9b25f1b5b77466f9bd0e8b3f69cf5b5ec10dd5691a59767e5d8ae34f226a4a7f

General

Target

7030200100.xls
Size

1.0MB
MD5

db838e896fe65e782fde6004f549d93d
SHA1

934e383c200be732053ff5eb47bbd815c3ca2576
SHA256

9b25f1b5b77466f9bd0e8b3f69cf5b5ec10dd5691a59767e5d8ae34f226a4a7f
SHA512

3f27b47b710237ec605d4fa85f2067749e58e86f414cb41457fc4121a81c82905d53fa9575578c60a51099e11412aba918aebd033ae75e137d369a8c2552c332
SSDEEP

24576:PX8DK69PFoheP1QPHwLFRkLFR8/fFX0wv4knkL9kmJZODqcx2X:4L9Nohy1QP4K+4kkLCd

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3976	EXCEL.EXE
3160	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3160	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3976	EXCEL.EXE
3976	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3976	EXCEL.EXE
3976	EXCEL.EXE
3976	EXCEL.EXE
3976	EXCEL.EXE
3976	EXCEL.EXE
3976	EXCEL.EXE
3976	EXCEL.EXE
3976	EXCEL.EXE
3976	EXCEL.EXE
3976	EXCEL.EXE
3976	EXCEL.EXE
3976	EXCEL.EXE
3160	WINWORD.EXE
3160	WINWORD.EXE
3160	WINWORD.EXE
3160	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 3384	3160	WINWORD.EXE	98
PID 3160 wrote to memory of 3384	3160	WINWORD.EXE	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7030200100.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D6A7B641-F429-4783-9291-20A9D898325C

Filesize
156KB

MD5
fcc22d9a2d21aec5faeb744365c850eb

SHA1
d8b632126c1cbd751d20c3ba0dacb6551daa8257

SHA256
77bdd8c7a012ef67403791d674f0e7923bff83a78a82f1d26857718e5a4b4b24

SHA512
670c9d4c6a3677b952915d64f8a5e313862f6da13fc39cbd93e4f86d44c0b911bd2a2b92e6d3386168b05d70b6c5b8bc090323c190b2d1af020227963d2ba1f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EGWOM5I1\ioi0OIOoi0IOIOIoi0OIOIioI0IOioi0000##############00ioi0ioiOI0oioiOIOI0ioIOIOI00##############000[1].doc

Filesize
26KB

MD5
432af76c6e1aaf2f1848808a1ccb3f8b

SHA1
e17341ee87423994c5643c0ae8215a40913110e2

SHA256
6084216cf7ff4dbdf9047a82c60170eb8d09dc6003469dbf5c98465ca640f5f9

SHA512
332055234d95f36acf4d6d99c0266ecb6d5381b485c7b1a3c51be7840fd8078d27ac8387a466ce52edd78c6f0ef61f37cf90514187ab0bf664068bbdc8fcb77a

Download Submit
memory/3160-28-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3160-42-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3160-41-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3160-34-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3160-33-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3160-31-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3160-30-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3160-29-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-8-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-10-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-11-0x00007FFD54EA0000-0x00007FFD54EB0000-memory.dmp

Filesize
64KB

Download
memory/3976-13-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-14-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-15-0x00007FFD54EA0000-0x00007FFD54EB0000-memory.dmp

Filesize
64KB

Download
memory/3976-18-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-20-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-21-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-23-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-26-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-12-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-9-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-1-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-7-0x00007FFD57610000-0x00007FFD57620000-memory.dmp

Filesize
64KB

Download
memory/3976-6-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-5-0x00007FFD57610000-0x00007FFD57620000-memory.dmp

Filesize
64KB

Download
memory/3976-35-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-3-0x00007FFD57610000-0x00007FFD57620000-memory.dmp

Filesize
64KB

Download
memory/3976-4-0x00007FFD97590000-0x00007FFD97785000-memory.dmp

Filesize
2.0MB

Download
memory/3976-2-0x00007FFD57610000-0x00007FFD57620000-memory.dmp

Filesize
64KB

Download
memory/3976-0-0x00007FFD57610000-0x00007FFD57620000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads