3c756278503cd67e4ca18fa2acbba31c308153b5801f24b222a42b4b3331c780

General

Target

TT Copy.xls
Size

381KB
MD5

26beb641321ce859d389a80ccd1416d9
SHA1

8a47f46ab9f3ed5fd132cd8f30ece15e6c47cf21
SHA256

3c756278503cd67e4ca18fa2acbba31c308153b5801f24b222a42b4b3331c780
SHA512

02c1f0b615d33f941d6a8a227fb9845bedbd01eee4a587368b95fb83bcf0ff16b4f9738aa7caaf65a9c7373bb9711e4f504bfc50a7dabf97b54fe1cf26239f5b
SSDEEP

6144:hn1m9kdb41yFtrP+9LFRLLckUXWnNFFtx/4pvbS3SF18XpzeHfOSWZJOOeRs5mOG:hOecoFt+LFRSWznxwdQBpKHfIeRKmOr6

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4604 EXCEL.EXE
2020 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 2020 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4604 EXCEL.EXE
4604 EXCEL.EXE

description	pid	process
Token: SeAuditPrivilege	2020	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4604	EXCEL.EXE
4604	EXCEL.EXE
4604	EXCEL.EXE
4604	EXCEL.EXE
4604	EXCEL.EXE
4604	EXCEL.EXE
4604	EXCEL.EXE
4604	EXCEL.EXE
4604	EXCEL.EXE
4604	EXCEL.EXE
4604	EXCEL.EXE
4604	EXCEL.EXE
2020	WINWORD.EXE
2020	WINWORD.EXE
2020	WINWORD.EXE
2020	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2020 wrote to memory of 2244	2020	WINWORD.EXE	splwow64.exe
PID 2020 wrote to memory of 2244	2020	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TT Copy.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4604

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\75E34208-B5E8-4692-BF02-D6071D0E0CB8

Filesize
157KB

MD5
1172a93be98a10708e283533fa120661

SHA1
2a5c44dedc0356deabb2b1b06e51e4d4aded974b

SHA256
a0eef32f7ff090f5874ab358ecfaa0445c75088cab9c36127bb2a253ebd9a94e

SHA512
5f7c87e85a81e1005e83f9972263787764c5f57b54e1f6c782d26f5c5ac471c0cea2a3f78a26fa757149ab47f8c90cf3a2c36d4d7bf044665ce71f3c443e92c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
cd0acf2cffb897de228c5caa0ccd2add

SHA1
ef947b92fa9f8fdfeb10e11fef909963bb34a8f5

SHA256
4fb07a37176fd013b27bf5c9a0430106829d25c0c44f67f38787a9ec99f48602

SHA512
1eedacf8f561a821b2cc8faf51f60c8fa03e598b7f85d997eb83080c43e0886ce75fa348690f56594f13d6ac903671d46685ea3560edc7788f310e54ddda95fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
984644761513c3fd40d84ad42632a2c4

SHA1
81f91166ad88924c74d928290a4e3dbc1ca028e8

SHA256
7706fa7846224f1430baf3562c17ec999496fc08eb7b5dcd8d79b635a0f4b4f0

SHA512
d0dbbd9fabd8826368ae474bf616500846e8a5b310bd0b0f9194ddbe48f46bdf096a6de5f3c5b9438d77b13815574248322dfb3a92c30aa2f877a6aa5ec33306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R6Q8DX6S\microsoftEdgedeletedentirehistorycachehistoryfromthepc[1].doc

Filesize
61KB

MD5
9e0226adf02222bbee9aa7e2f6f1c07a

SHA1
64e031bda28509528f26a64ac5d7935cf5afe426

SHA256
632f7e212cc149d81b322def328534953b979d1f1885140e2645e4ac41d0f56c

SHA512
687e89fd04f39817432dec1f43754f18f77bda0f96e6fff1a24e00df3fdd0ab6831f39fb1c90240ce128c2dad34c5e43a7f7efcfb34052b02c634a0204595c90

Download Submit
memory/2020-39-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-41-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-52-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-50-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-49-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-44-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-43-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-42-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-38-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-37-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-36-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-35-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-25-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-26-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-28-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-30-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-32-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-33-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/2020-34-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/4604-10-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/4604-6-0x00007FF8788F0000-0x00007FF878900000-memory.dmp

Filesize
64KB

Download
memory/4604-14-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/4604-12-0x00007FF876890000-0x00007FF8768A0000-memory.dmp

Filesize
64KB

Download
memory/4604-18-0x00007FF876890000-0x00007FF8768A0000-memory.dmp

Filesize
64KB

Download
memory/4604-11-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/4604-17-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/4604-8-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/4604-0-0x00007FF8788F0000-0x00007FF878900000-memory.dmp

Filesize
64KB

Download
memory/4604-4-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/4604-1-0x00007FF8788F0000-0x00007FF878900000-memory.dmp

Filesize
64KB

Download
memory/4604-3-0x00007FF8788F0000-0x00007FF878900000-memory.dmp

Filesize
64KB

Download
memory/4604-9-0x00007FF8788F0000-0x00007FF878900000-memory.dmp

Filesize
64KB

Download
memory/4604-7-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/4604-5-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download
memory/4604-2-0x00007FF8B8870000-0x00007FF8B8A65000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads