Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2023 16:58
Static task: static1
Behavioral task: behavioral1
  Sample: ORDERN.F1676.23.xls
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: ORDERN.F1676.23.xls
  Resource: win10v2004-20231127-en
General
Target: ORDERN.F1676.23.xls
Size: 392KB
MD5: 3408974acb99e7eb86e75d116d3cbe08
SHA1: 1d4e5df1f326f6239038b4631d3041f8c8bce8b0
SHA256: ba24230fc982ae4d2ef597abf179e4cdebce6cbed76ea929a636821309d1e29f
SHA512: 40c04a8e8c0232fefb623bd845597f30f0cca6ba34fe041a22d14234efe55a25b1d1ad4b9ef753fe641ff293477ff943443256bee2c00b8c2a51062dab6db2d6
SSDEEP: 6144:Gn1m9kdbvPpeZkVl3S4qQygZpuUXyRcVlgTf+0W8r8NR/+zTlsvsgYtZlTTDyrh:GOeLtni5XgZTyqVGruU5lTSrh
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE, EXCEL.EXE
  IoCs (description, ioc, process):
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE
  IoCs (description, ioc, process):
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  IoCs (pid, process):
  - 976 EXCEL.EXE
  - 1440 WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WINWORD.EXE
  IoCs (description, pid, process):
  - Token: SeAuditPrivilege, 1440 WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  IoCs (pid, process):
  - 976 EXCEL.EXE (12 identical IoCs)
  - 1440 WINWORD.EXE (4 identical IoCs)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WINWORD.EXE
  IoCs (description, pid, process, target process):
  - PID 1440 wrote to memory of 2316, 1440 WINWORD.EXE -> splwow64.exe (2 identical IoCs)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDERN.F1676.23.xls"
  PID: 976
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 1440
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2316
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 2112
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
  Filesize: 471B
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
  Filesize: 412B
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\614C2993-8EF4-427B-B88B-7D3FA0C3E5C0
  Filesize: 157KB
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EF4ZIAKK\microsoftwantedtodeletentirehistorycookiecatchfromthepc[1].doc
  Filesize: 59KB