2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16xlsx_JC.xls
Size

220KB
MD5

15c921cb2dac8d0ee2ca4fbe7f7c0989
SHA1

18bbe85e71bc15b10da55f70796ac86bd75936d9
SHA256

2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16
SHA512

6000006878ddf4446602606e85f2aa958b3952c1e109f85651b1254018faac844841418fb3f0bd951693aa5e6867e89997fe070785aed857566d4b93e60365ce
SSDEEP

6144:9Y35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVqfMIkoR0/WU/6FG07W:E3bVqfMIkoR0wG07W

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3160	EXCEL.EXE
3564	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3564	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3160	EXCEL.EXE
3160	EXCEL.EXE
3160	EXCEL.EXE
3160	EXCEL.EXE
3160	EXCEL.EXE
3160	EXCEL.EXE
3160	EXCEL.EXE
3160	EXCEL.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 4564	3564	WINWORD.EXE	96
PID 3564 wrote to memory of 4564	3564	WINWORD.EXE	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\NEAS.2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16xlsx_JC.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3160

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\77CBC17E-76B4-4473-9AAE-4FB2F7A0CED9

Filesize
156KB

MD5
f83aba37e38757d25427b3d0beb77880

SHA1
4b2cb1ab6215022f0049734ddf5f1a62776f45af

SHA256
1a5ecbe979d773d5a1baf3a649ea01b71bce199a9dd6ae004f13492b48df9523

SHA512
ad277a08992510178211698a9bf845f06a464c849b3e4de95e064efe58c9836b90a8f3b53c3102e39a7697d25a9d43b5c3e0a58adcaf1f198e44bd653bb21488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
86b3488f0fe6150435c4c5c1ebeca6e4

SHA1
21ab10c828b35282c2d406b111cd031867cde391

SHA256
2620b3bf1420abd8e761a0522805642085d70ab9ca757de7bb97e83db010be9d

SHA512
0754cef30512070ec161267f6a7c4ea50bfb9b1d9f5a33ad386d1e3984a15d26b60e080a11fc3c00e4bb11d3796b04e3d8b7b86de2ffeada34b69578b1d32229

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
f291d6d67b5a61c3440d399350dc4bfd

SHA1
078601db1e116c3d4f093841b099b340f0cd7bc1

SHA256
003c91a2613a7773af41be96061363a311834ed942664d0d8f8b84d2945eb814

SHA512
5d96fffd1aa9bdca2a578f6cbf83aaa75deebcadb676146ec35c738e5f7f3adedd39841091188d262868a804b83d596b156b980bd7da467c6241d964ac842d08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X7JAO703\HTMLcvdesiii[1].doc

Filesize
22KB

MD5
427a881f48c7c470b824e62dc28a0170

SHA1
0bc7e5db7310e39253a0604c6d68503a0c52414c

SHA256
72d2aa1f7763c44de09930674529ba17915bdb1fa04205957c62137cf1411a92

SHA512
780250dcb16ee684d0281dfeac4cc02e0f4d47d4e87d919b31efa9bb519704cf4ee4d7b85906a667111251d2a0eecf9975537f739e3893e58482e74e33418ef6

Download Submit
memory/3160-66-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-13-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-7-0x00007FFD9FED0000-0x00007FFD9FEE0000-memory.dmp

Filesize
64KB

Download
memory/3160-8-0x00007FFD9FED0000-0x00007FFD9FEE0000-memory.dmp

Filesize
64KB

Download
memory/3160-6-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-9-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-10-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-11-0x00007FFD9DD80000-0x00007FFD9DD90000-memory.dmp

Filesize
64KB

Download
memory/3160-12-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-123-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-14-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-16-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-17-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-18-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-19-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-20-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-21-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-22-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-23-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-15-0x00007FFD9DD80000-0x00007FFD9DD90000-memory.dmp

Filesize
64KB

Download
memory/3160-122-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-120-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-1-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-65-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-0-0x00007FFD9FED0000-0x00007FFD9FEE0000-memory.dmp

Filesize
64KB

Download
memory/3160-2-0x00007FFD9FED0000-0x00007FFD9FEE0000-memory.dmp

Filesize
64KB

Download
memory/3160-5-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-3-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3160-4-0x00007FFD9FED0000-0x00007FFD9FEE0000-memory.dmp

Filesize
64KB

Download
memory/3564-113-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-69-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-43-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-44-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-38-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-112-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-37-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-35-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-33-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-31-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-67-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-41-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-42-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-106-0x00007FFD9FED0000-0x00007FFD9FEE0000-memory.dmp

Filesize
64KB

Download
memory/3564-68-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-107-0x00007FFD9FED0000-0x00007FFD9FEE0000-memory.dmp

Filesize
64KB

Download
memory/3564-108-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-105-0x00007FFD9FED0000-0x00007FFD9FEE0000-memory.dmp

Filesize
64KB

Download
memory/3564-110-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-39-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-111-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-109-0x00007FFD9FED0000-0x00007FFD9FEE0000-memory.dmp

Filesize
64KB

Download
memory/3564-29-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-28-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download
memory/3564-40-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads