4fe755c27dc035254521204ace429e7d2229d51a503bba1678c035d0138cd406

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2023 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fe755c27dc035254521204ace429e7d2229d51a503bba1678c035d0138cd406xlsx.xls
Size

391KB
MD5

5ea33b2a54dd29dc6d5a3b049dc8a2d1
SHA1

5bc312ad946e5fe8258d6c4669b3fad66ae4fa3b
SHA256

4fe755c27dc035254521204ace429e7d2229d51a503bba1678c035d0138cd406
SHA512

2ca5a6b3792c9a70e8fc025c10a451a2972a9edc2869145d4a0a508fb4c8251c130d2f54fef11acf5c6f94de344782989055301b3c8dcbeaa43b9cd9e24cc32e
SSDEEP

12288:+OeGxSqKjij4a3DjM/In2zyojn1v3UICbk:+OeGxBEezj8In5oD1v12

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2564	EXCEL.EXE
3744	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3744	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2564	EXCEL.EXE
2564	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2564	EXCEL.EXE
2564	EXCEL.EXE
2564	EXCEL.EXE
2564	EXCEL.EXE
2564	EXCEL.EXE
2564	EXCEL.EXE
2564	EXCEL.EXE
2564	EXCEL.EXE
3744	WINWORD.EXE
3744	WINWORD.EXE
3744	WINWORD.EXE
3744	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 4184	3744	WINWORD.EXE	92
PID 3744 wrote to memory of 4184	3744	WINWORD.EXE	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4fe755c27dc035254521204ace429e7d2229d51a503bba1678c035d0138cd406xlsx.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AE105275-88E9-4CF9-BBF8-9BA7809A0CCC

Filesize
158KB

MD5
2b335cafe444f2c20394badb09be0b6e

SHA1
42e5dd9ebaf65b72915f921d0dd8c0e2122d6d99

SHA256
f63d80388e99516dd43a655d1d193224528951d1e10d8cf6875a0b104421ca04

SHA512
57e632b11185f8766101d036f37b2ddc0303849df96e1a734181ad83e93b00a6d2fd78a34ecac612dbd627b17f96f8158d26b05598d9c64c64ef0bda9b24bade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
32a572a0a2366f2fa1a5fc35abbe4c6f

SHA1
1a8b1757dd26cf63d83ba2a57e07aa0a6bd9025d

SHA256
7acec08ebe309cd9341343a4de754cbf41689763c70a587b1d0c399ad002292e

SHA512
84d9ba49e135480d9ca36a07d388ff4873bb405ae55a361ab376e42a0fefd2a6054dd6b9fc4fa33787d4c51ca18442f9a1955058ee2c528165c05b7f91d33644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
a46541d2ce9163bb257f90d3bcbfc55a

SHA1
078d9e66c93a3a10b09438496289533c8a738da0

SHA256
c4b45970be4671f73cea5233ba1ae0fea160a19188e41e8a912e77f4f0c2779c

SHA512
327cb24d4ef53db235e42756c119a21cc6c9fa274988959a064fbdaf17adecb73f4ff617b1b28753824df644463d7bf26738ce27d1451f6af24f2a0edee27dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\76N9AOO7\microsoftdecidedtodeleteentirehistorycookiecacheeverthingfrmthepc[1].doc

Filesize
60KB

MD5
7ecba32d658443197384b69d872d0bfb

SHA1
173c9b6d2ca1ab6bc5986d2d6b6fe574966e70e8

SHA256
3b73c78e78bd1c6ac43e6f7f4934353bf6c4c23b0b534ddd228d2fcc5b562f6d

SHA512
49b7cc43b047f339c345e68904aa8a89e7bbc20fd17a8e7d7d81db9ba116bc905fc1ecc3c4c767fe8c014d04deec491130c4eb840af70e1d4c900fb9f9a9ad5a

Download Submit
memory/2564-21-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-102-0x00007FF9B13D0000-0x00007FF9B13E0000-memory.dmp

Filesize
64KB

Download
memory/2564-11-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-12-0x00007FF9AED90000-0x00007FF9AEDA0000-memory.dmp

Filesize
64KB

Download
memory/2564-10-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-9-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-14-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-13-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-6-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-1-0x00007FF9B13D0000-0x00007FF9B13E0000-memory.dmp

Filesize
64KB

Download
memory/2564-0-0x00007FF9B13D0000-0x00007FF9B13E0000-memory.dmp

Filesize
64KB

Download
memory/2564-15-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-16-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-22-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-18-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-19-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-4-0x00007FF9B13D0000-0x00007FF9B13E0000-memory.dmp

Filesize
64KB

Download
memory/2564-20-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-106-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-8-0x00007FF9AED90000-0x00007FF9AEDA0000-memory.dmp

Filesize
64KB

Download
memory/2564-17-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-105-0x00007FF9B13D0000-0x00007FF9B13E0000-memory.dmp

Filesize
64KB

Download
memory/2564-104-0x00007FF9B13D0000-0x00007FF9B13E0000-memory.dmp

Filesize
64KB

Download
memory/2564-103-0x00007FF9B13D0000-0x00007FF9B13E0000-memory.dmp

Filesize
64KB

Download
memory/2564-23-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-63-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-3-0x00007FF9B13D0000-0x00007FF9B13E0000-memory.dmp

Filesize
64KB

Download
memory/2564-7-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-5-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/2564-2-0x00007FF9B13D0000-0x00007FF9B13E0000-memory.dmp

Filesize
64KB

Download
memory/3744-39-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/3744-37-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/3744-64-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/3744-38-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/3744-35-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/3744-33-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/3744-32-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/3744-29-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download
memory/3744-117-0x00007FF9F1350000-0x00007FF9F1545000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads