3a1b13e80cfd6e053f5a605e531c17a936a33fc5c5467e40be5a8845a2d2dbcb

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO-5299.xls
Size

389KB
MD5

ca93ad9d9887663ed1afc2197b775268
SHA1

017bb90012dfa9fd9a6a05efd01d1d929e411039
SHA256

3a1b13e80cfd6e053f5a605e531c17a936a33fc5c5467e40be5a8845a2d2dbcb
SHA512

02278f911322f744155b59908b13fcb69fed701230921cdf3ae041ec1beafafb24322712025498925e192922203b3325e8e7896c156a489c43e992e8d02585af
SSDEEP

6144:6zcOPqGlSHBMixiMK6G+ZFrTUvCp4sJgKWQdywS26nd1WejItjFGDoo1Cz:6zBZlQpozwjTqCfgKFdyV2Qjc5GY

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1460	EXCEL.EXE
528	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	528	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1460	EXCEL.EXE
1460	EXCEL.EXE
1460	EXCEL.EXE
1460	EXCEL.EXE
1460	EXCEL.EXE
1460	EXCEL.EXE
1460	EXCEL.EXE
1460	EXCEL.EXE
1460	EXCEL.EXE
1460	EXCEL.EXE
1460	EXCEL.EXE
1460	EXCEL.EXE
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 4628	528	WINWORD.EXE	96
PID 528 wrote to memory of 4628	528	WINWORD.EXE	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-5299.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
0b0f53ac2e1023a00eee30309c661a8e

SHA1
76be2d52c31c1d7a8d6e4446d156670344ad1e7d

SHA256
2601835e3edf3860609da5196dfbb8b1705dde559b1285425101d6eab7a869c7

SHA512
b088f4838c15b45e91305f7e2d38813874aaaff4393fc0f855eeab6194cf84ed2fcafefc5907b57b4eca5da624138077532d8d7a3383a752ef6f5c8fa9dd28f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
d36681cfca6d29d8728147f34544a77e

SHA1
0d99117e36fefa1c37d958b786dbbf109aa5b055

SHA256
6ec4df5bd83ffacd2971309aa6717223960b36d801c7335ab6a3c4712e6bd859

SHA512
8241e4df6653471d4916f97f7f201b4e458a81a6e338dd5b67fe4dc2d1a299afffb278c16351611d18dde20ccb747123a11805f77dc6049e9cf312425494f94f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\450F6FED-049C-4F55-96F3-4F05A6E8B8BE

Filesize
140KB

MD5
6ada6ab6614173249bcb65d97e57412b

SHA1
d5442f52fb3b6d152ad9377204854f8e31760a97

SHA256
0ffbaf39c752621247e4d397025c5af4d1cd62b6fe8f64af21ec107a5723f4d5

SHA512
b41ead1f5e992ca26892408a67bc6a37e0797a3e5bbb4b288e1e9a08205c5a53bbe0f07f2a077cfbb224516d13c66a2889daa355f532edda94c9361e683a3415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
053f03ba6bf754d44dec7d6fe353830e

SHA1
ead4e6707746c34b95f76af4b1c577fac456d734

SHA256
d4e1daa3edf3fd10865ff8d07fc81d0fb40c96e57f2526e2c86586740ee73d58

SHA512
2f3dc21bc80add1f2e971333c84a8ec034d47693333a7c435b088a09ccdae6af572e88c92738b3725b7046857239671bda7dd74f5e9830c5228b486fe9a31aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
02adc03d6d528ba52c2218541b2b868f

SHA1
e676f8565ae039afd865879fb4aa6d07e97b956d

SHA256
25186645bb9c6cf5f5212534845111daa26fe991f77c557efe7a7e8be19f8fdc

SHA512
998be92b879adbf8aff385631f9e0ec3dad646167bb93ac3b1437e220c764195b2982907c97290e12404d88e5e7c9fb0bc822b23f5856dd46be2443d31eb0f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8D1Z5HG5\microsoftreturnedthrpolicytocontineutheserviceupdationfromthesystemprotocoltounderstandentireprocessfromth[1].doc

Filesize
66KB

MD5
0f15c2649a458ea6d0421b673571b5af

SHA1
a7cd0504cee1402625b1ab2bd13e89d344b3cb60

SHA256
19903b449b7a97eff2293836d617b509039bc4b8b108b9b5ae299f0e2a2ce9d7

SHA512
61ffb5b2d56bc32ee03a4e9ea70adeb5869226e92e8e4bc3d26f29c08060c8d4f5350d6fde19e26a3e536b9aaee3c24b072d7541e01c217471cd3f9f2868a1b5

Download Submit
memory/528-43-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/528-41-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/528-28-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/528-74-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/528-42-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/528-40-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/528-37-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/528-39-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/528-36-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/528-29-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/528-34-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/528-32-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-11-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-0-0x00007FFBA85F0000-0x00007FFBA8600000-memory.dmp

Filesize
64KB

Download
memory/1460-20-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-21-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-22-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-23-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-15-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-18-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-16-0x00007FFBA6180000-0x00007FFBA6190000-memory.dmp

Filesize
64KB

Download
memory/1460-17-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-14-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-13-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-12-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-19-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-10-0x00007FFBA6180000-0x00007FFBA6190000-memory.dmp

Filesize
64KB

Download
memory/1460-9-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-7-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-8-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-4-0x00007FFBA85F0000-0x00007FFBA8600000-memory.dmp

Filesize
64KB

Download
memory/1460-6-0x00007FFBA85F0000-0x00007FFBA8600000-memory.dmp

Filesize
64KB

Download
memory/1460-5-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-3-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-2-0x00007FFBA85F0000-0x00007FFBA8600000-memory.dmp

Filesize
64KB

Download
memory/1460-72-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-73-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

Filesize
2.0MB

Download
memory/1460-1-0x00007FFBA85F0000-0x00007FFBA8600000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads