Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system
submitted: 07-12-2023 19:21
Static task: static1
Behavioral task: behavioral1
  Sample: 3eb49f3cd7bdc676ac5b8f46c9ff956717275b7dd7ab90fbea3e3fe3fbaae576xlsx.xls
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 3eb49f3cd7bdc676ac5b8f46c9ff956717275b7dd7ab90fbea3e3fe3fbaae576xlsx.xls
  Resource: win10v2004-20231127-en
General
Target: 3eb49f3cd7bdc676ac5b8f46c9ff956717275b7dd7ab90fbea3e3fe3fbaae576xlsx.xls
Size: 391KB
MD5: 84129445f6446d089445dbe993224dcd
SHA1: 7e8ccd59f7484ca6e2701404ff8c77182cba2dce
SHA256: 3eb49f3cd7bdc676ac5b8f46c9ff956717275b7dd7ab90fbea3e3fe3fbaae576
SHA512: 47ebc4e589bc797896727857c91d6e6f6c3ee99b5e41cae7f4336e1fe643f6da3d436bc5edba234af31e419b82d337e03904b293b36fa3a245b1bd3cf6caadce
SSDEEP: 6144:YDn1m9kdbaG3mU+ZKy4ij4a3DjKcUX1edr1aqizRBfqGudZFAW6ffPPXC53EE:YDOeuiqKjij4a3DjM1ehMvmFC3Xq3EE
Malware Config
Signatures
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                               Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       EXCEL.EXE
Enumerates system info in registry 2 TTPs 6 IoCs
description        ioc                                                             Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid   Process
1432  EXCEL.EXE
1140  WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeAuditPrivilege  1140  WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
1432  EXCEL.EXE
1432  EXCEL.EXE
Suspicious use of SetWindowsHookEx 12 IoCs
pid   Process
1432  EXCEL.EXE
1432  EXCEL.EXE
1432  EXCEL.EXE
1432  EXCEL.EXE
1432  EXCEL.EXE
1432  EXCEL.EXE
1432  EXCEL.EXE
1432  EXCEL.EXE
1140  WINWORD.EXE
1140  WINWORD.EXE
1140  WINWORD.EXE
1140  WINWORD.EXE
Suspicious use of WriteProcessMemory 2 IoCs
description                        pid   Process      procid_target
PID 1140 wrote to memory of 3528   1140  WINWORD.EXE  99
PID 1140 wrote to memory of 3528   1140  WINWORD.EXE  99
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
EXCEL.EXE (PID 1432)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3eb49f3cd7bdc676ac5b8f46c9ff956717275b7dd7ab90fbea3e3fe3fbaae576xlsx.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

WINWORD.EXE (PID 1140)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    splwow64.exe (PID 3528), child of WINWORD.EXE
      Command line: C:\Windows\splwow64.exe 12288

svchost.exe (PID 1600)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B256577B-84B0-4596-BCC1-7CA56834EFB7
  Filesize: 158KB
  MD5: c108d21fe7487494aaf06c14818f2da9
  SHA1: 736d726515bfe506985e0fe257f5fda5b4b78f37
  SHA256: 8d21cf948d10f1c4621274b17d7b4e128439f7c219e8331a1ce01ead47ca799a
  SHA512: c567b0dbc3f71df39da3e840850e7846f47e0ce0f511f844f7028cf7b59ea4d0216a8f771d7b78cbf633702ef0b89c0f91866a10d7393ba43d1e268b90b30edc

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 39d293715d6f8c593e643fe352ee784a
  SHA1: ce22aa8976a157fdb59faa018d9ac7354253e174
  SHA256: f77d2416e3429cde1c8b1ab28892c703828550b56d19ea1f56de62d635ce14c1
  SHA512: 825743cb50d90263f9a45ffd4c7adee7e61f22f21f64febb49f47b33d3b569d3fe2f15ffc12ed53d8b6e52e25685dccb920cbbd17dfc9c3c77f55a021620163e

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: e3bf08048ad64606dc69bafae4acf003
  SHA1: 6d3f06ec82e24789b2ce374ef3f1fa15ba3036db
  SHA256: 74683ab4d35a2984191fa530ffe7fffec727c0fb17ca57e69c4affc9c9792a5e
  SHA512: dac3d86ee762e89d5432fa13ca799f599c04aa77789c54fbcc564975c53691398d5284f3b71837d1dbca84468178a3f69e5b8d2fef4721659cc10a41b21258c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKI5XVIY\microsoftdetecthistorycachecookieentirethingsfromthepcfordelete[1].doc
  Filesize: 66KB
  MD5: 3257e76f6fd7ccf389feb54fd83653a3
  SHA1: 0f567d839141d2e9b0ed8c7be435ca8eb50c3727
  SHA256: 5d14534b002980d390f30c6b970b17a3b4b6855c817b5703cd9a87291448144d
  SHA512: 226c6eae6d86b07d1bfbaf482c52267b63f423c5fb8474dd3b60978b116ffd90d5f6d5b38291a01afeee1d392c71d79103efd58d8d2e1870dd9c3cdd94d4664c