Analysis
-
max time kernel
202s -
max time network
220s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
01-12-2023 14:03
Static task
static1
Behavioral task
behavioral1
Sample
TT Copy.xls
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
TT Copy.xls
Resource
win10-20231020-en
Behavioral task
behavioral3
Sample
TT Copy.xls
Resource
win10v2004-20231127-en
General
-
Target
TT Copy.xls
-
Size
381KB
-
MD5
26beb641321ce859d389a80ccd1416d9
-
SHA1
8a47f46ab9f3ed5fd132cd8f30ece15e6c47cf21
-
SHA256
3c756278503cd67e4ca18fa2acbba31c308153b5801f24b222a42b4b3331c780
-
SHA512
02c1f0b615d33f941d6a8a227fb9845bedbd01eee4a587368b95fb83bcf0ff16b4f9738aa7caaf65a9c7373bb9711e4f504bfc50a7dabf97b54fe1cf26239f5b
-
SSDEEP
6144:hn1m9kdb41yFtrP+9LFRLLckUXWnNFFtx/4pvbS3SF18XpzeHfOSWZJOOeRs5mOG:hOecoFt+LFRSWznxwdQBpKHfIeRKmOr6
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
WINWORD.EXEEXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 4604 EXCEL.EXE 2020 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeAuditPrivilege 2020 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EXCEL.EXEpid process 4604 EXCEL.EXE 4604 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 4604 EXCEL.EXE 4604 EXCEL.EXE 4604 EXCEL.EXE 4604 EXCEL.EXE 4604 EXCEL.EXE 4604 EXCEL.EXE 4604 EXCEL.EXE 4604 EXCEL.EXE 4604 EXCEL.EXE 4604 EXCEL.EXE 4604 EXCEL.EXE 4604 EXCEL.EXE 2020 WINWORD.EXE 2020 WINWORD.EXE 2020 WINWORD.EXE 2020 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 2020 wrote to memory of 2244 2020 WINWORD.EXE splwow64.exe PID 2020 wrote to memory of 2244 2020 WINWORD.EXE splwow64.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TT Copy.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4604
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2244
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\75E34208-B5E8-4692-BF02-D6071D0E0CB8
Filesize157KB
MD51172a93be98a10708e283533fa120661
SHA12a5c44dedc0356deabb2b1b06e51e4d4aded974b
SHA256a0eef32f7ff090f5874ab358ecfaa0445c75088cab9c36127bb2a253ebd9a94e
SHA5125f7c87e85a81e1005e83f9972263787764c5f57b54e1f6c782d26f5c5ac471c0cea2a3f78a26fa757149ab47f8c90cf3a2c36d4d7bf044665ce71f3c443e92c6
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD5cd0acf2cffb897de228c5caa0ccd2add
SHA1ef947b92fa9f8fdfeb10e11fef909963bb34a8f5
SHA2564fb07a37176fd013b27bf5c9a0430106829d25c0c44f67f38787a9ec99f48602
SHA5121eedacf8f561a821b2cc8faf51f60c8fa03e598b7f85d997eb83080c43e0886ce75fa348690f56594f13d6ac903671d46685ea3560edc7788f310e54ddda95fc
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD5984644761513c3fd40d84ad42632a2c4
SHA181f91166ad88924c74d928290a4e3dbc1ca028e8
SHA2567706fa7846224f1430baf3562c17ec999496fc08eb7b5dcd8d79b635a0f4b4f0
SHA512d0dbbd9fabd8826368ae474bf616500846e8a5b310bd0b0f9194ddbe48f46bdf096a6de5f3c5b9438d77b13815574248322dfb3a92c30aa2f877a6aa5ec33306
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R6Q8DX6S\microsoftEdgedeletedentirehistorycachehistoryfromthepc[1].doc
Filesize61KB
MD59e0226adf02222bbee9aa7e2f6f1c07a
SHA164e031bda28509528f26a64ac5d7935cf5afe426
SHA256632f7e212cc149d81b322def328534953b979d1f1885140e2645e4ac41d0f56c
SHA512687e89fd04f39817432dec1f43754f18f77bda0f96e6fff1a24e00df3fdd0ab6831f39fb1c90240ce128c2dad34c5e43a7f7efcfb34052b02c634a0204595c90