02e273a2f40b1a10f15b08d4dee9356f778a82ee48dc9bad878fb4d789d01431

General

Target

PO_Copy.xls
Size

392KB
MD5

c53132c26ed5a87968bd23ff41c485ba
SHA1

01b1a3c676dbc370fb1916ef17f9bb0309d5b966
SHA256

02e273a2f40b1a10f15b08d4dee9356f778a82ee48dc9bad878fb4d789d01431
SHA512

5a09beb5a19c3be45f22e3e7e5e88fbabca1790ede5f38867d1976ce9017ca670797ae8c180666b0e4332803f01e3219f70727915f71507b5bf350f66d17d304
SSDEEP

6144:Cn1m9kdb/PpeZHVl3S4qQygZpuUXI+FzkEM3Kajs5yiIIrjj5vQDwMm4EHnO:COeDuni5XgZTI+eEuKGiIIryDLm42

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3864 EXCEL.EXE
2020 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 2020 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

3864 EXCEL.EXE
3864 EXCEL.EXE

description	pid	process
Token: SeAuditPrivilege	2020	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
3864	EXCEL.EXE
3864	EXCEL.EXE
3864	EXCEL.EXE
3864	EXCEL.EXE
3864	EXCEL.EXE
3864	EXCEL.EXE
3864	EXCEL.EXE
3864	EXCEL.EXE
3864	EXCEL.EXE
3864	EXCEL.EXE
3864	EXCEL.EXE
3864	EXCEL.EXE
2020	WINWORD.EXE
2020	WINWORD.EXE
2020	WINWORD.EXE
2020	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2020 wrote to memory of 1048	2020	WINWORD.EXE	splwow64.exe
PID 2020 wrote to memory of 1048	2020	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO_Copy.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3864

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E7322CBB-95DB-4182-8E8B-8FF2245744F8

Filesize
158KB

MD5
513282cc4ab2c3d127324b39302e99e9

SHA1
d015c9760dde3ef874019e6e811b9b4842d2e574

SHA256
1b69f6edf2b9d21a0f5d380ebb17343b13cf3aeed12283dee043f7cdec6382ce

SHA512
10356d32c62b06e56a18b3e42864da09ac4ad8b82bc409579fdd74e346883939055d1a70b7c5ce2904266b8a45a81cf19b55f6f51a418843b3e5b0be001eaf66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
6a23273743a270e3a6033e7e5320614f

SHA1
f0e53cf9f6f2dae674f53760f088f7b6fdfbfdf5

SHA256
4aa3d67dca507a05d00d8b5e36f16425ce3110ee96ae8b5da3de6308821ff5db

SHA512
d9201a22adc2914bcd2af0d47dcd89583c2c5ace338f3de435e3c9f13cfc6d6ec2451e4a6bbe799e3739574fa8eb6aadcce2c546ef78a365822d742efdfc6a84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
eb85c2ae7da0044430d2387114348ebb

SHA1
40155d7a63ea1d1dd79ee56126fb5ae80350f815

SHA256
be3cf9bd383cc758acf2e44c07252eb6095826b5e6fcdf934a3d87c03745827c

SHA512
42bcef62ec48e8ced45769f2b5145119b7fee3ec3b62015456efa1e568d691a7bb68abd4c2e329832b01e98b20c1a3704d9618aefe924cc61b7f900b1ba8dd21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EF4ZIAKK\Microsoftdecidedtodeleteentirehistorycachecookieeverythingfromthepc[1].doc

Filesize
68KB

MD5
2163e4abe634b604518567a27c2b57cd

SHA1
5ce02ec2b65a3771777e58879d30dd8d6fc92a79

SHA256
f997d796da5616a7f6b3c4affbe516c5995de5e24a13c3fad56e51f1e554c78e

SHA512
44e2d44d41be24f93c9a828330ac83de4cab387ae916fa4cc91313dfbf2906dd0a375580d4c5e3bb0b02720e0b2920a0cbcf0d7e21516ce5f62b80cb24af7370

Download Submit
memory/2020-54-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/2020-23-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/2020-55-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/2020-56-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/2020-33-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/2020-32-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/2020-30-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/2020-28-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/2020-26-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/2020-24-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/3864-3-0x00007FFBAE690000-0x00007FFBAE6A0000-memory.dmp

Filesize
64KB

Download
memory/3864-7-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/3864-13-0x00007FFBAC1D0000-0x00007FFBAC1E0000-memory.dmp

Filesize
64KB

Download
memory/3864-12-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/3864-11-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/3864-10-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/3864-9-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/3864-8-0x00007FFBAE690000-0x00007FFBAE6A0000-memory.dmp

Filesize
64KB

Download
memory/3864-0-0x00007FFBAE690000-0x00007FFBAE6A0000-memory.dmp

Filesize
64KB

Download
memory/3864-14-0x00007FFBAC1D0000-0x00007FFBAC1E0000-memory.dmp

Filesize
64KB

Download
memory/3864-5-0x00007FFBAE690000-0x00007FFBAE6A0000-memory.dmp

Filesize
64KB

Download
memory/3864-6-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/3864-50-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/3864-51-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/3864-4-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download
memory/3864-1-0x00007FFBAE690000-0x00007FFBAE6A0000-memory.dmp

Filesize
64KB

Download
memory/3864-2-0x00007FFBEE610000-0x00007FFBEE805000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads