dd94c4c0dd46a40cb71f1b59b079577c8a4f6e4a1df88533d7edfea19099729c

General

Target

dd94c4c0dd46a40cb71f1b59b079577c8a4f6e4a1df88533d7edfea19099729c.xls
Size

391KB
MD5

2d6edf232ef2f4e9ac72de52b4b4efa5
SHA1

2bbfb909e4e3bb1a1518e973afec5b587b59e426
SHA256

dd94c4c0dd46a40cb71f1b59b079577c8a4f6e4a1df88533d7edfea19099729c
SHA512

90cbe6288b682f688accd8a7493202d26f8a8614bc5a5bdc19743a4b8570bf7dfc47a1496f6fea759ba2319f2744e8bf17cdd6d859723cfee7ae3a4a2488c32e
SSDEEP

6144:/n1m9kdbQS6vsB3qfLWnNnBkbE9UX3rhnpC3quvmb6SrnV3LYpMMAI:/OeuvsB351Bkr3rh9b9hr

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3440 EXCEL.EXE
880 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 880 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	880	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
3440	EXCEL.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE
880	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\dd94c4c0dd46a40cb71f1b59b079577c8a4f6e4a1df88533d7edfea19099729c.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3440

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\548E3629-327F-4602-BDD0-5DE363A841BB

Filesize
157KB

MD5
39513a27364c7cb8c60da62c599cd553

SHA1
69d4777bfc8e545f54bbf5077d7536dbbb7323a2

SHA256
08bd401ce4642a8005f7206e7f0c4c45560f3c7f339b67beeaed84e0e8dc3618

SHA512
9d8cddec92ecc9e2f5d3c50b774acf420afc143598308167bab66637a8fe472419b67854f96f549b5b0216ac9f63e887110cfb8d0d501800c07f0dbfc7929228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
f080a0dc066fbe60004f8eacd5c632a5

SHA1
05f61be69afd82dfb53a2e1272f2440e8b8a1de8

SHA256
b785307adadaf7f1daf2978b57d3a36544744957fcbe6e591426c24e05169a3b

SHA512
4654e0bfb75eccec134b9bb0d5d58c754405328bb23435ad493ddc2384fec94b86a9c27fd7d8ad54e2c8dd980b0a254491ad5fd791f71d598f61cc129ed164af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
89d70cb1b23be4940a5c5ac2c2d1d937

SHA1
09afee6cd0a66c3244124c5caf70e5d79c7ed276

SHA256
72f15d1646ea56ef8dbf80ccce16069b8a452b775b6c2d3448ec57abdd3db6ca

SHA512
f61c58e0285043bb6e9bba61218c28d4840951fae4d1a909968f619fa20c5e188723a7da996e13d03090f2e16bf6c5a2f22d8d907a69eec1e648e39f1c3bf794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CA8NPROD\microsofttoldemetheywanttodeletehistorycatchcookiefrommypc[1].doc

Filesize
48KB

MD5
08568b90661f80313579e0c16c2737f0

SHA1
859aa8a945a3585bf777ef29bbfeaeba8bc22526

SHA256
0bad6a3f47fd9b9063f5c71609e68bd2de6f9d6e4cf1a183351ee8f2f7ebf32b

SHA512
f46cf40ef8199cfe58ebd0bc63a09aa70c4c6d6bda1a55bd0d3ef63e26ea3580c63d963d8d4c9af28981ce369edd62a88779dad1bd0f4192115e6f534cb625d8

Download Submit
memory/880-41-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/880-27-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/880-67-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/880-30-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/880-32-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/880-40-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/880-42-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/880-39-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/880-37-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/880-36-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/880-35-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/880-33-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/880-34-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/880-28-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-15-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-11-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-18-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-17-0x00007FFD31A50000-0x00007FFD31A60000-memory.dmp

Filesize
64KB

Download
memory/3440-5-0x00007FFD343B0000-0x00007FFD343C0000-memory.dmp

Filesize
64KB

Download
memory/3440-66-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-16-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-14-0x00007FFD31A50000-0x00007FFD31A60000-memory.dmp

Filesize
64KB

Download
memory/3440-7-0x00007FFD343B0000-0x00007FFD343C0000-memory.dmp

Filesize
64KB

Download
memory/3440-13-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-12-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-19-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-0-0x00007FFD343B0000-0x00007FFD343C0000-memory.dmp

Filesize
64KB

Download
memory/3440-10-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-9-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-3-0x00007FFD343B0000-0x00007FFD343C0000-memory.dmp

Filesize
64KB

Download
memory/3440-4-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-2-0x00007FFD343B0000-0x00007FFD343C0000-memory.dmp

Filesize
64KB

Download
memory/3440-1-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-64-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-65-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-8-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download
memory/3440-6-0x00007FFD74330000-0x00007FFD74525000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads