Analysis
- max time kernel: 100s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2023 17:09
Static task: static1
Behavioral task: behavioral1
- Sample: 24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac.xls
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: 24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac.xls
- Resource: win10v2004-20231130-en
General
- Target: 24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac.xls
- Size: 392KB
- MD5: 1cd369286752c3d016b8ce3d59f43e66
- SHA1: ee6222b823a92cae26f04351509a1254556508c0
- SHA256: 24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac
- SHA512: 9e875bf7a628faa32846a68d0f699601c31ac8fd66d906d8ba72b70d56ef4d376cb569c0afca1e5ba7eb8972df318d17cbb6393105a4e0c965d356350862b7b2
- SSDEEP: 6144:un1m9kdb/Gt8b++UXaBkMOQGeg20HYacK4vPLJJhZrRIh1EBb:uOeLlS5aave4HtcK8A/EB
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE, WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  pid | process
  5012 | EXCEL.EXE
  1724 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WINWORD.EXE
  description | pid | process
  Token: SeAuditPrivilege | 1724 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  pid | process
  5012 | EXCEL.EXE (12 entries)
  1724 | WINWORD.EXE (4 entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WINWORD.EXE
  description | pid | process | target process
  PID 1724 wrote to memory of 3468 | 1724 | WINWORD.EXE | splwow64.exe
  PID 1724 wrote to memory of 3468 | 1724 | WINWORD.EXE | splwow64.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac.xls"
  PID: 5012
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 1724
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 3468
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 4040
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\64DD98B2-EDA7-451C-B703-9435A240CBB1
  Filesize: 157KB
  MD5: ff7b144a76ee15878a12ac23ed4774e5
  SHA1: 3ff27a0d0797154bd997e60391681f2cdd99900a
  SHA256: a4b3f150037831e6c4146ead478825ed148602dee78702ea22b703943eaee0eb
  SHA512: 1bbba934c898f4df80a095d9f45af9e55b3c39427e26cab1ee531305168748df79e415305464269101de90bae57e5141e33b8a64f8e616d6ca16c0587db5e1c5
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: ced77e13ff03523e8de461b15e79a249
  SHA1: 0cba77b99f63b1a75ab4b38631d1fb2648808437
  SHA256: 8420359337d94b1193ec6d8da9998e3e2a3264dfd08f67f8f1b535e44c310591
  SHA512: 4477f1cc053461b69c6677dc43451cae0283309f9b8c68945f906144408b4572d1e89032d88bbecc49b0310d6800fd3823d7b7c6e7b5075cdf9210ef0a732bbc
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 065a44d018d9f40e10070d338df56d3f
  SHA1: 947839bc4248cfd1f358c286f4c3db0b73f7cc2b
  SHA256: 6b9e9280054170fb399d8a4a92eb6aa54e4cbcbf2150e31fed14e473c9a4353f
  SHA512: 07b7bf48af7c1bd42e9f62dc07334c1db3fb534b0cd3c3f68cfbe9de8fcf0777226347bf1f1d8f6f2d3ebb7cd0aa955209e8f22987d17b9bb9e01ecd78932261
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R3HM9TG4\microsofdecidedtodeleteentirehistorycookiecachefrommypc[1].doc
  Filesize: 50KB
  MD5: 5451b82c9d7e98c077b8dc1f667f5b19
  SHA1: 5788704528823c1988964a8af9c2056dd42f787b
  SHA256: 1e4cba11fed2e6d17ef029301ae806af502cf79109dd9e70ec220d2d4b497a75
  SHA512: 5e5d5ee9eeaccf07cd2d4662fc1ede32231c04f27bbb66ece835b4c3c5fa18a022a636f6d290ebe613453c6388f53b17ce319b6757288148257c85ad161daeed