Analysis
- max time kernel: 149s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-03-2024 01:36
Static task: static1
Behavioral task: behavioral1
- Sample: 3e71b3d85e286dca892374bc71698ceb5a58762e0dc6876fe1dc994ab11c31f7.xls
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 3e71b3d85e286dca892374bc71698ceb5a58762e0dc6876fe1dc994ab11c31f7.xls
- Resource: win10v2004-20231215-en
General
- Target: 3e71b3d85e286dca892374bc71698ceb5a58762e0dc6876fe1dc994ab11c31f7.xls
- Size: 317KB
- MD5: fb5c7d14e1ec93e569a9fb56c7282d22
- SHA1: 58d681fdc19e4509fbbc91ab4c3d28d61c4daa6e
- SHA256: 3e71b3d85e286dca892374bc71698ceb5a58762e0dc6876fe1dc994ab11c31f7
- SHA512: a014557ecb3d08d5f88510dd9fb27401985cca9e9292062489b85fa43610587ffbba59bdcfc4058a8c8e713662bbf90faca7c905a0c5fc7142d33a3eb031827e
- SSDEEP: 6144:VqunJ2VY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVk0MIv3ZkBbqBYMzcswEq:VbJ2c3bVk0MIgiTzcUqe/nWYaLDs
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  452 | EXCEL.EXE
  1344 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeAuditPrivilege | 1344 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  pid | Process
  452 | EXCEL.EXE (12 occurrences)
  1344 | WINWORD.EXE (4 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 1344 wrote to memory of 408 | 1344 | WINWORD.EXE | 90
  PID 1344 wrote to memory of 408 | 1344 | WINWORD.EXE | 90
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3e71b3d85e286dca892374bc71698ceb5a58762e0dc6876fe1dc994ab11c31f7.xls"
  PID: 452
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 1344
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 408
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 1408
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C3CB79BE-4857-4D62-A07F-26BA6FFE7F9D
  Filesize: 160KB
  MD5: 3a6451b25f52586e1b7cb1656a4f185a
  SHA1: 5fc3605b9c494d4b396b09cf8264939bf2618d17
  SHA256: 4503e6dcb5a8341d0fd3ce8985da263006d15d32f4b9fe052bba7d941b644011
  SHA512: c1bb454ea1b32c0f5da68c8d21092f57d5200c4c729f62d4eddbd174f53e4dc24927241b3023241b18b5a75acd4acca5a44eab56177e6fd24f43289723fdad92
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: e412aa5af1298262dba336ef9c734298
  SHA1: f14d20b1178c095b76d6f0ef95681a1770a79395
  SHA256: f20b4944c890735fad7f7adc913ab7d592b27fbf83418698c764156736c2b0f3
  SHA512: 710f97052b51430af3c78eea11198148e15602154de68e8eae36f9807a0a1cc00af7d680d31ef79cb22ba41850a3a9d8f5f64d63342e1d964f7f99b0f8103f59
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: ec506e3c4acce5f25803db2f7929ac39
  SHA1: f696099243328eefe03822fad83d910c63f7e98f
  SHA256: f052517b2deb204df574f22a5fd19731b4917b5a36568a1cda22b98cf246a7db
  SHA512: 01cbc492b782162348a7c2d8627d4299876a9b05776eea03097f80c87f95b9ddad93e3303ad337471ccf56e987c4249b5d39259f09a55dc2a0dc8f8bbbd50de7
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SB302YPZ\iamdifferentfromothersandlovingyoutrulyfromtheheartwithoutfake____iloveyouiloveyousoomuchwithallmyhearttogetu[1].doc
  Filesize: 70KB
  MD5: 4f0f6cd3d79ef0d367bdba2aa80554c2
  SHA1: cd023c49119fb7a6edf2cd4eae824f5ac0a0f6c6
  SHA256: 63056ca0409d5e15d038ec044aa4fccf4ddddbeb17ee697274feae60fb520f0b
  SHA512: cd4e15e949565888e37a4b9df8350950f2aa9f1f3564e1564eb2bb4afd54b25a4415d08127002cdd7843f79e1b67fe7b6f16f00910fe2e6e801b6a5e6f4171c3