD.EXE
2412	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 792	2412	WINWORD.EXE	92
PID 2412 wrote to memory of 792	2412	WINWORD.EXE	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Part number 91875-11400 x 6.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1348

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1B6969F0-6BD4-4216-82DB-D086CF265C08

Filesize
156KB

MD5
4ea52664813c6685b1424a01bff0f24a

SHA1
3bcf9bc67acf29b2a13db38f659cd82711c6ccf8

SHA256
1e8080c573f59e0b4edd34b3c0bf9dd53b63a7f48e181c39142fdeda911eb0aa

SHA512
cac48b7f8386cec2e7842df6f834337e9c9422e5bc635cb1aa5f241896569221aead9792ee61f54df52ff3ccd8a725f96722d81ad9a40ec65c9836f89e1eaa95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y9DO0VHG\ioi0ioi0ioioioo0IOIOI0IOoioi0ioii0IOIIOII0I0oioiioi0ioi0000##############00000000##############0000000[1].doc

Filesize
33KB

MD5
de3b51e37b7edd56b0ac9ccf49580ea5

SHA1
6daa943aa301b406e528584d42e4071e56c9fc7e

SHA256
12ca6fd65bdfb318cbfa0090317052ec53d70f67a9802a721cd361e090e4e33f

SHA512
090858e453de3032ce2143461a1ed6e9f307483a5dfaec0faa15328c577d87ba64a2a445de0e2030ea567a55e3a4093da03e86534896767ed9b34b82e305fa49

Download Submit
memory/1348-21-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-1-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-5-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-6-0x00007FFC36F70000-0x00007FFC36F80000-memory.dmp

Filesize
64KB

Download
memory/1348-7-0x00007FFC36F70000-0x00007FFC36F80000-memory.dmp

Filesize
64KB

Download
memory/1348-8-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-9-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-3-0x00007FFC36F70000-0x00007FFC36F80000-memory.dmp

Filesize
64KB

Download
memory/1348-11-0x00007FFC34C20000-0x00007FFC34C30000-memory.dmp

Filesize
64KB

Download
memory/1348-10-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-12-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-13-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-14-0x00007FFC34C20000-0x00007FFC34C30000-memory.dmp

Filesize
64KB

Download
memory/1348-18-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-16-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-17-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-19-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-20-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-0-0x00007FFC36F70000-0x00007FFC36F80000-memory.dmp

Filesize
64KB

Download
memory/1348-4-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-15-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-54-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-53-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-22-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/1348-2-0x00007FFC36F70000-0x00007FFC36F80000-memory.dmp

Filesize
64KB

Download
memory/2412-32-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/2412-41-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/2412-37-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/2412-38-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/2412-39-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/2412-34-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/2412-36-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/2412-40-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/2412-27-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/2412-30-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/2412-31-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/2412-56-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/2412-57-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download
memory/2412-58-0x00007FFC76EF0000-0x00007FFC770E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads