8d131fafbcc174ab6d33a73b0e7cbb72060a403cac403234578acfa762cef7b6

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d131fafbcc174ab6d33a73b0e7cbb72060a403cac403234578acfa762cef7b6.xls
Size

332KB
MD5

77d965dd6195cc14fbfdbbbf7a86b7ba
SHA1

7e796af62e94214f14a7630abfba485187b3c7de
SHA256

8d131fafbcc174ab6d33a73b0e7cbb72060a403cac403234578acfa762cef7b6
SHA512

4b44d491fd706b8ab1d748d6689c58f9b2cc752990146cc696d3239b135dbc04495b54725e0ebfeea4d3d8f0d84cc3efa4872a473b1c171fcacbfb95eda1e0f3
SSDEEP

6144:FVqYskzvCp4sJgDF1bqGHBMixiMK6G+ZFrTLOCii/D8Ug5PXYy9:FMYxbCfgD/bqEpozwjTLOC7D8DX

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4356	EXCEL.EXE
4740	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4740	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4356	EXCEL.EXE
4356	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE
4740	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4336	4740	WINWORD.EXE	93
PID 4740 wrote to memory of 4336	4740	WINWORD.EXE	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8d131fafbcc174ab6d33a73b0e7cbb72060a403cac403234578acfa762cef7b6.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4356

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D2CE07E3-87FD-4D77-966A-25875AC53114

Filesize
159KB

MD5
cbd38946eb844e0ef358671efacde68d

SHA1
aa9c4763b396e24901faf8ae36ed90fb77d14507

SHA256
088863f07755596085b61c15e3a94d1c5b470a395f88554ac49eec5a083bb500

SHA512
ff9986ba77446c39ab94e922d8d0224cc1b45c093dc2fa0435b2975a30b544e66fc3fb52fbfbc7d06ce94037ddbbf55382e66cd35dd96245d002e42c9e7e613b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
cd596ee82ec2e8fb791bf31d288340f2

SHA1
4ffc33ccbe40e81d18b8e34ad2d26f218f48a1e1

SHA256
67144aede5a3ee07dff19b71251e2a81ea55863920dc04ed8fbb9f49f23eb97d

SHA512
b7b38abbc6c3b9b709f12c6f4bd1c6aed425e6405b686f005704375bff4a9908979099dfc1742dbfb729cc1ded834a305dd4932885458163a683fc5c2f94456b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
4316246b7452d017a3ea63618b489f83

SHA1
aba1f0fa91bdd286f098593da623e4d7a342dcf6

SHA256
a2b55463951dd2db4bf08fab503c42676549302e0e56e71ed6ed379032962fc5

SHA512
c91c16fea5a308f665add26a3c0fe2691abc5df74b5fd424d4857ea797313fe22b8213d6c7a76d977111de87f56ae23a2c41ba397361429e80b7367362f98fe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5HLKI332\mylovetoindustrytopofthelovetoenhasednewtechnologyfordevelopnewthingsfornewthingstounderstandthenewthings[1].doc

Filesize
66KB

MD5
6acd8bd21ffe473520fe45648b23862b

SHA1
3cb79f909f5e3d9b1f0206e5c7df25ab5d5dab0e

SHA256
fc9358b07f539d49b035be443bbce78091d30bc4012a220886cc8156be7854f0

SHA512
9d60acdfcd5ca23a10614786f8b6931511e1ecc3413110a7abec26d8737df14d900f9c2dd1eab3ffb11803895f0dca22817b577cc0b29462126f06d412a636a1

Download Submit
memory/4356-11-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-59-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-6-0x00007FFDC4190000-0x00007FFDC41A0000-memory.dmp

Filesize
64KB

Download
memory/4356-7-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-8-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-9-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-10-0x00007FFDC1AC0000-0x00007FFDC1AD0000-memory.dmp

Filesize
64KB

Download
memory/4356-0-0x00007FFDC4190000-0x00007FFDC41A0000-memory.dmp

Filesize
64KB

Download
memory/4356-13-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-14-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-12-0x00007FFDC1AC0000-0x00007FFDC1AD0000-memory.dmp

Filesize
64KB

Download
memory/4356-15-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-16-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-17-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-18-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-118-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-117-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-63-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-62-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-2-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-5-0x00007FFDC4190000-0x00007FFDC41A0000-memory.dmp

Filesize
64KB

Download
memory/4356-3-0x00007FFDC4190000-0x00007FFDC41A0000-memory.dmp

Filesize
64KB

Download
memory/4356-4-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4356-1-0x00007FFDC4190000-0x00007FFDC41A0000-memory.dmp

Filesize
64KB

Download
memory/4740-42-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-64-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-44-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-106-0x00007FFDC4190000-0x00007FFDC41A0000-memory.dmp

Filesize
64KB

Download
memory/4740-34-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-39-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-35-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-36-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-43-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-37-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-40-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-38-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-107-0x00007FFDC4190000-0x00007FFDC41A0000-memory.dmp

Filesize
64KB

Download
memory/4740-105-0x00007FFDC4190000-0x00007FFDC41A0000-memory.dmp

Filesize
64KB

Download
memory/4740-104-0x00007FFDC4190000-0x00007FFDC41A0000-memory.dmp

Filesize
64KB

Download
memory/4740-108-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-109-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-32-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download
memory/4740-30-0x00007FFE04110000-0x00007FFE04305000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads