Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2023 02:10
Static task: static1
Behavioral task: behavioral1
- Sample: dd94c4c0dd46a40cb71f1b59b079577c8a4f6e4a1df88533d7edfea19099729c.xls
- Resource: win7-20231025-en
Behavioral task: behavioral2
- Sample: dd94c4c0dd46a40cb71f1b59b079577c8a4f6e4a1df88533d7edfea19099729c.xls
- Resource: win10v2004-20231127-en
General
- Target: dd94c4c0dd46a40cb71f1b59b079577c8a4f6e4a1df88533d7edfea19099729c.xls
- Size: 391KB
- MD5: 2d6edf232ef2f4e9ac72de52b4b4efa5
- SHA1: 2bbfb909e4e3bb1a1518e973afec5b587b59e426
- SHA256: dd94c4c0dd46a40cb71f1b59b079577c8a4f6e4a1df88533d7edfea19099729c
- SHA512: 90cbe6288b682f688accd8a7493202d26f8a8614bc5a5bdc19743a4b8570bf7dfc47a1496f6fea759ba2319f2744e8bf17cdd6d859723cfee7ae3a4a2488c32e
- SSDEEP: 6144:/n1m9kdbQS6vsB3qfLWnNnBkbE9UX3rhnpC3quvmb6SrnV3LYpMMAI:/OeuvsB351Bkr3rh9b9hr
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, EXCEL.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
- PID 3440 EXCEL.EXE
- PID 880 WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: WINWORD.EXE
- Token: SeAuditPrivilege, PID 880 WINWORD.EXE

Suspicious use of SetWindowsHookEx (16 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
- PID 3440 EXCEL.EXE (12 hook installations)
- PID 880 WINWORD.EXE (4 hook installations)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\dd94c4c0dd46a40cb71f1b59b079577c8a4f6e4a1df88533d7edfea19099729c.xls"
  PID: 3440
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 880
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\548E3629-327F-4602-BDD0-5DE363A841BB
  Filesize: 157KB
  MD5: 39513a27364c7cb8c60da62c599cd553
  SHA1: 69d4777bfc8e545f54bbf5077d7536dbbb7323a2
  SHA256: 08bd401ce4642a8005f7206e7f0c4c45560f3c7f339b67beeaed84e0e8dc3618
  SHA512: 9d8cddec92ecc9e2f5d3c50b774acf420afc143598308167bab66637a8fe472419b67854f96f549b5b0216ac9f63e887110cfb8d0d501800c07f0dbfc7929228
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: f080a0dc066fbe60004f8eacd5c632a5
  SHA1: 05f61be69afd82dfb53a2e1272f2440e8b8a1de8
  SHA256: b785307adadaf7f1daf2978b57d3a36544744957fcbe6e591426c24e05169a3b
  SHA512: 4654e0bfb75eccec134b9bb0d5d58c754405328bb23435ad493ddc2384fec94b86a9c27fd7d8ad54e2c8dd980b0a254491ad5fd791f71d598f61cc129ed164af
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 89d70cb1b23be4940a5c5ac2c2d1d937
  SHA1: 09afee6cd0a66c3244124c5caf70e5d79c7ed276
  SHA256: 72f15d1646ea56ef8dbf80ccce16069b8a452b775b6c2d3448ec57abdd3db6ca
  SHA512: f61c58e0285043bb6e9bba61218c28d4840951fae4d1a909968f619fa20c5e188723a7da996e13d03090f2e16bf6c5a2f22d8d907a69eec1e648e39f1c3bf794
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CA8NPROD\microsofttoldemetheywanttodeletehistorycatchcookiefrommypc[1].doc
  Filesize: 48KB
  MD5: 08568b90661f80313579e0c16c2737f0
  SHA1: 859aa8a945a3585bf777ef29bbfeaeba8bc22526
  SHA256: 0bad6a3f47fd9b9063f5c71609e68bd2de6f9d6e4cf1a183351ee8f2f7ebf32b
  SHA512: f46cf40ef8199cfe58ebd0bc63a09aa70c4c6d6bda1a55bd0d3ef63e26ea3580c63d963d8d4c9af28981ce369edd62a88779dad1bd0f4192115e6f534cb625d8