a58305d97b3f1b7ce25c2e4ddac54c44a1fc78736fde5d2417a2f391e476f6c7

General

Target

NEAS.a58305d97b3f1b7ce25c2e4ddac54c44a1fc78736fde5d2417a2f391e476f6c7xls_JC.xls
Size

576KB
MD5

905966194474a7fa0f010e1ec69a6b7c
SHA1

eab4c675cbe8ea1771e4a1d2a4fcbd7305551ce5
SHA256

a58305d97b3f1b7ce25c2e4ddac54c44a1fc78736fde5d2417a2f391e476f6c7
SHA512

08fbb39bff38d34ede9ff8e3ed47daeb34466322ae18161fccb8de870188c972df7c0b761c3f4e01219a9311a0fe33b83b12fee352af9e6755e8bb14a2686944
SSDEEP

12288:DGe0yktVBPgFgZx0T3+5T85IMelbYZsOkbP77uJGHxxdRUpW5O1ad9scFox:DGeojDv0TO5W1elbYZhC7uJSxdaaf7mx

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

384 EXCEL.EXE
1284 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1284 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

384 EXCEL.EXE
384 EXCEL.EXE

description	pid	process
Token: SeAuditPrivilege	1284	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
384	EXCEL.EXE
384	EXCEL.EXE
384	EXCEL.EXE
384	EXCEL.EXE
384	EXCEL.EXE
384	EXCEL.EXE
384	EXCEL.EXE
384	EXCEL.EXE
384	EXCEL.EXE
384	EXCEL.EXE
384	EXCEL.EXE
384	EXCEL.EXE
1284	WINWORD.EXE
1284	WINWORD.EXE
1284	WINWORD.EXE
1284	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1284 wrote to memory of 2664	1284	WINWORD.EXE	splwow64.exe
PID 1284 wrote to memory of 2664	1284	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\NEAS.a58305d97b3f1b7ce25c2e4ddac54c44a1fc78736fde5d2417a2f391e476f6c7xls_JC.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:384

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1D139D31-6B03-4534-9DDA-A71D102D4F9C
Filesize
156KB

MD5
1e74adb45785424734ddf582800c4c7a

SHA1
20180fbbad0a4d8f86639f9d5d22e41e69dd591c

SHA256
282070a0e7554ed043ffd22e76ae9cd12d7689d587a165ad9aeb796996a58868

SHA512
8ab55a62c17d69db63f6fb08c68dd7ff4a2dbf2f110920af41959906b0926ef01d7e3baeda7af3eb830a8daf5cea2e365378270693bab2cacfd8e5004dfccb11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
349a7fc0ba5c0435f7fdbbc3874c52b5

SHA1
bcc3b5c464974be8745a6611f3ab5defa7770766

SHA256
3fab35d7f1c5d73872f268c269cd64386b13e15b15edffc0c15b78bbc7a6d767

SHA512
eb3c987bdcd07f609642d13b3c4fd7ab2c441531579165b384d8ab1ae70ebf9bd28dec56df1a8fa12a2c9fa785303035a84f700805b6fe9c8744cf51369ed5c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
234318df094c06741e8132ded60ea3ce

SHA1
ed5fb913f212b62260e171b93bcae4e9e0f51025

SHA256
7b571235a4d643af09b47086846d1298d03ff5915b2de0a79927dde18405838e

SHA512
f2702d6e202c1aa3bb5f5c4b8b2d76362685d386e6eaef0b3581df61fd5ceced2887ee4b421f24827e8f8a73cffd0d92c2d6b91edc89e70268deb4fc3d2f64c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UDS0USIU\HTMLprofile[1].doc
Filesize
28KB

MD5
5342b58b3951c40f8e5eb08f5d9824be

SHA1
49b08cba6efb7fdec9f0042d012efdf4da73b8c7

SHA256
4f799501a3f411314a5a678c5c6e45b8ebcb16aa3b7e7d9a1996e0eda8bc6029

SHA512
0c469b1278deda0cf00b24cdff2822ad22b57e56310e1e8c57111961d6843175ce7c755e77185dc6601be7a8dc46a326aef115d90554c640a8f5b35a556d72a5

Download Submit
memory/384-20-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-3-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp

Filesize
64KB

Download
memory/384-7-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-8-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp

Filesize
64KB

Download
memory/384-9-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-6-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp

Filesize
64KB

Download
memory/384-10-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-11-0x00007FFF42A10000-0x00007FFF42A20000-memory.dmp

Filesize
64KB

Download
memory/384-60-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-13-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-14-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-15-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-16-0x00007FFF42A10000-0x00007FFF42A20000-memory.dmp

Filesize
64KB

Download
memory/384-17-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-18-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-19-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-0-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp

Filesize
64KB

Download
memory/384-59-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-12-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-58-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-1-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-2-0x00007FFF44AD0000-0x00007FFF44AE0000-memory.dmp

Filesize
64KB

Download
memory/384-4-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/384-5-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-43-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-37-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-42-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-44-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-40-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-41-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-35-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-39-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-31-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-30-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-66-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-65-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-33-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download
memory/1284-67-0x00007FFF84A50000-0x00007FFF84C45000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads