02e273a2f40b1a10f15b08d4dee9356f778a82ee48dc9bad878fb4d789d01431

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2023 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_Copy.xls
Size

392KB
MD5

c53132c26ed5a87968bd23ff41c485ba
SHA1

01b1a3c676dbc370fb1916ef17f9bb0309d5b966
SHA256

02e273a2f40b1a10f15b08d4dee9356f778a82ee48dc9bad878fb4d789d01431
SHA512

5a09beb5a19c3be45f22e3e7e5e88fbabca1790ede5f38867d1976ce9017ca670797ae8c180666b0e4332803f01e3219f70727915f71507b5bf350f66d17d304
SSDEEP

6144:Cn1m9kdb/PpeZHVl3S4qQygZpuUXI+FzkEM3Kajs5yiIIrjj5vQDwMm4EHnO:COeDuni5XgZTI+eEuKGiIIryDLm42

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2852 EXCEL.EXE
764 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 764 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	764	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
764	WINWORD.EXE
764	WINWORD.EXE
764	WINWORD.EXE
764	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 764 wrote to memory of 4412	764	WINWORD.EXE	splwow64.exe
PID 764 wrote to memory of 4412	764	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO_Copy.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5B0E6BD0-DB19-4979-B3E9-543A82D41165

Filesize
158KB

MD5
ab7ba46112c8cdfff0bbac10ae21cf41

SHA1
b81ac2ab5a8c085f0d19d6f04b5c0c083d2d4d34

SHA256
0447ee44211d5fd045210fac27eefa14319b9fc3849b9867c09b8e2f8f1177c9

SHA512
97e5f73745cc8d4b37b2f9098a88f96a778b389acda4a771c2b0173bdde31d3d9a3e2e8c7d96c141cd4bc35660abbe2b68ec0cbac340f3f6be2e053ea270331c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
48ab5d281fa78b29b5d334c91e331636

SHA1
78e89528a99ed273bcf26271771fa078209ab4c0

SHA256
87e767517c2e15c0e615bf772ad492dc9948f40d2e84b48a2cb615c76287688e

SHA512
310e3bf00a0c61c8065188f8bacf268ee35f7a795f50b74e41cb1e0b61f707b234f990845dc8056f7dca882032cce533d227777c5cc4da769991e976d399d987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
7a3478cbbcab1d67ea0a4315d98568d2

SHA1
ae0d22c84d731664373a14198aa724e35c34e576

SHA256
7ec5d67acbae184a227288e4715986070c2bbacbb80e720379858e935d27cc13

SHA512
bfc52231976786b7a253edd61a74a1dc188fafb5fbfeada8dc5a868b5d34ad0b31404b33ac504d6ad5a5fc48743ad2326c8ff4af20f3eae38cbd5dd8a0daa864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R3HM9TG4\Microsoftdecidedtodeleteentirehistorycachecookieeverythingfromthepc[1].doc

Filesize
68KB

MD5
2163e4abe634b604518567a27c2b57cd

SHA1
5ce02ec2b65a3771777e58879d30dd8d6fc92a79

SHA256
f997d796da5616a7f6b3c4affbe516c5995de5e24a13c3fad56e51f1e554c78e

SHA512
44e2d44d41be24f93c9a828330ac83de4cab387ae916fa4cc91313dfbf2906dd0a375580d4c5e3bb0b02720e0b2920a0cbcf0d7e21516ce5f62b80cb24af7370

Download Submit
memory/764-46-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/764-39-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/764-48-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/764-47-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/764-28-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/764-41-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/764-40-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/764-71-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/764-38-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/764-37-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/764-35-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/764-33-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/764-31-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/764-29-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-11-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-0-0x00007FF8FDDD0000-0x00007FF8FDDE0000-memory.dmp

Filesize
64KB

Download
memory/2852-21-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-18-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-22-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-19-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-17-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-16-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-15-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-14-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-13-0x00007FF8FB650000-0x00007FF8FB660000-memory.dmp

Filesize
64KB

Download
memory/2852-12-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-10-0x00007FF8FB650000-0x00007FF8FB660000-memory.dmp

Filesize
64KB

Download
memory/2852-20-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-9-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-8-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-7-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-6-0x00007FF8FDDD0000-0x00007FF8FDDE0000-memory.dmp

Filesize
64KB

Download
memory/2852-3-0x00007FF8FDDD0000-0x00007FF8FDDE0000-memory.dmp

Filesize
64KB

Download
memory/2852-5-0x00007FF8FDDD0000-0x00007FF8FDDE0000-memory.dmp

Filesize
64KB

Download
memory/2852-4-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-2-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-69-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-70-0x00007FF93DD50000-0x00007FF93DF45000-memory.dmp

Filesize
2.0MB

Download
memory/2852-1-0x00007FF8FDDD0000-0x00007FF8FDDE0000-memory.dmp

Filesize
64KB

Download