32a842bbe2d6f9068a1aa1f2722d80cd7b8756b5abb5e7662426e1a8203c3cca

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Arrival Notice 003.xls
Size

324KB
MD5

2ba28d8602c3182b87255b7b0ffaa88a
SHA1

b9667c833156b62f9b000326f799c67deca3b395
SHA256

32a842bbe2d6f9068a1aa1f2722d80cd7b8756b5abb5e7662426e1a8203c3cca
SHA512

f1af584c9935dd1ec0032a78650719490449ef4745104368397b00b2efefb76870314fa1d1f23f47f70e3034136a2bb5117938ed52d52609c000c6a2f08132cd
SSDEEP

6144:4R7unvVKZrnjVl5s2XTa2YGK2Z9Il9BsO87ShmskMXOo3F8uFR3Ns6:4RWyrjrXTte2yioV8uFpNs6

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4984	EXCEL.EXE
2092	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	2092	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
2092	WINWORD.EXE
2092	WINWORD.EXE
2092	WINWORD.EXE
2092	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2928	2092	WINWORD.EXE	97
PID 2092 wrote to memory of 2928	2092	WINWORD.EXE	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Arrival Notice 003.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
0786a1d41690c9b4b65efbe4b7ba7317

SHA1
4c81810b6067304651b237757295a875542017d9

SHA256
9de5d5df986a8c9785a7e83e6f119580132479334f2ea49ae8b9ab086d1d1948

SHA512
cc9aa84a133c898c7303cbc2ae425d71d34a56ddf2a4bcccc43e3e60f222e1301d0ab2d2c34e3f5ea05cde42bc6d73011e1954c3b571a351b226ef7d3c6764eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
57485334cd6752e39a242fe9e9580db7

SHA1
d5c421fa93782e909bb002b9d45fb3949be28e52

SHA256
0a166ee09a03d710c3f30369790225c89baf45e9a5268054dcd08504efde4c9f

SHA512
b93b0ae6a13afc07012050a05060100cd51a6b66d65a6116d1f303d5e3a367929a9ef88e1a192c12edd286186ee2bad84ed05be44391597a6484f678e309a607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4AE86E3B-0C7D-4040-8DB8-2C7EA56E0507

Filesize
160KB

MD5
07db51d519202e4dbde727e64dcf609f

SHA1
3358091179783c83753e361851ee6ac0fe9739e6

SHA256
d06e8baa54517000bf8e7991f42b16856c9e401e73c3dd70d74d091129d2206b

SHA512
1da77c240d6801fceda4d6b89fdcddfa0b059a25867e3158352f50db4b35af452e7852c03c74499aeab5e3b8b280ef3e40bbf9baabef46a91ec235e684efaa4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
ff372cccf69959a667aa9c219ecd18e8

SHA1
9110760e7e50c92d48bb1b377296c728ed20d0bb

SHA256
551a75970beb2c37a434b379f9be8ebc79f6f90533b3036407f0a7b3da81cacf

SHA512
78ced9dfe3ef767243e706b29c997f06feb8912ec0fa42c9a46bbac967b8d5e02f2c4960ef83a69f9af23e889829a6494b2e420f3abe4692280e2d3599fc14fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
f92e8609d40d5e19a78582b35c05126e

SHA1
f64049788cd54989930532e6a909dffce6f61d57

SHA256
2d678da33b967f16629bc7c5525501c98cf2bb15caf2a93dd113d892264ebca7

SHA512
4387e7edbeb815ee034168f8bf962b2a5f103539181c4d515ca4fe7e3134e45f14b58266b5a3d808987b08d4095bcaeff1269c949f94b2a10f1ed843f549f0d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y4F2DR2Q\hxtraloveaddedonurheartwithlotofloveandkissonurneckireallyloveyou______________sweetkissonurheartwithlotofloveiloveyousoomuch[1].doc

Filesize
71KB

MD5
26c100089e2cf5463babd1de454a67d1

SHA1
6a9d052164255970ae1429fe60617f8eafd22a54

SHA256
2e8debc110f5f5cd0a112ac5d77863b4148cd7c7c1fd888e17dade82b50a7458

SHA512
e97c29ed4d726df4687cabfe398874d253dc34f0d5fa6be1fa34139bf7b4414832b8820dd1cc7ce26f5c85562c4fbbea360349499e8c020bd53a3cbf26474e4f

Download Submit
memory/2092-59-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-64-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-88-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-78-0x00000295BB170000-0x00000295BB24E000-memory.dmp

Filesize
888KB

Download
memory/2092-62-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-61-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-60-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-58-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-56-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-55-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-54-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-53-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-52-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-51-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-50-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-49-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-48-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-47-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/2092-46-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-13-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-2-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

Filesize
64KB

Download
memory/4984-22-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-20-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-19-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-18-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-17-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-16-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-15-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-14-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-12-0x00007FF817E90000-0x00007FF817EA0000-memory.dmp

Filesize
64KB

Download
memory/4984-0-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

Filesize
64KB

Download
memory/4984-21-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-23-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-3-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

Filesize
64KB

Download
memory/4984-7-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-5-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

Filesize
64KB

Download
memory/4984-6-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-9-0x00007FF817E90000-0x00007FF817EA0000-memory.dmp

Filesize
64KB

Download
memory/4984-4-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-77-0x0000019B1BE70000-0x0000019B1BF4E000-memory.dmp

Filesize
888KB

Download
memory/4984-10-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-11-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-1-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

Filesize
64KB

Download
memory/4984-83-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download
memory/4984-8-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads