ba24230fc982ae4d2ef597abf179e4cdebce6cbed76ea929a636821309d1e29f

General

Target

ORDERN.F1676.23.xls
Size

392KB
MD5

3408974acb99e7eb86e75d116d3cbe08
SHA1

1d4e5df1f326f6239038b4631d3041f8c8bce8b0
SHA256

ba24230fc982ae4d2ef597abf179e4cdebce6cbed76ea929a636821309d1e29f
SHA512

40c04a8e8c0232fefb623bd845597f30f0cca6ba34fe041a22d14234efe55a25b1d1ad4b9ef753fe641ff293477ff943443256bee2c00b8c2a51062dab6db2d6
SSDEEP

6144:Gn1m9kdbvPpeZkVl3S4qQygZpuUXyRcVlgTf+0W8r8NR/+zTlsvsgYtZlTTDyrh:GOeLtni5XgZTyqVGruU5lTSrh

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

976 EXCEL.EXE
1440 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1440 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	1440	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
976	EXCEL.EXE
976	EXCEL.EXE
976	EXCEL.EXE
976	EXCEL.EXE
976	EXCEL.EXE
976	EXCEL.EXE
976	EXCEL.EXE
976	EXCEL.EXE
976	EXCEL.EXE
976	EXCEL.EXE
976	EXCEL.EXE
976	EXCEL.EXE
1440	WINWORD.EXE
1440	WINWORD.EXE
1440	WINWORD.EXE
1440	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1440 wrote to memory of 2316	1440	WINWORD.EXE	splwow64.exe
PID 1440 wrote to memory of 2316	1440	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDERN.F1676.23.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:976

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
3ac24270f8f096f6e943600737a5d387

SHA1
c7700e1e0b01fb39c39a082d5a09efded11a0921

SHA256
f786f1a9c5dbf830c36a6892bcddea4b6fe4af9c593ca2ac9ee5734451be6fee

SHA512
86d6d80d4803b16b7a0993515ee211c4567e899ad4bb14f3c4e97deae4bd614e47cc406c081ba02a76e9f3d9e1d1e1bd39ebde91a63bbbfd55384f0bbc4a3dbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
9b9131f40fb1f586057e46b897cfec0d

SHA1
ca494666b4dc3561df709c7cb12e7231180ee2dc

SHA256
efd0832c2caac8a3b3967b405ef2f56d27ff934df631c71dcb0ff1bd79f4458d

SHA512
7e7ae21d16cf724eae70a09de34a7ec4ff31d3775a626cccf3d8d99cefab76b08cdc75d163a80e53f8e72dbae2ba913eb20524c18614b0e49a8ec41daae5f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\614C2993-8EF4-427B-B88B-7D3FA0C3E5C0

Filesize
157KB

MD5
fef54dec047797b19b7f2ff883320a7d

SHA1
d1594f914672acf775410b1005c9e417a022cc5b

SHA256
b1513edf0fedc0c9ef645e400d601d73d065ea44a542f4469365ffc58acb18a8

SHA512
34edcd0fe9c03cb40c64938358eb5226ce1ff9bd9766dd95ba46d8a242c8d3ad7ea977c56c4fbc95e294f2035e27c10345968c8d9c8f860283d8a0dbb92845b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
078360fcd2269c1fd589a414bac3b7b6

SHA1
712a909b143d9eac6d774347edb16d73fb6ca5ab

SHA256
cb68b76f200b1c46c103f1c3df457becc76ce0c841c2d1cd36b08c3a6cc6fb39

SHA512
2c771eca62a2dda6d2935321281a616706a7725d86fbeb4aa84963fbcd27fc4c9e85a116c64b98ca678c8a5a2e73acd3a5c87825890f442b8571bf563dac868e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
e1366f0da6e719f65273d3feef24d23b

SHA1
5b1de3d7993c7931b9aae8fd48321764d46e08ba

SHA256
9af513cb8981c30d5d904a1247a414fe4b33fcaa32c2e3bd363c110e6f30f929

SHA512
0258d02eb2b6a66921bd7ca4d21d73ba8b35d0d0ddeb4c4f1b9ccfde86943e39a036f4e559e76356849b18b28bd486c64f0623e4a265f56a60ea823fd5926561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EF4ZIAKK\microsoftwantedtodeletentirehistorycookiecatchfromthepc[1].doc

Filesize
59KB

MD5
43d5050828367e6acd6e91d427a3d6b0

SHA1
cafde44228fc2405f86ab6f74c95d3a646a39794

SHA256
dfc414c8615ead5e2c41955aeeaad2369074c489f96a7b45becc668d647ea592

SHA512
e2beb21694b8c4999c059cd74af4c05096fd94aae936acbad1aab78d22d569797bd9fac173a9cf59e509d39fb38fb392a67f14dfd63addcc0c44d68861b8b3a4

Download Submit
memory/976-20-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-17-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-8-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-11-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-10-0x00007FFF5E540000-0x00007FFF5E550000-memory.dmp

Filesize
64KB

Download
memory/976-9-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-12-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-13-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-14-0x00007FFF5E540000-0x00007FFF5E550000-memory.dmp

Filesize
64KB

Download
memory/976-15-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-16-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-7-0x00007FFF60D10000-0x00007FFF60D20000-memory.dmp

Filesize
64KB

Download
memory/976-18-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-19-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-0-0x00007FFF60D10000-0x00007FFF60D20000-memory.dmp

Filesize
64KB

Download
memory/976-68-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-65-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-6-0x00007FFF60D10000-0x00007FFF60D20000-memory.dmp

Filesize
64KB

Download
memory/976-1-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-2-0x00007FFF60D10000-0x00007FFF60D20000-memory.dmp

Filesize
64KB

Download
memory/976-4-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-5-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/976-3-0x00007FFF60D10000-0x00007FFF60D20000-memory.dmp

Filesize
64KB

Download
memory/1440-32-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/1440-43-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/1440-44-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/1440-41-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/1440-40-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/1440-38-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/1440-39-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/1440-36-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/1440-34-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/1440-30-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/1440-29-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/1440-69-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download
memory/1440-70-0x00007FFFA0C90000-0x00007FFFA0E85000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads