3151eeb337bdc0be093f392e879cb8eaf3a44d10d012f3296cd029a35d763d45

Analysis

max time kernel
6s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 00:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HYUNDAI INVITATION LETTER.xls
Size

282KB
MD5

8ebd7658975d158beeb4587ac66d2628
SHA1

b83a388737ab385163ef9ddb715a45d04550f138
SHA256

1f9447b936dfc7d9b4ed44796367ade3baa9dec8776e18154b3e45b4cb08bebc
SHA512

99fa927495f1604b4a876f85953ff6d5718096705481c5fce7dedc5cffbb5f62b7f5a7228339522876ae34aa3539753b48bf250c2ca6b3e02abe65b321d22ecc
SSDEEP

6144:EXRC/eu3YDp7LLFY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVsnMI0zBRBmSg:EX4mw3bVsnMIOfm

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4028	EXCEL.EXE
3916	WINWORD.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4028	EXCEL.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE
3916	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\HYUNDAI INVITATION LETTER.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4028

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3916
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5BC1A7B0-E415-4EAF-A107-26A8AFDD7C88

Filesize
157KB

MD5
5271616617ffc1a3b926387e26e42066

SHA1
a476741cef2e24cd6c006751b1d751c37a894447

SHA256
6aabc3b483b4418b43fce5dfc4f9941925f3ad5519c67ab151090481d7795b23

SHA512
063d577c6d2104ecb3b4ed4ec6d99145a018e09e91e8626de7ba7e044dcb225e4a75f94dcf63a23d0450085f9038e25aaf676c36765c71f1feb6309b8dc4a4e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
710d71d553bcfc098cb564e0f0fdf981

SHA1
f27b362655d8ac42174e6d7bffc8518cdf6dede6

SHA256
f0ef17db012516438ee1b5a2b0d2b046c93c528d61bd0c10863e0262a4785170

SHA512
7e8489b2760bd1835308a817f84e011076de64e118e970bd85a7b86989424d326fc22960b1f63f785d870aefac1442697f6262a26307d1ea4d26689f4e3ef7a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
f7ef55ee2604a84e25bb546c806d252c

SHA1
08cd4ca823a52ccda3cc5d4c79d1d66deed31bac

SHA256
c663aef5b12ede37ace5b448eb54cc3784a640ac030186dea42ea211fba840c7

SHA512
e4b28314c1123dc7d6f799555cb4a7ec6f25a0429e1c91177d0c6efed8b9d8a82b3fc3d641ed31c7737cbc21631c01f303a3c957db05523fbb3e562e3ab130ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X7JAO703\BrowserHistoryofChromeCleanupallCache[1].doc

Filesize
54KB

MD5
38568025b92f7ae0c0ee7747c8495f97

SHA1
52917ea86d627d77388ea6e874d80faf37720d1d

SHA256
54a662cae6dc5445bfaf070e62fe1aa571d537e59e74aa189313c111c074a7a2

SHA512
277d309b2e4ae52eae45c7d56243a38677b80517fd88ad00037efdca166a7982bf661674f7397d0317cc9a3a44e90d068362e5d5ad4265bbe2e17b17ad8e5db8

Download Submit
memory/3916-112-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-104-0x00007FFF8A650000-0x00007FFF8A660000-memory.dmp

Filesize
64KB

Download
memory/3916-113-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-106-0x00007FFF8A650000-0x00007FFF8A660000-memory.dmp

Filesize
64KB

Download
memory/3916-68-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-67-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-107-0x00007FFF8A650000-0x00007FFF8A660000-memory.dmp

Filesize
64KB

Download
memory/3916-108-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-105-0x00007FFF8A650000-0x00007FFF8A660000-memory.dmp

Filesize
64KB

Download
memory/3916-33-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-43-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-44-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-42-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-36-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-40-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-38-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3916-34-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-8-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-12-0x00007FFF87ED0000-0x00007FFF87EE0000-memory.dmp

Filesize
64KB

Download
memory/4028-22-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-21-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-18-0x00007FFF87ED0000-0x00007FFF87EE0000-memory.dmp

Filesize
64KB

Download
memory/4028-19-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-20-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-16-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-15-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-5-0x00007FFF8A650000-0x00007FFF8A660000-memory.dmp

Filesize
64KB

Download
memory/4028-14-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-0-0x00007FFF8A650000-0x00007FFF8A660000-memory.dmp

Filesize
64KB

Download
memory/4028-7-0x00007FFF8A650000-0x00007FFF8A660000-memory.dmp

Filesize
64KB

Download
memory/4028-17-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-60-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-65-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-66-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-13-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-11-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-10-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-9-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-6-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-3-0x00007FFF8A650000-0x00007FFF8A660000-memory.dmp

Filesize
64KB

Download
memory/4028-4-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-118-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4028-2-0x00007FFF8A650000-0x00007FFF8A660000-memory.dmp

Filesize
64KB

Download
memory/4028-1-0x00007FFFCA5D0000-0x00007FFFCA7C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads