ddb9c70c6d9428409e70efc80dab34a1e18378c3bb73ed6ec24507e998342052

General

Target

ddb9c70c6d9428409e70efc80dab34a1e18378c3bb73ed6ec24507e998342052_JC.xls
Size

622KB
MD5

7ca3897ae90106d8eb4ce36919306905
SHA1

fb8769dc6a5a4f8818e8f94682180de57ab51051
SHA256

ddb9c70c6d9428409e70efc80dab34a1e18378c3bb73ed6ec24507e998342052
SHA512

d4659bd3fb3ab7401a94b960bb7048b93a25b0c4da6bae5af464735f4137dbcad936c6b48ece1c07012d1ebad9349e4dfa0d5d7169e2c19fec27d3dec35faf13
SSDEEP

12288:u8lMMFeGfxkGhx5ydiaPjSAjbiOSzJ2OHCwOkx:1MMFeGMdVPtjbiOZKCw3x

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3676	EXCEL.EXE
1584	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	1584	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
1584	WINWORD.EXE
1584	WINWORD.EXE
1584	WINWORD.EXE
1584	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1804	1584	WINWORD.EXE	94
PID 1584 wrote to memory of 1804	1584	WINWORD.EXE	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ddb9c70c6d9428409e70efc80dab34a1e18378c3bb73ed6ec24507e998342052_JC.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3676

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5C0AD5FA-50A1-4EF5-8206-BFE3BD972486

Filesize
156KB

MD5
68ec0272307a3f2b48ff994ad5f95199

SHA1
770a20e75d80440c6270ca3e6427c1c9073e0dd8

SHA256
62bfe110a2e4ee3706aa1ff8891e7244273256b832e3958a146477cac224afda

SHA512
285726825af99d162120f48c8a601abd2960de730dfdc35bdb4a77507190b01729731a14ba36a5f55c7e73f608214c73bfb7c127063989213c4c254632fde180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XE9C1B9R\O0I0OIO0OIOioi0ioi0oi0oioioIO0I0IOIOI00I00000##############00000000000##############0000000000[1].doc

Filesize
23KB

MD5
de892b33c34e238fd19d054fb14eca8e

SHA1
81daca75d74cbedf869fa4247f9fae3d587579f6

SHA256
db255dcad4ccdffe6369fddff06e0aa87581809870b0e918c7b61c57495a426d

SHA512
eceefb5f400f7f1d36f455838b50ac51cb52f76b738f5540cafe06ee4ef671dfb01570e54e3103f88fd702772ec3a01dd187eb2ff4ae237605049cfb3214a883

Download Submit
memory/1584-37-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/1584-55-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/1584-56-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/1584-57-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/1584-24-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/1584-36-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/1584-35-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/1584-34-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/1584-33-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/1584-31-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/1584-29-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/1584-27-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/1584-25-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-10-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-9-0x00007FFA81110000-0x00007FFA81120000-memory.dmp

Filesize
64KB

Download
memory/3676-18-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-16-0x00007FFA7EE00000-0x00007FFA7EE10000-memory.dmp

Filesize
64KB

Download
memory/3676-15-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-14-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-13-0x00007FFA7EE00000-0x00007FFA7EE10000-memory.dmp

Filesize
64KB

Download
memory/3676-8-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-12-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-11-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-0-0x00007FFA81110000-0x00007FFA81120000-memory.dmp

Filesize
64KB

Download
memory/3676-17-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-7-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-6-0x00007FFA81110000-0x00007FFA81120000-memory.dmp

Filesize
64KB

Download
memory/3676-5-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-3-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-49-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-51-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download
memory/3676-2-0x00007FFA81110000-0x00007FFA81120000-memory.dmp

Filesize
64KB

Download
memory/3676-4-0x00007FFA81110000-0x00007FFA81120000-memory.dmp

Filesize
64KB

Download
memory/3676-1-0x00007FFAC1090000-0x00007FFAC1285000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads