e0f39aafb9e7336243e6e7474a8dae1eaef0d47f18cf248647447de68025419d

Analysis

max time kernel
147s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2023 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0f39aafb9e7336243e6e7474a8dae1eaef0d47f18cf248647447de68025419d.xls
Size

581KB
MD5

9a6023f380a3ca9497b58c03af489a46
SHA1

b0c3f4a422bdebb69ae2b23a02ede3d4963a2f1f
SHA256

e0f39aafb9e7336243e6e7474a8dae1eaef0d47f18cf248647447de68025419d
SHA512

0713716a398dc5633bfcf4dd5b48db1ffb226efb7fad594fc74e31cc6e84ba4ebdb158763ba3d874c2d9e5654c640a5e75a158257e09af043dbcdba970a7da12
SSDEEP

12288:OMe0yk97XV2bZ/HEIR01GF3CxBfL9DeHp/GilMD:OMeo9gdvR2GFupxCHv

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3128 EXCEL.EXE
1800 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1800 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	1800	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
3128	EXCEL.EXE
3128	EXCEL.EXE
3128	EXCEL.EXE
3128	EXCEL.EXE
3128	EXCEL.EXE
3128	EXCEL.EXE
3128	EXCEL.EXE
3128	EXCEL.EXE
3128	EXCEL.EXE
3128	EXCEL.EXE
3128	EXCEL.EXE
3128	EXCEL.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE
1800	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1800 wrote to memory of 1664	1800	WINWORD.EXE	splwow64.exe
PID 1800 wrote to memory of 1664	1800	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e0f39aafb9e7336243e6e7474a8dae1eaef0d47f18cf248647447de68025419d.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3128

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
6a748da766284717bd94513e98f9272a

SHA1
1b9da9a9295c2849e081d83c5acb314e6a74d0d8

SHA256
599784f4659e4407c682059e4ecb951d886ba20a96de039a02193a4c27dfad17

SHA512
ee9596d5309a6d2113b75c2c6cac66279b2ecd9066a0eb2dbde5d98a5f4b82fee5f6410c57d8910ee4117f121c4d59acf0c4bdc8d6dd982e479f56ff4037a30b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
f7d42ddbe88e2fb8e23f3e7d55c785ac

SHA1
ff4624b97c7d45c256e290f5c73618848560f671

SHA256
b1d86125ed52031e68a038a821dbd38320e87f578c76d639b33a280046004b33

SHA512
06ed492c7c9c3a8cd40017429c38fa5c43bb1501ed4d4aad73d99e0f93564d7408494889d588bbc3a10fa11c6e72e524318e4c00b3ea65388a06c04d29914087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\945292DF-EB68-4495-8608-B5F96DF0D15C

Filesize
158KB

MD5
55a78caee398df0a9a62e3186427f900

SHA1
33c391d8900df3ed2952ec116723def4ab302e4e

SHA256
540e879c2caef61b16d8ac47e3f9bff44d953047d74fc4453f9b83b3d04b0b66

SHA512
fb029f06b3c0ba7d5e05925ed992c4b4d9e9621eec7c99d27dc3243c80d3b189deacd1b5a81bdac7b7664b119400f7a8f0a71123effbf5c96194668aa9f35eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
280b173651ccf2705460d0eebbc08a74

SHA1
c66b2451b7a71bb29e9e149b8cdbeb13ee675ac8

SHA256
264b5fd8d11b34e42d21f10d54d67a03e2ece44147aab9fe57f95aa874ef899e

SHA512
d29b9400ef712b11eaeec4f0f8861104d6ef42fa5404a63f3ebbf5d3d6cb1dfad762d5d53c6d833ceecfa6bdb2d95802679b2dabb60d20164f52fc8509102198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
104680b6c202fcd8d74045856061d0b2

SHA1
326a3542ddf3023449f5e2b52348131f3828ea57

SHA256
1a59b936439a5e78576ed116920a36329dba4a69d59c4e2049b375d6cd07fa41

SHA512
c3e1e2b27f8160be60ba8fef820c7f11b8043f1a1cf16a46990080268707fef62a12516aea217f7354efb725abdf2f9f56d80c89946ec3a50d0c9fe46e8d4829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CA8NPROD\microsfotunderstandhowimportantodeleteentirehistorycachecookieeverythigfromthepc[1].doc

Filesize
58KB

MD5
7d37e6af80e23aea8f852cd402856a16

SHA1
bc068302becb020a2e80e23a26f84d640beeaafd

SHA256
12c9ce523a6506f8b7de9be6e3ba2061bd7f0ece9b4ffbe0d66c3478f6d03381

SHA512
7cb46b04a6ba1299bf2c2942368fe0cdcc6abb01dae607e5fcddba344e4ee634c6d21bb6b93cbfe24e2022dfbeb5361904724bd18988320505a389f106aa28c0

Download Submit
memory/1800-42-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-50-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-79-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-78-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-49-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-48-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-47-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-45-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-44-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-43-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-41-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-39-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-37-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-35-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-33-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/1800-32-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-14-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-8-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-18-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-23-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-21-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-20-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-19-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-17-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-11-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-16-0x00007FF9108C0000-0x00007FF9108D0000-memory.dmp

Filesize
64KB

Download
memory/3128-13-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-15-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-22-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-9-0x00007FF9108C0000-0x00007FF9108D0000-memory.dmp

Filesize
64KB

Download
memory/3128-1-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-5-0x00007FF912FF0000-0x00007FF913000000-memory.dmp

Filesize
64KB

Download
memory/3128-6-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-7-0x00007FF912FF0000-0x00007FF913000000-memory.dmp

Filesize
64KB

Download
memory/3128-4-0x00007FF912FF0000-0x00007FF913000000-memory.dmp

Filesize
64KB

Download
memory/3128-3-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-2-0x00007FF912FF0000-0x00007FF913000000-memory.dmp

Filesize
64KB

Download
memory/3128-0-0x00007FF912FF0000-0x00007FF913000000-memory.dmp

Filesize
64KB

Download
memory/3128-71-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-76-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-77-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-10-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download
memory/3128-12-0x00007FF952F70000-0x00007FF953165000-memory.dmp

Filesize
2.0MB

Download