f8107dcd6388dddcd4133a3bd3bbfb6a12b5ce3b17b2b0b3ec59e23c9771ba5b

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls
Size

302KB
MD5

250841072f7bb27d6a75cd026249bb87
SHA1

190342d9c712d9af9a3dce9eb3f2ff32bf100e23
SHA256

8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b
SHA512

27435486bd6eec7c591ec5388aec063d0ceb6f7198bda22dcb5c01dab11aaf878fa5d4b8723fefcb1983387e011100effd1e39d9e38f5b5511e2b1c997b788f0
SSDEEP

6144:6vBNSHBMixiMK6G+ZFrTUvCp4sJgo0r6Rz4rN9RjymY7TaGv37Aodpz:6vBNQpozwjTqCfgo0ugNymWbvrf3

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2680	EXCEL.EXE
3224	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3224	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2680	EXCEL.EXE
2680	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2680	EXCEL.EXE
2680	EXCEL.EXE
2680	EXCEL.EXE
2680	EXCEL.EXE
2680	EXCEL.EXE
2680	EXCEL.EXE
2680	EXCEL.EXE
2680	EXCEL.EXE
2680	EXCEL.EXE
2680	EXCEL.EXE
2680	EXCEL.EXE
2680	EXCEL.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 4444	3224	WINWORD.EXE	93
PID 3224 wrote to memory of 4444	3224	WINWORD.EXE	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5C725172-6467-4E95-ACF7-7E3C242ECBB7

Filesize
158KB

MD5
1bb1d0124e74eb7bab7b41f6e08b63b9

SHA1
56bdf600fa61fa42ccfaf6e4e82365cb87b542bc

SHA256
59cfcc69d1a0722dceee1f72ea505bd37c779c95cde627fe2fd9d5df5799a3f3

SHA512
73ec4815d1ac32fb4e7a6fc587dc2b403e4e3763b831a3c28baf7256c347b799e31ce71cc6c0e71f4fecb2dd7fee6ef9aa2682494e70adafe27c9f448bd6d1be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
a6204c15daf2f6c77f638aa89796c6a8

SHA1
75da253069e822e439e171313e64fe0562af3a3f

SHA256
a0a3db8d68f007122c61dc6a5e8a9fde7dd150162424f5f6ffeb60e7e4c80cf0

SHA512
39e23f5894e5acd1dbb13ff2cc5b5a7322c1b7772bfaa747d80f229e12c2135910c80de6ece17cb67ae225c0f0894043ed6c2bbc84b38fd553b5d936ad2b29c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
cf2127e120ba81bca0a3fa8b0f93a0af

SHA1
c27df69f44b949ae45b13cc83a8b4bca12d4043f

SHA256
93ed2134af9170efe00e624eb599e374fdb0e6c6eebea83f1192d6ef1cac04ed

SHA512
9e58c5b107a7341e70ca1b756773e18a0e1ab2150a4c0124cf501b8fb58607bcf4776ac6a68d50cecfb5ac7d6ff6e11c5a6290c399ee2e84c530832e4593fc9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BMK4G1YN\microbiolagicalthingshappeneingaroundtheworldforentireprocesstostartfromthefirsttonowforev[1].doc

Filesize
61KB

MD5
adf6b4115caf260b8f57c1fd9bb618ec

SHA1
5ed800417118abeb366163bcda0608b0d0109a66

SHA256
6ebe7e25c68f5e44b3e542b47ca7d0faab3fa7c7f1b71e17f5fdaeb7f4a7b003

SHA512
706d851d922f53e83783f7f5ed65b24e8322c64db3f6e03f19e5aa6bce3ea504a5f221cfa8d6700e374b5cc5c94415c9f0bd3386dd872974738c9788400f43dc

Download Submit
memory/2680-11-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-9-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-3-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-7-0x00007FF937510000-0x00007FF937520000-memory.dmp

Filesize
64KB

Download
memory/2680-8-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-10-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-0-0x00007FF937510000-0x00007FF937520000-memory.dmp

Filesize
64KB

Download
memory/2680-13-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-12-0x00007FF9354B0000-0x00007FF9354C0000-memory.dmp

Filesize
64KB

Download
memory/2680-122-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-18-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-19-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-17-0x00007FF9354B0000-0x00007FF9354C0000-memory.dmp

Filesize
64KB

Download
memory/2680-15-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-22-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-23-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-21-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-20-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-4-0x00007FF937510000-0x00007FF937520000-memory.dmp

Filesize
64KB

Download
memory/2680-14-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-16-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-67-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-2-0x00007FF937510000-0x00007FF937520000-memory.dmp

Filesize
64KB

Download
memory/2680-1-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-6-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/2680-5-0x00007FF937510000-0x00007FF937520000-memory.dmp

Filesize
64KB

Download
memory/3224-38-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/3224-40-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/3224-37-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/3224-36-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/3224-34-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/3224-68-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/3224-110-0x00007FF937510000-0x00007FF937520000-memory.dmp

Filesize
64KB

Download
memory/3224-111-0x00007FF937510000-0x00007FF937520000-memory.dmp

Filesize
64KB

Download
memory/3224-112-0x00007FF937510000-0x00007FF937520000-memory.dmp

Filesize
64KB

Download
memory/3224-113-0x00007FF937510000-0x00007FF937520000-memory.dmp

Filesize
64KB

Download
memory/3224-114-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download
memory/3224-32-0x00007FF977490000-0x00007FF977685000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads