Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231130-en locale:en-us os:windows10-2004-x64 system -
submitted
08-12-2023 10:01
Static task
static1
Behavioral task
behavioral1
Sample
PO_Copy.xls
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
PO_Copy.xls
Resource
win10v2004-20231130-en
General
-
Target
PO_Copy.xls
-
Size
392KB
-
MD5
c53132c26ed5a87968bd23ff41c485ba
-
SHA1
01b1a3c676dbc370fb1916ef17f9bb0309d5b966
-
SHA256
02e273a2f40b1a10f15b08d4dee9356f778a82ee48dc9bad878fb4d789d01431
-
SHA512
5a09beb5a19c3be45f22e3e7e5e88fbabca1790ede5f38867d1976ce9017ca670797ae8c180666b0e4332803f01e3219f70727915f71507b5bf350f66d17d304
-
SSDEEP
6144:Cn1m9kdb/PpeZHVl3S4qQygZpuUXI+FzkEM3Kajs5yiIIrjj5vQDwMm4EHnO:COeDuni5XgZTI+eEuKGiIIryDLm42
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments. Note that the reads here are by EXCEL.EXE and WINWORD.EXE themselves, which query these keys routinely at startup, so this signature on its own is weak evidence of evasion.
Processes: EXCEL.EXE, WINWORD.EXE
description        ioc                                                                                   process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes: EXCEL.EXE, WINWORD.EXE
description        ioc                                                          process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: EXCEL.EXE, WINWORD.EXE
pid   process
2852  EXCEL.EXE
764   WINWORD.EXE
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: WINWORD.EXE
description               pid  process
Token: SeAuditPrivilege   764  WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 16 IoCs
Processes: EXCEL.EXE, WINWORD.EXE
pid   process      occurrences
2852  EXCEL.EXE    12
764   WINWORD.EXE  4
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: WINWORD.EXE
description                       pid  process      target process
PID 764 wrote to memory of 4412   764  WINWORD.EXE  splwow64.exe
PID 764 wrote to memory of 4412   764  WINWORD.EXE  splwow64.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO_Copy.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2852
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:764
  -
    C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:4412
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID:2168
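WINWORD.EXE starts here with -Embedding, the switch COM adds to the command line of an out-of-process server it activates on behalf of another process, while EXCEL.EXE has PO_Copy.xls open. That is the pattern for a Word object embedded in (or linked from) the workbook. The quickest way to confirm it from the file itself is to list the storages of the .xls, which is an OLE compound file: Excel keeps each embedded OLE object in a storage named MBD followed by hex digits, and a WordDocument stream inside such a storage identifies a Word object. The following is an added example, not the sandbox's own code: a dependency-free lister for the compound-file directory (for real triage use olefile/oletools, which also handle the DIFAT chain of large files) run over a minimal file built in memory. build_sample_xls() and everything in it are constructed for the demonstration and are not taken from PO_Copy.xls; pass a path on the command line to run it on a real sample.

```python
import struct
import sys

# OLE compound-file (CFB) constants, per MS-CFB.
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
STORAGE, STREAM, ROOT = 1, 2, 5
# Stream names that reveal what an embedded-object storage holds.
OBJECT_KIND = {"WordDocument": "Word document", "Package": "packaged file (Package)",
               "\x01Ole10Native": "packaged file (Ole10Native)"}


def _sector(data, sector_size, n):
    """Sector n of the file; sector 0 begins right after the 512-byte header."""
    return data[(n + 1) * sector_size:(n + 2) * sector_size]


def _chain(fat, start):
    """Follow a FAT chain; ENDOFCHAIN/FREESECT fall outside the FAT, and a corrupt loop is cut."""
    out, s = [], start
    while s < len(fat) and s not in out:
        out.append(s)
        s = fat[s]
    return out


def list_ole_entries(data):
    """Parse the directory of a compound file; returns (path, type, size) for every entry under the root."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    sector_shift, = struct.unpack_from("<H", data, 30)
    sector_size = 1 << sector_shift
    first_dir, = struct.unpack_from("<I", data, 48)
    fat = []
    # The header lists the first 109 FAT sectors (files up to about 7 MB); DIFAT sectors are not followed here.
    for s in struct.unpack_from("<109I", data, 76):
        chunk = _sector(data, sector_size, s) if s < FATSECT else b""
        if len(chunk) == sector_size:
            fat.extend(struct.unpack("<%dI" % (sector_size // 4), chunk))
    dir_bytes = b"".join(_sector(data, sector_size, s) for s in _chain(fat, first_dir))
    entries = []
    for i in range(len(dir_bytes) // 128):
        e = dir_bytes[i * 128:(i + 1) * 128]
        name_len, typ = struct.unpack_from("<HB", e, 64)
        left, right, child = struct.unpack_from("<III", e, 68)
        size, = struct.unpack_from("<Q", e, 120)
        if sector_shift == 9:          # version 3 files: only the low 32 bits of the size are valid
            size &= 0xFFFFFFFF
        name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")  # length includes the NUL
        entries.append((name, typ, left, right, child, size))
    result, seen = [], set()

    def walk(idx, prefix):             # in-order walk of a storage's sibling tree
        if idx >= len(entries) or idx in seen:   # NOSTREAM (0xFFFFFFFF) ends a branch
            return
        seen.add(idx)
        name, typ, left, right, child, size = entries[idx]
        walk(left, prefix)
        result.append((prefix + name, typ, size))
        if typ == STORAGE:
            walk(child, prefix + name + "/")
        walk(right, prefix)

    if entries:
        walk(entries[0][4], "")        # entries[0] is the root storage; start at its child
    return result


def embedded_objects(entries):
    """Map each Excel embedded-object storage (MBD + hex digits) to the kind of object its streams reveal."""
    found = {}
    for path, typ, _ in entries:
        top, _, leaf = path.partition("/")
        if typ == STORAGE and not leaf and top.startswith("MBD"):
            found[top] = "unknown object"
        elif leaf in OBJECT_KIND and top in found:
            found[top] = OBJECT_KIND[leaf]
    return found


def _dir_entry(name, typ, left, right, child, start=ENDOFCHAIN, size=0):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBBIII", e, 64, len(raw), typ, 1, left, right, child)   # name length, type, colour, tree links
    struct.pack_into("<IQ", e, 116, start, size)
    return bytes(e)


def build_sample_xls():
    """Constructed stand-in for an .xls: header, one FAT sector, one directory sector, a Workbook stream
    and an MBD storage holding a WordDocument stream. Stream bodies are filler, not real records."""
    hdr = bytearray(512)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)                # versions, byte order, sector shifts
    struct.pack_into("<III", hdr, 40, 0, 1, 1)                                # dir sectors (v4), FAT sectors, first dir sector
    struct.pack_into("<IIIII", hdr, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)   # mini-stream cutoff, mini FAT, DIFAT
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))                # the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 124))
    directory = b"".join([
        _dir_entry("Root Entry", ROOT, NOSTREAM, NOSTREAM, 1),
        _dir_entry("Workbook", STREAM, NOSTREAM, 2, NOSTREAM, start=2, size=512),
        _dir_entry("MBD00012345", STORAGE, NOSTREAM, NOSTREAM, 3),
        _dir_entry("WordDocument", STREAM, NOSTREAM, NOSTREAM, NOSTREAM, start=3, size=512),
    ])
    return bytes(hdr) + fat + directory + b"\x09\x08" + b"\x00" * 510 + b"\xEC\xA5" + b"\x00" * 510


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xls()
    listed = list_ole_entries(blob)
    for path, typ, size in listed:
        print("%-8s %8d  %r" % ("storage" if typ == STORAGE else "stream", size, path))
    print("embedded objects:", embedded_objects(listed) or "none")
```

On the sample above this prints the Workbook stream, the MBD00012345 storage and its WordDocument stream, and reports one embedded Word document. An MBD storage whose streams are not recognised is still reported, as "unknown object", so that nothing embedded is silently skipped; a Package or Ole10Native stream means an arbitrary file was packaged in, which deserves extraction and its own look.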
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5B0E6BD0-DB19-4979-B3E9-543A82D41165
Filesize: 158KB
MD5: ab7ba46112c8cdfff0bbac10ae21cf41
SHA1: b81ac2ab5a8c085f0d19d6f04b5c0c083d2d4d34
SHA256: 0447ee44211d5fd045210fac27eefa14319b9fc3849b9867c09b8e2f8f1177c9
SHA512: 97e5f73745cc8d4b37b2f9098a88f96a778b389acda4a771c2b0173bdde31d3d9a3e2e8c7d96c141cd4bc35660abbe2b68ec0cbac340f3f6be2e053ea270331c
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 48ab5d281fa78b29b5d334c91e331636
SHA1: 78e89528a99ed273bcf26271771fa078209ab4c0
SHA256: 87e767517c2e15c0e615bf772ad492dc9948f40d2e84b48a2cb615c76287688e
SHA512: 310e3bf00a0c61c8065188f8bacf268ee35f7a795f50b74e41cb1e0b61f707b234f990845dc8056f7dca882032cce533d227777c5cc4da769991e976d399d987
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: 7a3478cbbcab1d67ea0a4315d98568d2
SHA1: ae0d22c84d731664373a14198aa724e35c34e576
SHA256: 7ec5d67acbae184a227288e4715986070c2bbacbb80e720379858e935d27cc13
SHA512: bfc52231976786b7a253edd61a74a1dc188fafb5fbfeada8dc5a868b5d34ad0b31404b33ac504d6ad5a5fc48743ad2326c8ff4af20f3eae38cbd5dd8a0daa864
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R3HM9TG4\Microsoftdecidedtodeleteentirehistorycachecookieeverythingfromthepc[1].doc
Filesize: 68KB
MD5: 2163e4abe634b604518567a27c2b57cd
SHA1: 5ce02ec2b65a3771777e58879d30dd8d6fc92a79
SHA256: f997d796da5616a7f6b3c4affbe516c5995de5e24a13c3fad56e51f1e554c78e
SHA512: 44e2d44d41be24f93c9a828330ac83de4cab387ae916fa4cc91313dfbf2906dd0a375580d4c5e3bb0b02720e0b2920a0cbcf0d7e21516ce5f62b80cb24af7370