Analysis
- max time kernel: 154s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-10-2023 17:32
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.a58305d97b3f1b7ce25c2e4ddac54c44a1fc78736fde5d2417a2f391e476f6c7xls_JC.xls
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: NEAS.a58305d97b3f1b7ce25c2e4ddac54c44a1fc78736fde5d2417a2f391e476f6c7xls_JC.xls
- Resource: win10v2004-20231020-en
General
- Target: NEAS.a58305d97b3f1b7ce25c2e4ddac54c44a1fc78736fde5d2417a2f391e476f6c7xls_JC.xls
- Size: 576KB
- MD5: 905966194474a7fa0f010e1ec69a6b7c
- SHA1: eab4c675cbe8ea1771e4a1d2a4fcbd7305551ce5
- SHA256: a58305d97b3f1b7ce25c2e4ddac54c44a1fc78736fde5d2417a2f391e476f6c7
- SHA512: 08fbb39bff38d34ede9ff8e3ed47daeb34466322ae18161fccb8de870188c972df7c0b761c3f4e01219a9311a0fe33b83b12fee352af9e6755e8bb14a2686944
- SSDEEP: 12288:DGe0yktVBPgFgZx0T3+5T85IMelbYZsOkbP77uJGHxxdRUpW5O1ad9scFox:DGeojDv0TO5W1elbYZhC7uJSxdaaf7mx
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
pid | process
384 | EXCEL.EXE
1284 | WINWORD.EXE
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: WINWORD.EXE
description | pid | process
Token: SeAuditPrivilege | 1284 | WINWORD.EXE
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: EXCEL.EXE
pid | process
384 | EXCEL.EXE
384 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
pid | process
384 | EXCEL.EXE (12 entries)
1284 | WINWORD.EXE (4 entries)
-
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
description | pid | process | target process
PID 1284 wrote to memory of 2664 | 1284 | WINWORD.EXE | splwow64.exe
PID 1284 wrote to memory of 2664 | 1284 | WINWORD.EXE | splwow64.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (level 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\NEAS.a58305d97b3f1b7ce25c2e4ddac54c44a1fc78736fde5d2417a2f391e476f6c7xls_JC.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exe (level 2, under WINWORD.EXE)
Command line: C:\Windows\splwow64.exe 12288
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1D139D31-6B03-4534-9DDA-A71D102D4F9C
Filesize: 156KB
MD5: 1e74adb45785424734ddf582800c4c7a
SHA1: 20180fbbad0a4d8f86639f9d5d22e41e69dd591c
SHA256: 282070a0e7554ed043ffd22e76ae9cd12d7689d587a165ad9aeb796996a58868
SHA512: 8ab55a62c17d69db63f6fb08c68dd7ff4a2dbf2f110920af41959906b0926ef01d7e3baeda7af3eb830a8daf5cea2e365378270693bab2cacfd8e5004dfccb11
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 349a7fc0ba5c0435f7fdbbc3874c52b5
SHA1: bcc3b5c464974be8745a6611f3ab5defa7770766
SHA256: 3fab35d7f1c5d73872f268c269cd64386b13e15b15edffc0c15b78bbc7a6d767
SHA512: eb3c987bdcd07f609642d13b3c4fd7ab2c441531579165b384d8ab1ae70ebf9bd28dec56df1a8fa12a2c9fa785303035a84f700805b6fe9c8744cf51369ed5c3
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: 234318df094c06741e8132ded60ea3ce
SHA1: ed5fb913f212b62260e171b93bcae4e9e0f51025
SHA256: 7b571235a4d643af09b47086846d1298d03ff5915b2de0a79927dde18405838e
SHA512: f2702d6e202c1aa3bb5f5c4b8b2d76362685d386e6eaef0b3581df61fd5ceced2887ee4b421f24827e8f8a73cffd0d92c2d6b91edc89e70268deb4fc3d2f64c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UDS0USIU\HTMLprofile[1].doc
Filesize: 28KB
MD5: 5342b58b3951c40f8e5eb08f5d9824be
SHA1: 49b08cba6efb7fdec9f0042d012efdf4da73b8c7
SHA256: 4f799501a3f411314a5a678c5c6e45b8ebcb16aa3b7e7d9a1996e0eda8bc6029
SHA512: 0c469b1278deda0cf00b24cdff2822ad22b57e56310e1e8c57111961d6843175ce7c755e77185dc6601be7a8dc46a326aef115d90554c640a8f5b35a556d72a5
-
memory dump | Filesize
memory/384-20-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-3-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp | 64KB
memory/384-7-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-8-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp | 64KB
memory/384-9-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-6-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp | 64KB
memory/384-10-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-11-0x00007FFF42A10000-0x00007FFF42A20000-memory.dmp | 64KB
memory/384-60-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-13-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-14-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-15-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-16-0x00007FFF42A10000-0x00007FFF42A20000-memory.dmp | 64KB
memory/384-17-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-18-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-19-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-0-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp | 64KB
memory/384-59-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-12-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-58-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-1-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-2-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp | 64KB
memory/384-4-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/384-5-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-43-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-37-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-42-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-44-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-40-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-41-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-35-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-39-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-31-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-30-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-66-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-65-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-33-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB
memory/1284-67-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp | 2.0MB