7712b3d4b61189ccbafdbcc285b7a761d517bb68295626e30c33c24c38fb95cd

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231201-en
resource tags

arch:x64arch:x86image:win10v2004-20231201-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2023 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Package.xls
Size

391KB
MD5

3e33c8cf5b3ce2fa86f1b0ab22d2d3c2
SHA1

de4c28fc5c4eab8c71b09830ff295b901be6a844
SHA256

7712b3d4b61189ccbafdbcc285b7a761d517bb68295626e30c33c24c38fb95cd
SHA512

0ef6016a7e6d0a45d9358ee21ddacea1b0aa393f276dadc32f3218c89f41fbea9ac765b5127c60cc8c069eb26ee52ffb740d0a7eb2af6ccf20a68e7740852354
SSDEEP

6144:ln1m9kdbQS6vsB3qfLWnNnBkbE9UX3yhnpC3quvmb6SrnV3LYpMMAI:lOeuvsB351Bkr3yh9b9hr

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3204 EXCEL.EXE
2672 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 2672 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	2672	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
2672	WINWORD.EXE
2672	WINWORD.EXE
2672	WINWORD.EXE
2672	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Package.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3204

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\19B853F0-26E4-416E-9C1F-E71943C18238

Filesize
158KB

MD5
564ceda8c92e919031aba47204515824

SHA1
c6bc8ab90e55a86b22cf3207b9dda3df1d14a0ab

SHA256
4059fde57c718b41483e7ad54c8224a96351bfc96d2022757f3d49dee8aea4e0

SHA512
6a782b89342c154f4a2f57636e720d969a062e6539ce0ffabb5502d3fda78f8ae8c071db7ff962b56020e2926ee364e3706006db3a8144309b0bca6435110615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
c4648593dcefcf2c21b5d90044bcc57f

SHA1
49361406837a42387d31f87647832c7f45352e6c

SHA256
90b2d642feec1e6f8dda066384bef6498a5255055d1ae8a295abee69f391f29b

SHA512
146035a5d2d5301ca08d33cd5c64cd31c4c2e98055d12c0fdbba04a6581cbf84380442e99c236288166062021aff4be0d0510542f8bc80d3964e7ef204ff3d87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
5001a859a5247d0b5c14ad3d5c5d4ae6

SHA1
25e2cbfbd1ac82c95ffdc5fd6a6d8c871bfeb5db

SHA256
0d34310e985ceab9eb1b24c0df205ad3536200b76db048a7594c113e499e1b0c

SHA512
edad192352a5d190626f6119895a18fc87641ec22ff227b1dac3b16e0d4252016d755c0598b1812f308093892f8e66e5ca53f4dd84f21b640bfcd7417cffc80c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2ZP04V7W\microsofttoldemetheywanttodeletehistorycatchcookiefrommypc[1].doc

Filesize
48KB

MD5
08568b90661f80313579e0c16c2737f0

SHA1
859aa8a945a3585bf777ef29bbfeaeba8bc22526

SHA256
0bad6a3f47fd9b9063f5c71609e68bd2de6f9d6e4cf1a183351ee8f2f7ebf32b

SHA512
f46cf40ef8199cfe58ebd0bc63a09aa70c4c6d6bda1a55bd0d3ef63e26ea3580c63d963d8d4c9af28981ce369edd62a88779dad1bd0f4192115e6f534cb625d8

Download Submit
memory/2672-44-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-28-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-71-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-30-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-49-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-35-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-48-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-33-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-47-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-45-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-42-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-41-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-40-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-38-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-37-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-36-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-31-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-26-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-12-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-0-0x00007FF7DEF30000-0x00007FF7DEF40000-memory.dmp

Filesize
64KB

Download
memory/3204-7-0x00007FF7DEF30000-0x00007FF7DEF40000-memory.dmp

Filesize
64KB

Download
memory/3204-5-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-9-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-19-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-17-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-18-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-16-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-14-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-15-0x00007FF7DC6D0000-0x00007FF7DC6E0000-memory.dmp

Filesize
64KB

Download
memory/3204-20-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-13-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-4-0x00007FF7DEF30000-0x00007FF7DEF40000-memory.dmp

Filesize
64KB

Download
memory/3204-11-0x00007FF7DC6D0000-0x00007FF7DC6E0000-memory.dmp

Filesize
64KB

Download
memory/3204-10-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-8-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-2-0x00007FF7DEF30000-0x00007FF7DEF40000-memory.dmp

Filesize
64KB

Download
memory/3204-1-0x00007FF7DEF30000-0x00007FF7DEF40000-memory.dmp

Filesize
64KB

Download
memory/3204-3-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-69-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-70-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-6-0x00007FF81EEB0000-0x00007FF81F0A5000-memory.dmp

Filesize
2.0MB

Download