Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 15:33

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Heur.25589.9954.xls
Resource: win7-20231215-en
General

Target: SecuriteInfo.com.Heur.25589.9954.xls
Size: 275KB
MD5: e108b870cba8e39e516076ca3989372b
SHA1: 439fd0bdcf0319994f9b91f28d4f2b2a5bde0874
SHA256: 69f40c2f6a4540550f934e0b2f9a354629d3835b30fd13293c2f6a6b97202159
SHA512: 710235888d211b49f89d97d2cd32a7ac47922cbe421a3eb0fbb7f50a2b5f2e46236a6b64843cf29e6163c32798b48f46b6e1fca318f8cfc04045f00bf30d244a
SSDEEP: 6144:5kunhVY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVLOMI2n1WbMS5Fuhix2c:5tC3bVLOMIg9Y
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, EXCEL.EXE
  process      description        ioc
  WINWORD.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  EXCEL.EXE    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  EXCEL.EXE    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  EXCEL.EXE    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
  process      description        ioc
  EXCEL.EXE    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  EXCEL.EXE    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  EXCEL.EXE    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  WINWORD.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
  pid   process
  2404  EXCEL.EXE
  3972  WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WINWORD.EXE
  description              pid   process
  Token: SeAuditPrivilege  3972  WINWORD.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: EXCEL.EXE
  pid   process
  2404  EXCEL.EXE
  2404  EXCEL.EXE

Suspicious use of SetWindowsHookEx (16 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
  pid   process      count
  2404  EXCEL.EXE    12 IoCs
  3972  WINWORD.EXE  4 IoCs

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
  description                       pid   process      target process
  PID 3972 wrote to memory of 1504  3972  WINWORD.EXE  splwow64.exe
  PID 3972 wrote to memory of 1504  3972  WINWORD.EXE  splwow64.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 2404)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25589.9954.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 3972)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
    C:\Windows\splwow64.exe  (PID 1504)
      Command line: C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe  (PID 1052)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E9B5A4E0-ED79-46E4-8E73-AE1F762303E5
  Filesize: 159KB
  MD5: ebca3b598072acd15798671b9e822f38
  SHA1: 81900a90f4bbc5ddb6175637a4095887b4e3dc67
  SHA256: 8bf6a4b8696ea7a8cdcbe6a82a86d31fd895b9e3467854302c0d2d140fabc460
  SHA512: be0d8c17c4c28d90a106f224e2e392adbc9d8417156f0006c51db275a76e3bd6b43961ba83bfed0f64ac9d80d8e70d25bd20f3726d4555486966a6395c1929f1

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 23d1dfd2e95276d834ffcd63a798022d
  SHA1: 83cef1d1c4f10345e21cf407ed9de0caf1bea77c
  SHA256: 97a698b4e58240e8a4d536800cad3f5d482d020066deb7e40ae8be757002c51b
  SHA512: 0a4fa64887ae79ec6cf73beaa322e55cbf631b46a1a1b53b33d3f097bf4587e7d52813556a36ad8396bfcddcf205a97894f95f33975b3f8a2e4e922af6a38058

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 9c544020ac724f8a3dc1e8c5e4d834dc
  SHA1: 1a0745fc237e089d3c847889de060c5e4e243490
  SHA256: f66cc54d343aea7d61ba3fd7ca0d8b8c7100aa3f84c68cd9a69a4c3b7232c4dc
  SHA512: 7021dd8de6fdf2b677ee36761aca2096988dbc0852deeda98ab744726de72b99d3e46b7e3847fbe5724e9efe9d09ab34fc17b8567584f20593792b5b93257504

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\vnextofficeupdationwaitingfortheentireprocesstocompleteandimprovethethecnonologyfornew[1].doc
  Filesize: 65KB
  MD5: 869dc88123916a7193c56809db6b5e97
  SHA1: fb285a3be57ea12e4884152c9542dbcc4b3d1b6d
  SHA256: d144a111d023b667aa6a2f56af76323943ae9553b6629afe91131dfd2d5f2e0b
  SHA512: 67bd25e403c355090ad1db59f9f15426595c7c70ab77d85cb3678bfac5c939f4a3f72d6caf713dd2ca8f2df4f8f908f190940c2035afd5efbf9e6916f52f2081
Memory dumps

  dump            range                                    size
  memory/2404-41  0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/2404-1   0x00007FFB298D0000-0x00007FFB298E0000  64KB
  memory/2404-7   0x00007FFB298D0000-0x00007FFB298E0000  64KB
  memory/2404-6   0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/2404-8   0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/2404-9   0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/2404-10  0x00007FFB273D0000-0x00007FFB273E0000  64KB
  memory/2404-11  0x00007FFB273D0000-0x00007FFB273E0000  64KB
  memory/2404-2   0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/2404-46  0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/2404-44  0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/2404-43  0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/2404-0   0x00007FFB298D0000-0x00007FFB298E0000  64KB
  memory/2404-5   0x00007FFB298D0000-0x00007FFB298E0000  64KB
  memory/2404-4   0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/2404-3   0x00007FFB298D0000-0x00007FFB298E0000  64KB
  memory/3972-31  0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/3972-30  0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/3972-27  0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/3972-28  0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/3972-24  0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/3972-25  0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/3972-52  0x00007FFB69850000-0x00007FFB69A45000  2.0MB
  memory/3972-53  0x00007FFB69850000-0x00007FFB69A45000  2.0MB