Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2023 14:51
Static task: static1
Behavioral task: behavioral1
- Sample: ORDER N. F-1676.23.xls
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: ORDER N. F-1676.23.xls
- Resource: win10v2004-20231127-en
General
- Target: ORDER N. F-1676.23.xls
- Size: 392KB
- MD5: 3408974acb99e7eb86e75d116d3cbe08
- SHA1: 1d4e5df1f326f6239038b4631d3041f8c8bce8b0
- SHA256: ba24230fc982ae4d2ef597abf179e4cdebce6cbed76ea929a636821309d1e29f
- SHA512: 40c04a8e8c0232fefb623bd845597f30f0cca6ba34fe041a22d14234efe55a25b1d1ad4b9ef753fe641ff293477ff943443256bee2c00b8c2a51062dab6db2d6
- SSDEEP: 6144:Gn1m9kdbvPpeZkVl3S4qQygZpuUXyRcVlgTf+0W8r8NR/+zTlsvsgYtZlTTDyrh:GOeLtni5XgZTyqVGruU5lTSrh
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, EXCEL.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
- PID 2396 EXCEL.EXE
- PID 4280 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WINWORD.EXE
- Token: SeAuditPrivilege (PID 4280 WINWORD.EXE)
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
- PID 2396 EXCEL.EXE (12 occurrences)
- PID 4280 WINWORD.EXE (4 occurrences)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
- PID 4280 wrote to memory of 1536 (process: 4280 WINWORD.EXE, target process: splwow64.exe)
- PID 4280 wrote to memory of 1536 (process: 4280 WINWORD.EXE, target process: splwow64.exe)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2396)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER N. F-1676.23.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4280)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\splwow64.exe (PID 1536)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\system32\svchost.exe (PID 4352)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\189F7D14-AC9C-48BB-9CD6-AFD1D53681BE
  Filesize: 157KB
  MD5: 47177b3b510345bb2522ce6d65d76b33
  SHA1: cff7034cb663074620e1affa4c765d56805f99ff
  SHA256: ea96d272be172df71bc9a0face208912993c5c84248a4aaa803f8322ab2e9902
  SHA512: 6a4624b2c658e73aaab174d0b96a72523ee665e2ba6a7b295378b80679a755b34fa3ea54877d3c1fac7764d4fbda43ae869a0bebd31686cccfea633f2dbc9eed
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 084821a8d681f0f7652eca9321659972
  SHA1: a64b0d10fbd83b1a66891ccbf3237ee61138e1a2
  SHA256: 82ca6eae8ef25ba8f1923cac23c16260ed8f69850550ff175e466a2833123377
  SHA512: 45988d0932c231d044f571fb244bdf91ed0c5f1a966ce4be862cc015e3596779e21cc302f15564a27d61e9c85be2acc3b2c1cb658ecb0270390ee50aaa878c42
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: cd60c9ae0c23246e901d046ff4c91a1c
  SHA1: db85c54d25631cabb7371e557b739ba15f795bfc
  SHA256: 6bdef82d7356a140c30931237cbf3d12050eb6a151decf188daa9c9739ccb878
  SHA512: a76b2a84a4eb1a8d1d0cd566a21ca2c7b4a0006264fc1e36289b48ade1822efa18224894886e73b1f0736c8d66e83e45a8911ec532b2b17e2d95d24b9f011110
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JRPRPPGG\microsoftwantedtodeletentirehistorycookiecatchfromthepc[1].doc
  Filesize: 59KB
  MD5: 43d5050828367e6acd6e91d427a3d6b0
  SHA1: cafde44228fc2405f86ab6f74c95d3a646a39794
  SHA256: dfc414c8615ead5e2c41955aeeaad2369074c489f96a7b45becc668d647ea592
  SHA512: e2beb21694b8c4999c059cd74af4c05096fd94aae936acbad1aab78d22d569797bd9fac173a9cf59e509d39fb38fb392a67f14dfd63addcc0c44d68861b8b3a4