7120436f96a877b0b330e9a0825de42cab3972b9b24ee44a150456f6f8e00222

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Enquiry.xla.xls
Size

219KB
MD5

41b3a7e2538d7217fd54c0e22e50dece
SHA1

f65e7e2dae209eb254c4934e0a8ad80cf4dc8be5
SHA256

7120436f96a877b0b330e9a0825de42cab3972b9b24ee44a150456f6f8e00222
SHA512

90f8c88e3fb098818a17e91f82b59a7a26b4bb7609e1ef95fadbba5cdd3f74f9ccc05671cffaa5c8e7fbf67c0e63c000fab2476dd1a61bf90b9ed590d01fca3e
SSDEEP

6144:FSHBMixiMK6G+ZFrTUvCp4sJg+WxjrxxojBVeM4y:FQpozwjTqCfg+WVfo7z4y

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3096	EXCEL.EXE
3100	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3100	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 460	3100	WINWORD.EXE	92
PID 3100 wrote to memory of 460	3100	WINWORD.EXE	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Enquiry.xla.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3096

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
8eee4c602fab1f63f1693f6f71ea926c

SHA1
8b4b04354e56502b0721fa4469bb80e8afda6fc1

SHA256
b28d5179aa5fd5686d309001790258417532dd41e5cdba34aedaff82c67c89b5

SHA512
ae2bb7148c9ffa3bd4b5e755bfd32eece7691bc2e8030728f8d3e675b68df239ec87cd6a407e59e57beacbe57a2616509f163f5c3432a6fe5b4ea40ec6f74c95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
5263a65b6ae63e0318b52a7016a75b12

SHA1
ae85b8d728e9d25a9aa1457bdb16d49745b8581e

SHA256
5984f374e2b7f088edece5f461c5e2c70103b1ec81b33a26a68eed12297ae693

SHA512
dbedadc309a2c402e80d145b35838097c89f9bdc55f14ff1357f8486bf8dffe10a84e8667e5823a9cf4ca8d84fba422b620be158708aae0134cfec95a8f16fb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\213AF2AF-9507-4A48-9FA9-CD1C3C2F097E

Filesize
159KB

MD5
c09fe3eac89e528779ad4ba893fb4b91

SHA1
ebd04a62744509f18195488a1e2ef4b20faa720f

SHA256
621380f5feee60628293de58fbabde9a13495bfa5cb4cef499457a74c39be5c7

SHA512
7c65fc8e32c8f14098f7fa3c4c1350e22ea03de84fef7be9be873de8605ba9d350c0cde50f6068d36eef5bbf02197d2e4f4ca6818b90f7ead33bdc8d752a9d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
0326094cb9921470cf31c2c9fa8b083d

SHA1
0dc3d59cfa64645a17d39914775537b97f27e93e

SHA256
02d073b94190adfc5288f3ba9c34624e29c9166ae4be0da335a8bc3545041adb

SHA512
291ca897c7efe3af4dda93d59421f295272d7f23d7b25e4a60aba5c1065bb9212ed8a447fe5e808c0d30245f4bba21bb613482e115527ff6e0f52f4e65d7f284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
375ad68ca34991e4254c362e814c70e5

SHA1
2d29a76610f0b7e125ad8e2fcf5480e0d8e43b27

SHA256
b217f7ccbe2f00cdfe4b4215f109d04f1f9ed99d7807622f77a2790ce754b9cd

SHA512
1f89a4cb12ef1e837eafde37dabee76aad242ae0422489d56d0e7b4b6598d283d94d27b622b23817eb9f1c851c78df0cc4fa372322bd5906a4d97b0cd53dc29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K44LV95Q\microsoftinternationalconferencegoingtostartsoonforinternationalpaymentmodeprocesstoupdateofficeandentirethings[1].doc

Filesize
57KB

MD5
4ba3d8e7d6e2dfd627a47eee2fd4f858

SHA1
2dd344c464504ea1be755e2efa9c7ca9fea9292d

SHA256
79cd3b724c1e29309b15e1d87522afcac2ae93795a807ed07e1b5891b43bd5c9

SHA512
6a826a163219bcf4ca27baf5c0ae65523dbf03bba40b0210c858a99ed72ea57891ce9bd6ec1ff32dbcbc940c2f5002e3dba5464ab58ea804dc5068192832bee0

Download Submit
memory/3096-11-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-17-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-6-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-9-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-10-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-0-0x00007FFB302D0000-0x00007FFB302E0000-memory.dmp

Filesize
64KB

Download
memory/3096-12-0x00007FFB2E010000-0x00007FFB2E020000-memory.dmp

Filesize
64KB

Download
memory/3096-13-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-14-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-15-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-16-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-5-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-18-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-19-0x00007FFB2E010000-0x00007FFB2E020000-memory.dmp

Filesize
64KB

Download
memory/3096-118-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-117-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-116-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-63-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-1-0x00007FFB302D0000-0x00007FFB302E0000-memory.dmp

Filesize
64KB

Download
memory/3096-2-0x00007FFB302D0000-0x00007FFB302E0000-memory.dmp

Filesize
64KB

Download
memory/3096-3-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-8-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3096-4-0x00007FFB302D0000-0x00007FFB302E0000-memory.dmp

Filesize
64KB

Download
memory/3096-7-0x00007FFB302D0000-0x00007FFB302E0000-memory.dmp

Filesize
64KB

Download
memory/3100-39-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3100-40-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3100-38-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3100-37-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3100-36-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3100-34-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3100-64-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3100-102-0x00007FFB302D0000-0x00007FFB302E0000-memory.dmp

Filesize
64KB

Download
memory/3100-103-0x00007FFB302D0000-0x00007FFB302E0000-memory.dmp

Filesize
64KB

Download
memory/3100-104-0x00007FFB302D0000-0x00007FFB302E0000-memory.dmp

Filesize
64KB

Download
memory/3100-105-0x00007FFB302D0000-0x00007FFB302E0000-memory.dmp

Filesize
64KB

Download
memory/3100-106-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3100-107-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3100-108-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3100-32-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3100-31-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download
memory/3100-29-0x00007FFB70250000-0x00007FFB70445000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads