14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50

Analysis

max time kernel
123s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2023 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50.xls
Size

391KB
MD5

c198b379975c143eefceef1d79a20e17
SHA1

779ec72a2e929c5ba0f1b6db8922453c76177e38
SHA256

14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50
SHA512

20224151e72415d17e47507a417fb8898d9b5e70a6749ce7e5fbe72e3f6b5cea6caee0eb1125ad327c8028fea7cf8722306171c376c53ca4bdd23f6fbab14ef8
SSDEEP

6144:Fn1m9kdbzPpeZl8b++UXKefrBCPP9UeybHvwsJxHMMj2GGuNla20kUVLR/:FOevhS5KSoPmeyTIsJxHlbCV

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4812 EXCEL.EXE
3904 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 3904 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	3904	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3904 wrote to memory of 2644	3904	WINWORD.EXE	splwow64.exe
PID 3904 wrote to memory of 2644	3904	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4812

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\318F0BC7-A9D8-406F-96E1-BEA03442EE3C

Filesize
157KB

MD5
649bb3c3869153b3f983b759f9f9315e

SHA1
b6c59417adc99680de0ce21a330f72cc8411a94c

SHA256
0ebbda39be06a74df5c5b7f4f7c6bf9c273528af168656478d82ef697ff803eb

SHA512
98b7bea4abae8650a9df21cd6c9d2b6521766993a977c504fa801197de8bbf89108172dc98f82d342450989cd536069ce207c4509020a1e3c9faf2a8f7cabb96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
dd9787bde72aae486edc413875bc8fb9

SHA1
4f52bc822dd54287f90db47d2f6ddb79de6b0546

SHA256
3e85e58ef1a6f10b8550b12978eac8f849c139e93f64fd8ed6a3338d25e9cd29

SHA512
7954da10229e13db53ec347bad19213ef36bca1ca45ae820e85f61a21e762d70b104f1f3e6fa0c1984863f606cad6db447604319e1a6f64e5d82d5bcea7ff62e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
2b752764db0cc2df363af550c7dd3482

SHA1
176ce98f17c7a148038b4c2dc58d7669c93f73b3

SHA256
8fbe0f1f4f57e0ef8a5379370c925a3890555ad25b067660ceb3f330842fd055

SHA512
257b6f7c7d674a1329ee1b31c76bfabe8bbb328420c22b31c228f77e851b64233e150b74c407f29a861e1269b048d5cf8c0b59e81a41625ab6e43a7d946a09e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T67XWC80\Microsoftdeletedentirehistoryfromthepcalsocookiecachetoo[1].doc

Filesize
58KB

MD5
6ee6e6e58e88fbb222f7b1c8e37973d7

SHA1
fad289b5872a39a24d151ba59102c8d7c2e73e35

SHA256
f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf

SHA512
439dd171e5fcb4d30928b2fa19f17f709ca5056ae097a03decd7b9df6da5726eaf3b93499958660cecf75eef0d25d575216e5b6009f3ff68756c949ff272abc8

Download Submit
memory/3904-37-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-114-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-115-0x00007FFE7D210000-0x00007FFE7D220000-memory.dmp

Filesize
64KB

Download
memory/3904-116-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-118-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-120-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-39-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-111-0x00007FFE7D210000-0x00007FFE7D220000-memory.dmp

Filesize
64KB

Download
memory/3904-109-0x00007FFE7D210000-0x00007FFE7D220000-memory.dmp

Filesize
64KB

Download
memory/3904-108-0x00007FFE7D210000-0x00007FFE7D220000-memory.dmp

Filesize
64KB

Download
memory/3904-67-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-66-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-40-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-48-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-47-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-46-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-45-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-43-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-42-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-31-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-33-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-35-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/3904-41-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-16-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-65-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-19-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-18-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-22-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-21-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-20-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-0-0x00007FFE7D210000-0x00007FFE7D220000-memory.dmp

Filesize
64KB

Download
memory/4812-17-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-6-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-4-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-2-0x00007FFE7D210000-0x00007FFE7D220000-memory.dmp

Filesize
64KB

Download
memory/4812-1-0x00007FFE7D210000-0x00007FFE7D220000-memory.dmp

Filesize
64KB

Download
memory/4812-3-0x00007FFE7D210000-0x00007FFE7D220000-memory.dmp

Filesize
64KB

Download
memory/4812-15-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-14-0x00007FFE7AB60000-0x00007FFE7AB70000-memory.dmp

Filesize
64KB

Download
memory/4812-13-0x00007FFE7AB60000-0x00007FFE7AB70000-memory.dmp

Filesize
64KB

Download
memory/4812-12-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-11-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-10-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-119-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-9-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-8-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-7-0x00007FFEBD190000-0x00007FFEBD385000-memory.dmp

Filesize
2.0MB

Download
memory/4812-5-0x00007FFE7D210000-0x00007FFE7D220000-memory.dmp

Filesize
64KB

Download