1919a1b877651e00acebeae51a55aaf26ba8828ee78bffbe420339cf204545cc

General

Target

Purchase order.xls
Size

573KB
MD5

2057adda9d066eaf2b27b19c4643fea1
SHA1

41599cc28565373fe49464a4413ec3eaf03356e4
SHA256

1919a1b877651e00acebeae51a55aaf26ba8828ee78bffbe420339cf204545cc
SHA512

e096995223135a5c331f38e55bbd53a03feebe16705383d4d2b7a1eaf015523235e779d87250def268b9e55f37fb50f09d50ebae2dc97a5facb9b5f26a4fa0b5
SSDEEP

12288:VTk6SEXMcbNedomzE23bVGvMIgJWG+/ryf9wbw8oRU:/SSMMednE23bV/cE8z

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1788	EXCEL.EXE
2428	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	2428	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1788	EXCEL.EXE
1788	EXCEL.EXE
1788	EXCEL.EXE
1788	EXCEL.EXE
1788	EXCEL.EXE
1788	EXCEL.EXE
1788	EXCEL.EXE
1788	EXCEL.EXE
1788	EXCEL.EXE
1788	EXCEL.EXE
1788	EXCEL.EXE
1788	EXCEL.EXE
2428	WINWORD.EXE
2428	WINWORD.EXE
2428	WINWORD.EXE
2428	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 808	2428	WINWORD.EXE	91
PID 2428 wrote to memory of 808	2428	WINWORD.EXE	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Purchase order.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9D67B74D-C0AB-44BF-B076-8CBA5E20CB26

Filesize
159KB

MD5
87c75868b142ca8e3cd269be8a680d14

SHA1
7cf08ab542b5735bce769e8a83eccf74918726c1

SHA256
33d0dc298ef46312f0e725eecddd979163a6374401d2308cb83f73e46bef15e9

SHA512
b88a9090c60cfe974603a8ca87e715220997c60de1de6770e3b1fba181c0052a64e259fe15e4b372f6310096131cdca6bdc94cb91ff57f3a054e8706773e1c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
7712e2fc3df932008ed5b42e2584de1a

SHA1
c9fbc72aa2d2947f437dcf5d1793ffafaa288608

SHA256
bf9028708d2238a44f1fa031b9a43792dd31eca0b9fa71fb8dbdf4535d60e172

SHA512
4b7f9217bc29b86953dd0e0b02f78664e295ff451d59cd7724c140e1e40f26bf7aca4e0c8b153e9672757d57d75f6eba23509e9822d806281d02d2f005204de7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
87b4b97722018a37fbf4fa39b5dbfb6a

SHA1
edb2ba9e3e4419b33eb63b32243bfbc431527a61

SHA256
17ebbcff4e95202974cc7829c2764e7fa551fc3322232430ddc19025f4f38091

SHA512
bf6db1cc682e923e17cdbf1899edb5b339d9fffc27330147fcdf7c02eb532143f48eb599ea32888bf1c031a658a9c211292e4a96c67803ec0cac5cdaac2e7fb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9ALL181V\dasleodasgoodtohearthathappinessgoodforeveryonegoodtogoforupdationvalidatetheupdationgoodfortogoforgood[1].doc

Filesize
66KB

MD5
1e9c3b0f39c13c25423e676e4da9b940

SHA1
563cbb6126b3add2f872d250c40a68e9372151bf

SHA256
464c336ea903590b0ccc26e8eaa734e8b819b31f860d0d20a67d3239b2cc7f92

SHA512
735ac74fa7d1219abfcb3b2fc09c0a1d1de74c83ba185503059b88a22883addabfafb823aade144bec051eb22888339214e37d87b3c855db6213478bb2294c94

Download Submit
memory/1788-9-0x00007FFAB8F50000-0x00007FFAB8F60000-memory.dmp

Filesize
64KB

Download
memory/1788-11-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/1788-6-0x00007FFABB7B0000-0x00007FFABB7C0000-memory.dmp

Filesize
64KB

Download
memory/1788-7-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/1788-4-0x00007FFABB7B0000-0x00007FFABB7C0000-memory.dmp

Filesize
64KB

Download
memory/1788-8-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/1788-10-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/1788-5-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/1788-12-0x00007FFAB8F50000-0x00007FFAB8F60000-memory.dmp

Filesize
64KB

Download
memory/1788-59-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/1788-0-0x00007FFABB7B0000-0x00007FFABB7C0000-memory.dmp

Filesize
64KB

Download
memory/1788-2-0x00007FFABB7B0000-0x00007FFABB7C0000-memory.dmp

Filesize
64KB

Download
memory/1788-3-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/1788-1-0x00007FFABB7B0000-0x00007FFABB7C0000-memory.dmp

Filesize
64KB

Download
memory/2428-25-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/2428-31-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/2428-32-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/2428-33-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/2428-34-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/2428-30-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/2428-29-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/2428-27-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/2428-23-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/2428-21-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download
memory/2428-60-0x00007FFAFB730000-0x00007FFAFB925000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads