Analysis

max time kernel: 123s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2023 01:33
Static task: static1

Behavioral task: behavioral1
  Sample: 14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50.xls
  Resource: win7-20231023-en

Behavioral task: behavioral2
  Sample: 14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50.xls
  Resource: win10v2004-20231127-en
General

Target: 14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50.xls
Size: 391KB
MD5: c198b379975c143eefceef1d79a20e17
SHA1: 779ec72a2e929c5ba0f1b6db8922453c76177e38
SHA256: 14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50
SHA512: 20224151e72415d17e47507a417fb8898d9b5e70a6749ce7e5fbe72e3f6b5cea6caee0eb1125ad327c8028fea7cf8722306171c376c53ca4bdd23f6fbab14ef8
SSDEEP: 6144:Fn1m9kdbzPpeZl8b++UXKefrBCPP9UeybHvwsJxHMMj2GGuNla20kUVLR/:FOevhS5KSoPmeyTIsJxHlbCV
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE, WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
pid | process
4812 | EXCEL.EXE
3904 | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WINWORD.EXE
description | pid | process
Token: SeAuditPrivilege | 3904 | WINWORD.EXE
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
pid | process
4812 | EXCEL.EXE (8 IoCs)
3904 | WINWORD.EXE (4 IoCs)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
description | pid | process | target process
PID 3904 wrote to memory of 2644 | 3904 | WINWORD.EXE | splwow64.exe
PID 3904 wrote to memory of 2644 | 3904 | WINWORD.EXE | splwow64.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4812)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50.xls"
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3904)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\splwow64.exe (PID 2644)
    Command line: C:\Windows\splwow64.exe 12288

- C:\Windows\system32\svchost.exe (PID 5096)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\318F0BC7-A9D8-406F-96E1-BEA03442EE3C
  Filesize: 157KB
  MD5: 649bb3c3869153b3f983b759f9f9315e
  SHA1: b6c59417adc99680de0ce21a330f72cc8411a94c
  SHA256: 0ebbda39be06a74df5c5b7f4f7c6bf9c273528af168656478d82ef697ff803eb
  SHA512: 98b7bea4abae8650a9df21cd6c9d2b6521766993a977c504fa801197de8bbf89108172dc98f82d342450989cd536069ce207c4509020a1e3c9faf2a8f7cabb96
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: dd9787bde72aae486edc413875bc8fb9
  SHA1: 4f52bc822dd54287f90db47d2f6ddb79de6b0546
  SHA256: 3e85e58ef1a6f10b8550b12978eac8f849c139e93f64fd8ed6a3338d25e9cd29
  SHA512: 7954da10229e13db53ec347bad19213ef36bca1ca45ae820e85f61a21e762d70b104f1f3e6fa0c1984863f606cad6db447604319e1a6f64e5d82d5bcea7ff62e
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 2b752764db0cc2df363af550c7dd3482
  SHA1: 176ce98f17c7a148038b4c2dc58d7669c93f73b3
  SHA256: 8fbe0f1f4f57e0ef8a5379370c925a3890555ad25b067660ceb3f330842fd055
  SHA512: 257b6f7c7d674a1329ee1b31c76bfabe8bbb328420c22b31c228f77e851b64233e150b74c407f29a861e1269b048d5cf8c0b59e81a41625ab6e43a7d946a09e7
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T67XWC80\Microsoftdeletedentirehistoryfromthepcalsocookiecachetoo[1].doc
  Filesize: 58KB
  MD5: 6ee6e6e58e88fbb222f7b1c8e37973d7
  SHA1: fad289b5872a39a24d151ba59102c8d7c2e73e35
  SHA256: f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf
  SHA512: 439dd171e5fcb4d30928b2fa19f17f709ca5056ae097a03decd7b9df6da5726eaf3b93499958660cecf75eef0d25d575216e5b6009f3ff68756c949ff272abc8