f8107dcd6388dddcd4133a3bd3bbfb6a12b5ce3b17b2b0b3ec59e23c9771ba5b

Analysis

max time kernel
150s
max time network
141s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
18-01-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls
Size

302KB
MD5

250841072f7bb27d6a75cd026249bb87
SHA1

190342d9c712d9af9a3dce9eb3f2ff32bf100e23
SHA256

8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b
SHA512

27435486bd6eec7c591ec5388aec063d0ceb6f7198bda22dcb5c01dab11aaf878fa5d4b8723fefcb1983387e011100effd1e39d9e38f5b5511e2b1c997b788f0
SSDEEP

6144:6vBNSHBMixiMK6G+ZFrTUvCp4sJgo0r6Rz4rN9RjymY7TaGv37Aodpz:6vBNQpozwjTqCfgo0ugNymWbvrf3

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2788	EXCEL.EXE
3960	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3960	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2788	EXCEL.EXE
2788	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2788	EXCEL.EXE
2788	EXCEL.EXE
2788	EXCEL.EXE
2788	EXCEL.EXE
2788	EXCEL.EXE
2788	EXCEL.EXE
2788	EXCEL.EXE
2788	EXCEL.EXE
2788	EXCEL.EXE
2788	EXCEL.EXE
2788	EXCEL.EXE
2788	EXCEL.EXE
3960	WINWORD.EXE
3960	WINWORD.EXE
3960	WINWORD.EXE
3960	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 4256	3960	WINWORD.EXE	75
PID 3960 wrote to memory of 4256	3960	WINWORD.EXE	75

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8F5D510A-31BF-4DBB-9D3D-538D0DCC7A64

Filesize
158KB

MD5
13daf4626e1e5d6d2f736627a51f8662

SHA1
982b48fd1c1f3b2e00c1186718cfe9cc7be1675f

SHA256
d1d2ec58c50a7dbd8c5a933e6625350678796dd5166ece51e9ddb2ae616570c7

SHA512
37a2c7430c56bcca837fed3a945aaac513215fdaf5892c455805c24e15ffb43849e53f0b23e2c8e1cf2910b18059f5dc2d6bb2956cd80da60c180b7249278d61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres

Filesize
2KB

MD5
c983498436042d3c6db5fa68cf986625

SHA1
dc10cb8176f065d22f0a4510a6c58f3ae6e766f7

SHA256
2ec828f8a76ccb8f1857f20a2fbacdf1e76247084e207bee80bf03ad9abd705b

SHA512
31b30b6a86cd71b99882d5f5bbf74360dc0d685592435205f9b87d37043a4146f333a74b8750a87cdf89778a0878eadddd026ea095bbea72e1581ee5a4b7aab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EMHIAF5P\microbiolagicalthingshappeneingaroundtheworldforentireprocesstostartfromthefirsttonowforev[1].doc

Filesize
57KB

MD5
87d895bf138934010dff583e24b8719b

SHA1
21bf4cb9f70b31285976bbd1ce438d61ca20c614

SHA256
ad024cbfdc10c8fa85cb7927a7739ed88e9d70af73997c24133124eb794361b7

SHA512
50b13afe914b4ca6f9a273764e39da927f7126807502870eeb7bce87d85b3fee68a64e39787e2daa3d87be7322ae60f9462b2065cf6b039fb6cd668b18591875

Download Submit
memory/2788-29-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-3-0x00007FFEC4AB0000-0x00007FFEC4AC0000-memory.dmp

Filesize
64KB

Download
memory/2788-2-0x00007FFEC4AB0000-0x00007FFEC4AC0000-memory.dmp

Filesize
64KB

Download
memory/2788-4-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-6-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-8-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-31-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-9-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-10-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-11-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-13-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-12-0x00007FFEC1CC0000-0x00007FFEC1CD0000-memory.dmp

Filesize
64KB

Download
memory/2788-14-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-15-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-16-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-17-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-20-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-19-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-21-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-275-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-22-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-23-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-24-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-25-0x00007FFF035E0000-0x00007FFF0368E000-memory.dmp

Filesize
696KB

Download
memory/2788-26-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-27-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-28-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-0-0x00007FFEC4AB0000-0x00007FFEC4AC0000-memory.dmp

Filesize
64KB

Download
memory/2788-30-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/2788-1-0x00007FFEC4AB0000-0x00007FFEC4AC0000-memory.dmp

Filesize
64KB

Download
memory/2788-18-0x00007FFEC1CC0000-0x00007FFEC1CD0000-memory.dmp

Filesize
64KB

Download
memory/2788-276-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-182-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-179-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-180-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-184-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-181-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-187-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-188-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-199-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-189-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-191-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-192-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-279-0x00007FFF035E0000-0x00007FFF0368E000-memory.dmp

Filesize
696KB

Download
memory/3960-197-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-196-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-186-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-203-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-206-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-209-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-208-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-211-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-214-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-201-0x00007FFF035E0000-0x00007FFF0368E000-memory.dmp

Filesize
696KB

Download
memory/3960-277-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-278-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download
memory/3960-194-0x00007FFF04A20000-0x00007FFF04BFB000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads