91679240b2a48727bb2bf1a2193dda89e238f98b0859a5dfa169512bfb9ef641

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91679240b2a48727bb2bf1a2193dda89e238f98b0859a5dfa169512bfb9ef641.xls
Size

649KB
MD5

1ab4496b7169a2da02da21e37b955c46
SHA1

1c1431f691118948783af2036c81a21302f17f11
SHA256

91679240b2a48727bb2bf1a2193dda89e238f98b0859a5dfa169512bfb9ef641
SHA512

a00d67be27684bc40d5d4be7ebfd2e69339c59f097467d2c5197e40198891100ad4376c8fd0399c67c8761879228d6e4a2bf684b9de0b320f6a91e909552e843
SSDEEP

12288:OSVpBC6uEkDogpozwjToLn9Iz79q1uaXgX/r196YlajfsQa5hX:7w6siWGg7I1uaXgXj196uaTOv

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1704	EXCEL.EXE
2552	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	2552	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
2552	WINWORD.EXE
2552	WINWORD.EXE
2552	WINWORD.EXE
2552	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2628	2552	WINWORD.EXE	92
PID 2552 wrote to memory of 2628	2552	WINWORD.EXE	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\91679240b2a48727bb2bf1a2193dda89e238f98b0859a5dfa169512bfb9ef641.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\447C795F-ED5E-4BAC-8EE9-9299CEB8808C

Filesize
159KB

MD5
aeb290052aaf71a9df853a771f6e75aa

SHA1
b04c5a2e83bcde5cdbb9844a442012f81f713494

SHA256
42f2280ff7bb1c055fb6c061d090397baae8edaba02b304625d26a9ca8412b55

SHA512
e8ad63ff90d43669dc5f4a751913e7f1e2738e77fc3276dd9ec9f9362c25889d2d45e45b44c190b0da2968aec237a85259ad002345fa5c8adfb9e268990c2bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
c25eb05dc42960a4e36a909765ecb5ea

SHA1
32c161742d9dc6c78b887f12c6e060b27d346100

SHA256
66498ad67b498c6beea7f028b4b5991b158d48e06328e0dc46e6a033253e905b

SHA512
c22f5b04116c36a34253a121fd4e3618e1e4d7c71ab5ba20208807e4e5095a7803394763ce7bc33dc71e2ca5edf4fc89a803469c3a523ce7877a273c59e5b12d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
818710f7c5df048650d3db7cd3ce1aba

SHA1
ab8423cc5561d53a98467bb63d8df3d10e05a9cf

SHA256
014eaf1d08ce6aeee1c49346dc03445940b834f9f5b7bd3b06a278d203fbcf06

SHA512
86aaa75e7c5f679d78b2675eeaf2ad98d84f87000e44f7ae5bda982ffcd8297e10422eefeddb26bf5ce68ab9b87d007ba43b9e2f78b4409b90bed202f8b1bc71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\microsoftunderstandhowimportantfortheupdationofnewserviceentirefuturewaitingfordesignthenew[1].doc

Filesize
54KB

MD5
1576f9c9b9bd52cc54a24122585d04e5

SHA1
df18e510cb424c1a14235be98eb44f6cf797a0a7

SHA256
9a683ca63641a2e7a96bd11bf621a9968add7bb4d11ab4ec20f53ceb0904cef2

SHA512
fe25fc1b1213c3e28b9682d3e3eab63d1fdc24a56ce62e3ea982fd8bdcc4b120046e07bcb56f237b98bc0dfaecafe6e9ef143cdf733f159a961cc1c28f88f8c1

Download Submit
memory/1704-19-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-17-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-7-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-6-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/1704-8-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-9-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-11-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-12-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-10-0x00007FF8A1510000-0x00007FF8A1520000-memory.dmp

Filesize
64KB

Download
memory/1704-13-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-14-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-15-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-16-0x00007FF8A1510000-0x00007FF8A1520000-memory.dmp

Filesize
64KB

Download
memory/1704-2-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/1704-18-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-20-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-21-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-22-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-0-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/1704-23-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-5-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-74-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-1-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/1704-3-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/1704-4-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/2552-39-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-46-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-47-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-48-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-45-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-49-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-51-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-52-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-53-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-44-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-42-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-40-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-37-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-35-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-75-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2552-76-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads