Analysis
max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/11/2023, 07:05

Tasks
Static task: static1
Behavioral task: behavioral1 (sample gunzipped.xls, resource win7-20231020-en)
Behavioral task: behavioral2 (sample gunzipped.xls, resource win10v2004-20231127-en)
General
Target: gunzipped.xls
Size: 391KB
MD5: 2ac8a298c47d91f127ff8951e5e00fd4
SHA1: bf41a1fb5658b33d886ddc20b7d424c6dbd91d15
SHA256: 49cbd743a040465d6757e0e5d408d674624053368967940cd8c51ac97925bfc8
SHA512: 856988af820bd0a102b4b917e2c66840d6c8f41f5adc45f21df11ccf95061ff8476fbc98a1a069a8d514f2ad903b1ace95d74e8781149c994df772b1b3a7494c
SSDEEP: 6144:Zn1m9kdbk71u+FZetJs0hdMJUXWDYWBXVH11IyqyLuJvsEKEY6Uvo:ZOee1CtqSdLWDYMZ1SFPsETYPvo
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments. Caveat: all six hits below come from EXCEL.EXE and WINWORD.EXE, which query these keys during normal start-up, so on its own this signature is low-signal.
  process      description        ioc
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  EXCEL.EXE    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  EXCEL.EXE    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  EXCEL.EXE    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  WINWORD.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0

Enumerates system info in registry (2 TTPs, 6 IoCs)
Same start-up noise caveat as above: the reads are made by the Office processes themselves.
  process      description        ioc
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  EXCEL.EXE    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  EXCEL.EXE    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  EXCEL.EXE    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  WINWORD.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   process
  468   EXCEL.EXE
  2716  WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid   process      description
  2716  WINWORD.EXE  Token: SeAuditPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process      hits
  468   EXCEL.EXE    2

Suspicious use of SetWindowsHookEx (16 IoCs)
  pid   process      hits
  468   EXCEL.EXE    12
  2716  WINWORD.EXE  4

Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   process      procid_target
  PID 2716 wrote to memory of 2608  2716  WINWORD.EXE  93
  PID 2716 wrote to memory of 2608  2716  WINWORD.EXE  93
Caveat: 2608 is the splwow64.exe child that WINWORD.EXE itself started (see Processes). A parent writing into a process it has just created is expected, and this signature fires on benign Office sessions as well.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Note that the report attributes no process, IoC or evidence row to these last three signatures; treat them as interface-usage hints, not as observed scheduling or shadow-copy activity.
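The two registry signatures above describe what a sample looks at when it fingerprints an analysis VM. The following added example (not code from the report, the sandbox vendor or the sample) performs that fingerprinting from the same four values the IoC rows list, so an analyst can see what the detonation VM exposes. The marker strings, the 1500 MHz threshold and the two sample dicts are this example's own assumptions; the live registry read only works on Windows.

```python
"""Registry-based VM fingerprinting from the four values the report's IoC rows name.
Added example; marker strings, threshold and sample dicts are assumptions, not
captured data."""
import sys

CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"
HW_VALUES = {  # label -> (HKLM subkey, value name), matching the report's "Key value queried" rows
    "ProcessorNameString": (CPU_KEY, "ProcessorNameString"),
    "~MHz": (CPU_KEY, "~MHz"),
    "SystemFamily": (BIOS_KEY, "SystemFamily"),
    "SystemSKU": (BIOS_KEY, "SystemSKU"),
}
# Substrings an evasive sample might look for (assumed list). "hyper-v" and
# "virtual machine" also match ordinary corporate VDI, which is why real
# evasion code weighs several signals rather than one string.
VM_MARKERS = ("vmware", "virtualbox", "virtual machine", "qemu", "kvm", "xen", "bochs", "hyper-v")


def read_hardware_keys():
    """Query HKLM exactly as the report's IoC rows show. Windows only; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    values = {}
    for label, (subkey, name) in HW_VALUES.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                values[label] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            values[label] = None
    return values


def sandbox_indicators(values, min_mhz=1500):
    """Return the reasons a sample's heuristic would call this machine a VM.
    An empty list means the values look like ordinary hardware."""
    reasons = []
    for label in ("ProcessorNameString", "SystemFamily", "SystemSKU"):
        text = str(values.get(label) or "").lower()
        hit = next((m for m in VM_MARKERS if m in text), None)
        if hit:
            reasons.append(f"{label} mentions '{hit}'")
    mhz = values.get("~MHz")
    if isinstance(mhz, int) and mhz < min_mhz:  # hypervisors often report a low or odd clock
        reasons.append(f"~MHz={mhz} is below {min_mhz}")
    return reasons


# Constructed sample values, not captured from any machine.
SAMPLE_VM = {"ProcessorNameString": "QEMU Virtual CPU version 2.5+", "~MHz": 1200,
             "SystemFamily": "Virtual Machine", "SystemSKU": "None"}
SAMPLE_HOST = {"ProcessorNameString": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz", "~MHz": 2112,
               "SystemFamily": "ThinkPad X1 Carbon 6th", "SystemSKU": "LENOVO_MT_20KH"}

if __name__ == "__main__":
    live = read_hardware_keys()
    for name, vals in (("constructed VM", SAMPLE_VM), ("constructed host", SAMPLE_HOST), ("this machine", live)):
        if vals is not None:
            print(name, "->", sandbox_indicators(vals) or ["no indicators"])
```

Run it on a bare-metal host and on the analysis VM and compare: whatever trips the indicators on the VM is what a sample's evasion check would see. For detection, key on which process reads these keys rather than on the keys themselves, since EXCEL.EXE and WINWORD.EXE read them during normal start-up.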
Processes
EXCEL.EXE (PID 468)
  Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\gunzipped.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

WINWORD.EXE (PID 2716)
  Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  -Embedding is the switch COM passes when it starts an application as an out-of-process OLE server: Word was activated to service an object (consistent with an embedded Word object in the spreadsheet), not launched by a user. It appears as a top-level process rather than under EXCEL.EXE because COM activation makes the DCOM launcher, not Excel, the parent.
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    splwow64.exe (PID 2608), child of WINWORD.EXE
      Command line: C:\Windows\splwow64.exe 12288

svchost.exe (PID 2172)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
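The -Embedding launch of WINWORD.EXE is consistent with an embedded Word object in the spreadsheet, and the quickest static check for that is to list the OLE2 storages inside the .xls before detonating it. This added example (not code from the report, the sandbox or the sample) walks the compound-file directory and flags streams under the MBD* storages Excel uses for embedded OLE objects. It assumes version-3 files with 512-byte sectors whose FAT sector list fits in the header DIFAT (109 entries, roughly 7 MB of file); build_demo_cfb() constructs a small stand-in file for the demo and is not gunzipped.xls.

```python
"""OLE2 / Compound File (CFB) directory lister. Added example; the demo file is
constructed, not the sample, and only v3 files with an in-header DIFAT are handled."""
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
STORAGE, STREAM, ROOT = 1, 2, 5


def is_cfb(data):
    """True if the bytes start with the compound-file signature."""
    return data[:8] == MAGIC


def _sector(data, sector_size, n):
    off = (n + 1) * sector_size  # sector 0 starts right after the 512-byte header
    return data[off:off + sector_size]


def _u32s(buf):
    buf = buf[:len(buf) // 4 * 4]
    return list(struct.unpack("<%dI" % (len(buf) // 4), buf))


def list_cfb_entries(data):
    """Return [(path, kind, size), ...] for every storage and stream, walking the
    directory's sibling/child tree so nested entries come out as parent/child."""
    if not is_cfb(data):
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    fat = []
    for s in _u32s(data[76:76 + 109 * 4]):  # header DIFAT lists the FAT sectors
        if s == FREESECT:
            break
        fat.extend(_u32s(_sector(data, sector_size, s)))
    dir_bytes, s, seen = b"", first_dir, set()
    while s != ENDOFCHAIN and s < len(fat) and s not in seen:  # follow the directory chain
        seen.add(s)
        dir_bytes += _sector(data, sector_size, s)
        s = fat[s]
    entries = []
    for off in range(0, len(dir_bytes) - 127, 128):
        e = dir_bytes[off:off + 128]
        name_len, kind = struct.unpack_from("<HB", e, 64)  # name_len counts the UTF-16 NUL
        name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
        left, right, child = struct.unpack_from("<III", e, 68)
        size = struct.unpack_from("<I", e, 120)[0]
        entries.append((name, kind, left, right, child, size))
    out, visited = [], set()

    def walk(i, prefix):
        if i >= len(entries) or i in visited:  # NOSTREAM ends a branch; visited guards crafted loops
            return
        visited.add(i)
        name, kind, left, right, child, size = entries[i]
        if kind == 0:  # unused slot
            return
        path = prefix + name
        out.append((path, {STORAGE: "storage", STREAM: "stream"}.get(kind, "other"), size))
        walk(left, prefix)
        walk(right, prefix)
        if kind == STORAGE:
            walk(child, path + "/")

    if entries:
        walk(entries[0][4], "")  # entry 0 is the Root Entry; start from its child
    return out


def embedded_objects(entries):
    """Streams under an MBD* storage, Excel's container for embedded OLE objects."""
    return [p for p, kind, _ in entries if kind == "stream" and p.startswith("MBD")]


def build_demo_cfb():
    """Construct a minimal v3 file: Workbook stream plus MBD00000001/WordDocument.
    Streams carry no payload sectors; only the directory matters for this demo."""
    def entry(name, kind, left, right, child, size=0):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128)
        e[:len(raw)] = raw
        struct.pack_into("<HB", e, 64, len(raw), kind)
        struct.pack_into("<III", e, 68, left, right, child)
        struct.pack_into("<II", e, 116, ENDOFCHAIN, size)  # start sector, stream size
        return bytes(e)

    directory = (entry("Root Entry", ROOT, NOSTREAM, NOSTREAM, 1)
                 + entry("Workbook", STREAM, NOSTREAM, 2, NOSTREAM, 4096)
                 + entry("MBD00000001", STORAGE, NOSTREAM, NOSTREAM, 3)
                 + entry("WordDocument", STREAM, NOSTREAM, NOSTREAM, NOSTREAM, 4096))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))  # sector 0 FAT, sector 1 directory
    header = bytearray(512)
    header[:8] = MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # minor, major 3, byte order, 2^9 sectors, 2^6 mini
    struct.pack_into("<9I", header, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))  # DIFAT: the FAT is in sector 0
    return bytes(header) + fat + directory


if __name__ == "__main__":
    for path, kind, size in list_cfb_entries(build_demo_cfb()):
        print(f"{kind:8} {size:6} {path}")
```

Point list_cfb_entries() at the real sample with open(path, "rb").read(); a WordDocument stream under an MBD* storage would confirm statically what the process tree suggests, and any Ole10Native or Package stream in the same place points at a non-Office embedded payload instead.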
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 36654abeb5ff9f498deac2d9a37bf46b
  SHA1: 274f119f459fecf373adccf9c0d3341b946c7574
  SHA256: 490a72a1863a800c61678c49b59cb99928ceb5b5a51913f8637e7133bf31e96b
  SHA512: 8429e1df9cb23e66705231ab3856ab2b8f4ec62a402f39eb3d45b55f8b6c9f02dc212157d9d29343b37d1146e19ab0076dd25d56bff14c333a49abc7bcd8bf97

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres
  Filesize: 4KB
  MD5: f712fb25d2d9ea57d6dd0254a6154307
  SHA1: b74c6e321719b75bc65be5e9cb537328cab6d2b7
  SHA256: 3ebbd6b5e5051c3f2910c169c1f8a94a37401f8c9b62d3cf1a8d0b6514b004ce
  SHA512: b5b13e474a05b61b190e87c14d5145d7d984917e3b8fe6fdcde1ff4a5ed9580dbeb72af10414fee6d1c6b7bf1dd3903ef6436eb9fa33861914e5a3d6c534e798

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CN9R9439\microsoftEdgedeletedentirehistorycachefromthepctoclean[1].doc
  Filesize: 58KB
  MD5: ad19c30e8fc0f89004a1f960b477707f
  SHA1: 0bb59500525d0b45c506c7b4fab6c1d905ee3280
  SHA256: 395694b99ce0310e2aa9e6b96f479c36956af254b047c959a022c2b1fef2d6c6
  SHA512: 2914142721a10abcd44ce05ba2c2e385555cd40e158e7a57315c3a2a0d61606f4ea1ace7c7b95cb7665fbfe1ff4ab399d68d431ae49271dff70889e8e7b30bd3

Which of these to pull: the two .tbres files are the Office sign-in/token-broker cache that Office writes on its own and can be ignored. The .doc lives in the WinINet cache (INetCache\IE, with the [1] suffix WinINet adds), which means it was fetched over HTTP by a WinINet client such as Word rather than extracted by the sample; it is a separate 58KB file, not the 391KB sample, and is the artifact to hash-check and analyse on its own.