24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac

General

Target

24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac.xls
Size

392KB
MD5

1cd369286752c3d016b8ce3d59f43e66
SHA1

ee6222b823a92cae26f04351509a1254556508c0
SHA256

24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac
SHA512

9e875bf7a628faa32846a68d0f699601c31ac8fd66d906d8ba72b70d56ef4d376cb569c0afca1e5ba7eb8972df318d17cbb6393105a4e0c965d356350862b7b2
SSDEEP

6144:un1m9kdb/Gt8b++UXaBkMOQGeg20HYacK4vPLJJhZrRIh1EBb:uOeLlS5aave4HtcK8A/EB

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

5012 EXCEL.EXE
1724 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1724 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	1724	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE
1724	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1724 wrote to memory of 3468	1724	WINWORD.EXE	splwow64.exe
PID 1724 wrote to memory of 3468	1724	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\64DD98B2-EDA7-451C-B703-9435A240CBB1

Filesize
157KB

MD5
ff7b144a76ee15878a12ac23ed4774e5

SHA1
3ff27a0d0797154bd997e60391681f2cdd99900a

SHA256
a4b3f150037831e6c4146ead478825ed148602dee78702ea22b703943eaee0eb

SHA512
1bbba934c898f4df80a095d9f45af9e55b3c39427e26cab1ee531305168748df79e415305464269101de90bae57e5141e33b8a64f8e616d6ca16c0587db5e1c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
ced77e13ff03523e8de461b15e79a249

SHA1
0cba77b99f63b1a75ab4b38631d1fb2648808437

SHA256
8420359337d94b1193ec6d8da9998e3e2a3264dfd08f67f8f1b535e44c310591

SHA512
4477f1cc053461b69c6677dc43451cae0283309f9b8c68945f906144408b4572d1e89032d88bbecc49b0310d6800fd3823d7b7c6e7b5075cdf9210ef0a732bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
065a44d018d9f40e10070d338df56d3f

SHA1
947839bc4248cfd1f358c286f4c3db0b73f7cc2b

SHA256
6b9e9280054170fb399d8a4a92eb6aa54e4cbcbf2150e31fed14e473c9a4353f

SHA512
07b7bf48af7c1bd42e9f62dc07334c1db3fb534b0cd3c3f68cfbe9de8fcf0777226347bf1f1d8f6f2d3ebb7cd0aa955209e8f22987d17b9bb9e01ecd78932261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R3HM9TG4\microsofdecidedtodeleteentirehistorycookiecachefrommypc[1].doc

Filesize
50KB

MD5
5451b82c9d7e98c077b8dc1f667f5b19

SHA1
5788704528823c1988964a8af9c2056dd42f787b

SHA256
1e4cba11fed2e6d17ef029301ae806af502cf79109dd9e70ec220d2d4b497a75

SHA512
5e5d5ee9eeaccf07cd2d4662fc1ede32231c04f27bbb66ece835b4c3c5fa18a022a636f6d290ebe613453c6388f53b17ce319b6757288148257c85ad161daeed

Download Submit
memory/1724-35-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1724-67-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1724-31-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1724-40-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1724-41-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1724-43-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1724-42-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1724-38-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1724-36-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1724-32-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-6-0x00007FF8F6E50000-0x00007FF8F6E60000-memory.dmp

Filesize
64KB

Download
memory/5012-11-0x00007FF8F4BE0000-0x00007FF8F4BF0000-memory.dmp

Filesize
64KB

Download
memory/5012-17-0x00007FF8F4BE0000-0x00007FF8F4BF0000-memory.dmp

Filesize
64KB

Download
memory/5012-18-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-19-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-20-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-21-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-22-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-16-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-10-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-14-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-13-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-12-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-15-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-0-0x00007FF8F6E50000-0x00007FF8F6E60000-memory.dmp

Filesize
64KB

Download
memory/5012-8-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-9-0x00007FF8F6E50000-0x00007FF8F6E60000-memory.dmp

Filesize
64KB

Download
memory/5012-7-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-5-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-4-0x00007FF8F6E50000-0x00007FF8F6E60000-memory.dmp

Filesize
64KB

Download
memory/5012-2-0x00007FF8F6E50000-0x00007FF8F6E60000-memory.dmp

Filesize
64KB

Download
memory/5012-3-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-65-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-66-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-1-0x00007FF936DD0000-0x00007FF936FC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads