02e273a2f40b1a10f15b08d4dee9356f778a82ee48dc9bad878fb4d789d01431

General

Target

PO_Copy.xls
Size

392KB
MD5

c53132c26ed5a87968bd23ff41c485ba
SHA1

01b1a3c676dbc370fb1916ef17f9bb0309d5b966
SHA256

02e273a2f40b1a10f15b08d4dee9356f778a82ee48dc9bad878fb4d789d01431
SHA512

5a09beb5a19c3be45f22e3e7e5e88fbabca1790ede5f38867d1976ce9017ca670797ae8c180666b0e4332803f01e3219f70727915f71507b5bf350f66d17d304
SSDEEP

6144:Cn1m9kdb/PpeZHVl3S4qQygZpuUXI+FzkEM3Kajs5yiIIrjj5vQDwMm4EHnO:COeDuni5XgZTI+eEuKGiIIryDLm42

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3080 EXCEL.EXE
4688 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4688 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4688	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
3080	EXCEL.EXE
3080	EXCEL.EXE
3080	EXCEL.EXE
3080	EXCEL.EXE
3080	EXCEL.EXE
3080	EXCEL.EXE
3080	EXCEL.EXE
3080	EXCEL.EXE
3080	EXCEL.EXE
3080	EXCEL.EXE
3080	EXCEL.EXE
3080	EXCEL.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4688 wrote to memory of 4412	4688	WINWORD.EXE	splwow64.exe
PID 4688 wrote to memory of 4412	4688	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO_Copy.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3080

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
1722115a3207420da6785a46a4885269

SHA1
4be4d8775f4dddbcd2c1942dbaaf2da49dec2423

SHA256
15c5c5558cd147c9ee340094878f891ccc7a9daca8a76d05ea8c08fd4332495c

SHA512
60fbca97535eef247fed78e818fafb3ef32b6beeb0334eb4f9639f4b0dd0c1e14a827ca0a2d378ca671a3daca49ba27aa18c14fbff18fb490f9c18f3e3429f01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
b89979a3a74ca0d523e5b5ff0b6edf92

SHA1
2181cc54a96055e2503185e96ee3d960f5d2c0ae

SHA256
6b4573560580624aec6800e8d2ecf2fb42301bf5a14df43df2b125a0eca33a65

SHA512
072625785ceea03cf6ae98644632ff97fae7a2c0ec4eea6197acc9746dcc15edc2a8a282bb95d14e8bbbcd625c496c29537c744b5682b05858d89e4775b772d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\645A8930-D79F-4614-A109-FAF8BD17131F

Filesize
158KB

MD5
39fef738d777863ec38b7cefcff7452e

SHA1
cf4596b03bd7f4b3fd964c90e6a3f7c2fee76528

SHA256
9925b4adf4d018592394bb3c1cde2b188d69ae829d5db4864fa0b418e1e39207

SHA512
c78495b5d694f1061ea54f5e9ca35c122aafe479f3e30ecc76494c7f59131671f29aaf936d4048f1b731778c44d94276195e37b272eb5efba4b48f0b43c9e9a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
1d53d486456a61c39fa8a2fd8363412d

SHA1
81e72f6e7f389205746b362320a82c68d9e68f76

SHA256
74862a9df45b1a8188c48972d641859ff2ca562476bc80f18c0a81be0f138ad5

SHA512
a3fb969cf413756dd3a3c8b82d97cc001e1348309844e81dae36f248cc54c4750c5c74eca687ce564ae82f765500d34ea71526365ce4cc59db0b12736baf3b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
474dfb286d6e2d12ee1e2002b1f86265

SHA1
3617fa87e004eb90e549b0a6fbc01b4315df1910

SHA256
51a3d1e49ef1a754cd2e5ae720cd2d511eb0aa49a9b620f4ad6505ca032fb014

SHA512
5fa76c8d32ebf21b796cfb3b79f8b986f79887b6e846b20fb559a76812035185bf1a1a5e17bb64813d7681e9b0a541080fa217fad7eb96339a93f135ec0020da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T67XWC80\Microsoftdecidedtodeleteentirehistorycachecookieeverythingfromthepc[1].doc

Filesize
68KB

MD5
2163e4abe634b604518567a27c2b57cd

SHA1
5ce02ec2b65a3771777e58879d30dd8d6fc92a79

SHA256
f997d796da5616a7f6b3c4affbe516c5995de5e24a13c3fad56e51f1e554c78e

SHA512
44e2d44d41be24f93c9a828330ac83de4cab387ae916fa4cc91313dfbf2906dd0a375580d4c5e3bb0b02720e0b2920a0cbcf0d7e21516ce5f62b80cb24af7370

Download Submit
memory/3080-20-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-23-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-3-0x00007FFCC2B10000-0x00007FFCC2B20000-memory.dmp

Filesize
64KB

Download
memory/3080-9-0x00007FFCC0540000-0x00007FFCC0550000-memory.dmp

Filesize
64KB

Download
memory/3080-10-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-11-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-12-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-13-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-14-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-15-0x00007FFCC0540000-0x00007FFCC0550000-memory.dmp

Filesize
64KB

Download
memory/3080-16-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-17-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-18-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-19-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-0-0x00007FFCC2B10000-0x00007FFCC2B20000-memory.dmp

Filesize
64KB

Download
memory/3080-21-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-22-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-8-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-69-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-68-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-1-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-2-0x00007FFCC2B10000-0x00007FFCC2B20000-memory.dmp

Filesize
64KB

Download
memory/3080-4-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-7-0x00007FFCC2B10000-0x00007FFCC2B20000-memory.dmp

Filesize
64KB

Download
memory/3080-6-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/3080-5-0x00007FFCC2B10000-0x00007FFCC2B20000-memory.dmp

Filesize
64KB

Download
memory/4688-45-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/4688-44-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/4688-42-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/4688-41-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/4688-40-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/4688-39-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/4688-38-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/4688-36-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/4688-34-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download
memory/4688-70-0x00007FFD02A90000-0x00007FFD02C85000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads