Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2023 10:02
Static task: static1
Behavioral task: behavioral1
  Sample: PO_Copy.xls
  Resource: win7-20231201-en
Behavioral task: behavioral2
  Sample: PO_Copy.xls
  Resource: win10v2004-20231127-en
General
Target: PO_Copy.xls
Size: 392KB
MD5: c53132c26ed5a87968bd23ff41c485ba
SHA1: 01b1a3c676dbc370fb1916ef17f9bb0309d5b966
SHA256: 02e273a2f40b1a10f15b08d4dee9356f778a82ee48dc9bad878fb4d789d01431
SHA512: 5a09beb5a19c3be45f22e3e7e5e88fbabca1790ede5f38867d1976ce9017ca670797ae8c180666b0e4332803f01e3219f70727915f71507b5bf350f66d17d304
SSDEEP: 6144:Cn1m9kdb/PpeZHVl3S4qQygZpuUXI+FzkEM3Kajs5yiIIrjj5vQDwMm4EHnO:COeDuni5XgZTI+eEuKGiIIryDLm42
Malware Config
Signatures

- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE

- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  3864 | EXCEL.EXE
  2020 | WINWORD.EXE

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeAuditPrivilege | 2020 | WINWORD.EXE

- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  3864 | EXCEL.EXE
  3864 | EXCEL.EXE

- Suspicious use of SetWindowsHookEx (16 IoCs)
  pid | Process
  3864 | EXCEL.EXE (12 occurrences)
  2020 | WINWORD.EXE (4 occurrences)

- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 2020 wrote to memory of 1048 | 2020 | WINWORD.EXE | 92
  PID 2020 wrote to memory of 1048 | 2020 | WINWORD.EXE | 92

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO_Copy.xls"
  PID: 3864
  Signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 2020
  Signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  Child process:
    - C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 1048

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 1836
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E7322CBB-95DB-4182-8E8B-8FF2245744F8
  Filesize: 158KB
  MD5: 513282cc4ab2c3d127324b39302e99e9
  SHA1: d015c9760dde3ef874019e6e811b9b4842d2e574
  SHA256: 1b69f6edf2b9d21a0f5d380ebb17343b13cf3aeed12283dee043f7cdec6382ce
  SHA512: 10356d32c62b06e56a18b3e42864da09ac4ad8b82bc409579fdd74e346883939055d1a70b7c5ce2904266b8a45a81cf19b55f6f51a418843b3e5b0be001eaf66

- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 6a23273743a270e3a6033e7e5320614f
  SHA1: f0e53cf9f6f2dae674f53760f088f7b6fdfbfdf5
  SHA256: 4aa3d67dca507a05d00d8b5e36f16425ce3110ee96ae8b5da3de6308821ff5db
  SHA512: d9201a22adc2914bcd2af0d47dcd89583c2c5ace338f3de435e3c9f13cfc6d6ec2451e4a6bbe799e3739574fa8eb6aadcce2c546ef78a365822d742efdfc6a84

- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: eb85c2ae7da0044430d2387114348ebb
  SHA1: 40155d7a63ea1d1dd79ee56126fb5ae80350f815
  SHA256: be3cf9bd383cc758acf2e44c07252eb6095826b5e6fcdf934a3d87c03745827c
  SHA512: 42bcef62ec48e8ced45769f2b5145119b7fee3ec3b62015456efa1e568d691a7bb68abd4c2e329832b01e98b20c1a3704d9618aefe924cc61b7f900b1ba8dd21

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EF4ZIAKK\Microsoftdecidedtodeleteentirehistorycachecookieeverythingfromthepc[1].doc
  Filesize: 68KB
  MD5: 2163e4abe634b604518567a27c2b57cd
  SHA1: 5ce02ec2b65a3771777e58879d30dd8d6fc92a79
  SHA256: f997d796da5616a7f6b3c4affbe516c5995de5e24a13c3fad56e51f1e554c78e
  SHA512: 44e2d44d41be24f93c9a828330ac83de4cab387ae916fa4cc91313dfbf2906dd0a375580d4c5e3bb0b02720e0b2920a0cbcf0d7e21516ce5f62b80cb24af7370