ba24230fc982ae4d2ef597abf179e4cdebce6cbed76ea929a636821309d1e29f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2023 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER N. F-1676.23.xls
Size

392KB
MD5

3408974acb99e7eb86e75d116d3cbe08
SHA1

1d4e5df1f326f6239038b4631d3041f8c8bce8b0
SHA256

ba24230fc982ae4d2ef597abf179e4cdebce6cbed76ea929a636821309d1e29f
SHA512

40c04a8e8c0232fefb623bd845597f30f0cca6ba34fe041a22d14234efe55a25b1d1ad4b9ef753fe641ff293477ff943443256bee2c00b8c2a51062dab6db2d6
SSDEEP

6144:Gn1m9kdbvPpeZkVl3S4qQygZpuUXyRcVlgTf+0W8r8NR/+zTlsvsgYtZlTTDyrh:GOeLtni5XgZTyqVGruU5lTSrh

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2396 EXCEL.EXE
4280 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4280 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4280	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
4280	WINWORD.EXE
4280	WINWORD.EXE
4280	WINWORD.EXE
4280	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4280 wrote to memory of 1536	4280	WINWORD.EXE	splwow64.exe
PID 4280 wrote to memory of 1536	4280	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER N. F-1676.23.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\189F7D14-AC9C-48BB-9CD6-AFD1D53681BE

Filesize
157KB

MD5
47177b3b510345bb2522ce6d65d76b33

SHA1
cff7034cb663074620e1affa4c765d56805f99ff

SHA256
ea96d272be172df71bc9a0face208912993c5c84248a4aaa803f8322ab2e9902

SHA512
6a4624b2c658e73aaab174d0b96a72523ee665e2ba6a7b295378b80679a755b34fa3ea54877d3c1fac7764d4fbda43ae869a0bebd31686cccfea633f2dbc9eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
084821a8d681f0f7652eca9321659972

SHA1
a64b0d10fbd83b1a66891ccbf3237ee61138e1a2

SHA256
82ca6eae8ef25ba8f1923cac23c16260ed8f69850550ff175e466a2833123377

SHA512
45988d0932c231d044f571fb244bdf91ed0c5f1a966ce4be862cc015e3596779e21cc302f15564a27d61e9c85be2acc3b2c1cb658ecb0270390ee50aaa878c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
cd60c9ae0c23246e901d046ff4c91a1c

SHA1
db85c54d25631cabb7371e557b739ba15f795bfc

SHA256
6bdef82d7356a140c30931237cbf3d12050eb6a151decf188daa9c9739ccb878

SHA512
a76b2a84a4eb1a8d1d0cd566a21ca2c7b4a0006264fc1e36289b48ade1822efa18224894886e73b1f0736c8d66e83e45a8911ec532b2b17e2d95d24b9f011110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JRPRPPGG\microsoftwantedtodeletentirehistorycookiecatchfromthepc[1].doc

Filesize
59KB

MD5
43d5050828367e6acd6e91d427a3d6b0

SHA1
cafde44228fc2405f86ab6f74c95d3a646a39794

SHA256
dfc414c8615ead5e2c41955aeeaad2369074c489f96a7b45becc668d647ea592

SHA512
e2beb21694b8c4999c059cd74af4c05096fd94aae936acbad1aab78d22d569797bd9fac173a9cf59e509d39fb38fb392a67f14dfd63addcc0c44d68861b8b3a4

Download Submit
memory/2396-22-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-11-0x00007FFCA63C0000-0x00007FFCA63D0000-memory.dmp

Filesize
64KB

Download
memory/2396-7-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/2396-68-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-9-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-67-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-10-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-66-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-12-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-13-0x00007FFCA63C0000-0x00007FFCA63D0000-memory.dmp

Filesize
64KB

Download
memory/2396-14-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-15-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-17-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-18-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-16-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-19-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-20-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-21-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-0-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/2396-1-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-8-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-2-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/2396-6-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-3-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/2396-4-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2396-5-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/4280-48-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-39-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-45-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-40-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-47-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-42-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-43-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-46-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-41-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-31-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-34-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-37-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-32-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-69-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/4280-70-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download