14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2023 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orden T7405.xla.xls
Size

391KB
MD5

c198b379975c143eefceef1d79a20e17
SHA1

779ec72a2e929c5ba0f1b6db8922453c76177e38
SHA256

14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50
SHA512

20224151e72415d17e47507a417fb8898d9b5e70a6749ce7e5fbe72e3f6b5cea6caee0eb1125ad327c8028fea7cf8722306171c376c53ca4bdd23f6fbab14ef8
SSDEEP

6144:Fn1m9kdbzPpeZl8b++UXKefrBCPP9UeybHvwsJxHMMj2GGuNla20kUVLR/:FOevhS5KSoPmeyTIsJxHlbCV

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1160 EXCEL.EXE
1032 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1032 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	1032	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1160	EXCEL.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1032 wrote to memory of 4764	1032	WINWORD.EXE	splwow64.exe
PID 1032 wrote to memory of 4764	1032	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Orden T7405.xla.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7F626B7D-A2A0-4360-BF5E-819805F1240E

Filesize
157KB

MD5
fabfa1673c0f5f3b43a764f21977299a

SHA1
7f937895772c9dbb1966a5ac4c571230243373e0

SHA256
f86b022b24b0189dccfa34d3f79961c4ca0e98eca51ad34770eb108aab43c407

SHA512
1c9f9323cdba600964195aeee790b11e9e67219f3ec7d5131b6517990e41c0a648e0825dc7b808550c3c448f0cda169a7b66a550338b663ec9f9999cd67fd3b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
b9ebfdf19cc65573e2e7cba96cb44b7a

SHA1
fcc860c94178ffe49e8fa31c98a797db56ea380e

SHA256
a09dabbefb794fb7881f308228c774bde14e5d0a1c256943bcda0277c5f90610

SHA512
807985b19e6f86ddc2f6a4a0d79869994a71f2c61a0c2e3b0c80b01761aceb9f5bd13b03b0f7bedc9eca6ca4fd8e9d1725aaf339bf1752cafb5463c15c4c5866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
59178e6c00b6840933fd12c474c382de

SHA1
ff13d90c2e5b2ad2de8be3e79960e8868a7e00bc

SHA256
0191dcd8fb06614d5130fb4af7026bec8b7d62a46ed616468bc760da0a23d56d

SHA512
64aee8aafa63f4a6999679ea16986abff7064e800408d409d12042ea581faad0c9b9e537d9f6b27368ddff9751fd817db0d58da418e9ac2236a82ed43aa1a73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z29MWU1J\Microsoftdeletedentirehistoryfromthepcalsocookiecachetoo[1].doc

Filesize
58KB

MD5
6ee6e6e58e88fbb222f7b1c8e37973d7

SHA1
fad289b5872a39a24d151ba59102c8d7c2e73e35

SHA256
f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf

SHA512
439dd171e5fcb4d30928b2fa19f17f709ca5056ae097a03decd7b9df6da5726eaf3b93499958660cecf75eef0d25d575216e5b6009f3ff68756c949ff272abc8

Download Submit
memory/1032-65-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1032-29-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1032-66-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1032-110-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1032-38-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1032-39-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1032-37-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1032-35-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1032-33-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1032-30-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-12-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-8-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download
memory/1160-15-0x00007FFE9BD00000-0x00007FFE9BD10000-memory.dmp

Filesize
64KB

Download
memory/1160-17-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-18-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-19-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-20-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-21-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-22-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-23-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-14-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-13-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-0-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download
memory/1160-11-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-10-0x00007FFE9BD00000-0x00007FFE9BD10000-memory.dmp

Filesize
64KB

Download
memory/1160-9-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-7-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-16-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-6-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-5-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-4-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download
memory/1160-58-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-61-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-62-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-63-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-64-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-2-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download
memory/1160-3-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-96-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download
memory/1160-97-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download
memory/1160-98-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download
memory/1160-100-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-102-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-101-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-99-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download
memory/1160-1-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download