Analysis
-
max time kernel
149s
-
max time network
156s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240226-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
11/03/2024, 21:30
Static task
static1
Behavioral task
behavioral1
Sample
Arrival Notice.xls
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Arrival Notice.xls
Resource
win10v2004-20240226-en
General
-
Target
Arrival Notice.xls
-
Size
317KB
-
MD5
e5d7a2dd2aafaa4e55c303c3533a36be
-
SHA1
2e7dae389a400eb1e4e49fda39d9b4a282d735cb
-
SHA256
008653065299f1e96ecd195fe23948cc3976210bc8d58ba0e1456db17270154d
-
SHA512
0809255b680d8b7192ea4b79c616243a2d0d6b3a9a9defd05c9292effc68ed2242c7850ba6a81a0233c53908b70b6eefd9d9c590f011f83b7a622d8929446b90
-
SSDEEP
6144:LuunJJ7wY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVEGMIL0pDt//yVQt/NDH:LvJJ7t3bVEGMIIN/rt/BJZHe64TGF3G
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
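Added example (Python, not part of the report): the two registry signatures above, "Checks processor information in registry" and "Enumerates system info in registry", run as detection logic over events transcribed from their IoC tables. The key paths under HARDWARE\DESCRIPTION\System are read by a great deal of legitimate software, Office included, so the summary treats hits from the two Office images as informational instead of alerting on them; the benign-image list, the pids taken from the Processes section, and the single notepad.exe control event (which is not in the report) are constructed inputs.

```python
from collections import defaultdict

# Key prefixes behind the two report signatures.  Both the "Key opened" event on the
# parent key and the "Key value queried" events on values beneath it count, which is
# why each signature shows 3 IoCs per process in the report (1 open + 2 value reads).
SIGNATURES = {
    "Checks processor information in registry":
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0",
    "Enumerates system info in registry":
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS",
}

# Constructed sample events: (process, pid, operation, key path), transcribed from the
# report's IoC tables, plus one unrelated control event (notepad.exe, pid 2200) that is
# not in the report and exists only to show a non-match.
SAMPLE_EVENTS = [
    ("WINWORD.EXE", 1448, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    ("WINWORD.EXE", 1448, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("EXCEL.EXE", 3612, "Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"),
    ("EXCEL.EXE", 3612, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    ("EXCEL.EXE", 3612, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("WINWORD.EXE", 1448, "Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"),
    ("EXCEL.EXE", 3612, "Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"),
    ("EXCEL.EXE", 3612, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"),
    ("EXCEL.EXE", 3612, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
    ("WINWORD.EXE", 1448, "Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"),
    ("WINWORD.EXE", 1448, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"),
    ("WINWORD.EXE", 1448, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
    ("notepad.exe", 2200, "Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir"),
]


def normalise(path):
    """Registry paths are case-insensitive, so compare them in one case."""
    return path.upper()


def match_signatures(events):
    """Return {(process, pid): {signature_name: sorted list of matching key paths}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for process, pid, _operation, path in events:
        upper = normalise(path)
        for name, prefix in SIGNATURES.items():
            # The parent key itself (Key opened) or anything beneath it (Key value queried).
            if upper == prefix or upper.startswith(prefix + "\\"):
                hits[(process, pid)][name].add(path)
    return {proc: {name: sorted(paths) for name, paths in sigs.items()}
            for proc, sigs in hits.items()}


def summarise(events, benign_images=("EXCEL.EXE", "WINWORD.EXE")):
    """Triage rows: (process, pid, signature, ioc_count, severity).

    Office reads these keys in normal operation, so hits from the listed benign images
    are reported as 'info'; the same keys read by an unexpected image are 'suspicious'.
    The benign list is an assumption for this example, not something the report states.
    """
    rows = []
    for (process, pid), sigs in sorted(match_signatures(events).items()):
        severity = "info" if process.upper() in benign_images else "suspicious"
        for name, paths in sorted(sigs.items()):
            rows.append((process, pid, name, len(paths), severity))
    return rows


if __name__ == "__main__":
    for row in summarise(SAMPLE_EVENTS):
        print("%-12s %5d  %-42s %d IoCs  [%s]" % row)
```

Run stand-alone it prints one row per (process, signature) pair; the control event produces nothing because it never touches either key prefix. To use it against real telemetry, feed Sysmon registry events (or a procmon export) in the same four-field shape.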
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3612 | EXCEL.EXE
1448 | WINWORD.EXE
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeAuditPrivilege | 1448 | WINWORD.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3612 | EXCEL.EXE
3612 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 16 IoCs
pid | Process | hits
3612 | EXCEL.EXE | 12
1448 | WINWORD.EXE | 4
-
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 1448 wrote to memory of 1416 | 1448 | WINWORD.EXE | 100
PID 1448 wrote to memory of 1416 | 1448 | WINWORD.EXE | 100
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3612)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Arrival Notice.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1448)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (PID 1416, child of PID 1448)
    Command line: C:\Windows\splwow64.exe 12288
-
C:\Windows\system32\svchost.exe (PID 4500)
Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
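Added example (Python, not from the report): the process tree above as structured records, with a rule that flags any child of an Office process that is not on an expected list. In this run the only Office child is splwow64.exe, the Windows print driver host for applications, which is also PID 1416, the target of the WriteProcessMemory signature above; the -Embedding switch on WINWORD.EXE means Word was started as a COM/OLE server rather than opened by the user. The report does not print parent pids, so they are inferred here from the tree nesting (top-level processes are given ppid 0); the cmd.exe record is hypothetical, not in the report, and exists only to show what a hit looks like.

```python
from collections import defaultdict

# Constructed process records: (pid, ppid, image, command line), transcribed from the
# report's process tree.  ppid values are inferred from the nesting; the report itself
# does not list them.  The last record (cmd.exe, pid 9999) is hypothetical.
SAMPLE_PROCESSES = [
    (3612, 0, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Arrival Notice.xls"'),
    (1448, 0, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding'),
    (1416, 1448, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    (4500, 0, r"C:\Windows\system32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc"),
    (9999, 1448, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c echo hello"),  # hypothetical
]

OFFICE_IMAGES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# Children Office spawns in normal operation.  splwow64.exe is the print driver host;
# anything else under an Office parent deserves a look.  This list is an assumption.
EXPECTED_OFFICE_CHILDREN = {"SPLWOW64.EXE"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def build_tree(processes):
    """Index records by pid and map each ppid to its children, preserving input order."""
    by_pid = {p[0]: p for p in processes}
    children = defaultdict(list)
    for pid, ppid, _image, _cmd in processes:
        children[ppid].append(pid)
    return by_pid, children


def flag_office_children(processes):
    """Return (parent_image, child_image, child_pid, verdict) for every Office child."""
    by_pid, children = build_tree(processes)
    findings = []
    for ppid, kids in children.items():
        if ppid not in by_pid or basename(by_pid[ppid][2]) not in OFFICE_IMAGES:
            continue
        for pid in kids:
            child = basename(by_pid[pid][2])
            verdict = "expected" if child in EXPECTED_OFFICE_CHILDREN else "investigate"
            findings.append((basename(by_pid[ppid][2]), child, pid, verdict))
    return sorted(findings, key=lambda f: f[2])


def embedding_launches(processes):
    """Processes started with the COM activation switch (-Embedding or /Embedding)."""
    return [(basename(image), pid) for pid, _ppid, image, cmd in processes
            if any(tok.lower() in ("-embedding", "/embedding") for tok in cmd.split())]


def render_tree(processes):
    """Indented one-line-per-process view, roots first, children beneath their parent."""
    by_pid, children = build_tree(processes)

    def walk(pid, depth):
        out = ["  " * depth + f"{basename(by_pid[pid][2])} (PID {pid}) :: {by_pid[pid][3]}"]
        for kid in children.get(pid, []):
            out.extend(walk(kid, depth + 1))
        return out

    lines = []
    for root in children.get(0, []):
        lines.extend(walk(root, 0))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_PROCESSES)))
    for parent, child, pid, verdict in flag_office_children(SAMPLE_PROCESSES):
        print(f"{parent} -> {child} (PID {pid}): {verdict}")
    print("COM-server launches:", embedding_launches(SAMPLE_PROCESSES))
```

With only the report's records the rule returns a single "expected" row for splwow64.exe; the hypothetical cmd.exe child is what turns it into an "investigate" finding. Sysmon Event ID 1 supplies pid, ppid, image and command line in exactly this shape.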
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize: 471B
MD5: c09d8bf3c7f7cf7145bad67a0c87e786
SHA1: b5e567e989c1b16c845b2bc950104754f437d249
SHA256: 70f3cf70aa466cdf91ea2af9f7db8bfbcc6955c65a8c9f3ce15be64779fa0edb
SHA512: 6b5ab45709dad85b0471a326939c51a938a1a3bf0dfd35bfb53ecbc7d636ed3ef68dc4f7a652eb38c080334367b85dee9a7a1b94c1c9c5bc39e96bab31298aac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize: 412B
MD5: cda32353a441f77a76ff702ad8647c12
SHA1: b15909b3dcd5c421292f9e439c5fb73ed5dc3574
SHA256: 8c530552f94f817c3928679e8afb95016b2dc25530f150b84a56dbdbf109ec94
SHA512: 2e554615ddd544a96e6f3ab62f4c13e8501f94d1fff1141d71959e4ba631f424e7b9b36e61a1aa444d214a28a0aab656a6d9d218ccaddd4edc51260694f0dd80
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1AC5A584-0DC4-4481-B6C8-922FD3B22F8C
Filesize: 160KB
MD5: a5da7b18fa905286d1f0bed9d8bd4797
SHA1: 5fe6e8717440d98936b2c0efcae37b56f20af103
SHA256: 81cea264d48bba92cc3080a9b7ebd2a1c1ebdf2e4a11dc68522d68d300f455b9
SHA512: fb1916a8b11a6ec58dd8286f9eed8dfe21273ab093a9ee03c45045eab83faa0d34467cf0180ab936e7cfcca3178a0ee6946a7bb4b5533cf23b8047c494f8473d
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 9652c7cf3f8885cc7e767e4a2fb6990d
SHA1: 0ade919144e650a3f45c50a988a1884fa5c38d7f
SHA256: 28954098f34a5939917579a85b6d5536a5463833538eeb6d703261c937622fc8
SHA512: 822acf3ced0284b9e66ebe334fc40d35b0ca303094a2b5737f02423a855c9523d45d0b57e9b047256e16edd8404012aa3f3b0b3ac3d32ea641732ade6a01dd1d
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: ee0732311aa8ed345d6976698d190c5f
SHA1: 7a4ac83e2c2bd0132824512d57ec1925991c98f0
SHA256: 008f9e9913c2a924fa18b0b3933be3a6d6e888cf34f0ec562a97ff53215810b2
SHA512: 3cd43cdb68d4b567ed2ef5619ddea5d33df4ec3a58e059512a6bec7a98fc9639f9d7c448d773513b9e4a6bcc1e684685ca65c7cd0fb85b0491bd36ce9ff78b27
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\86GPDKUQ\dnamatchedlovesuccessfullycompletedwithanotherlovertouderstandhowshebelievedonmeand___lovedmealotwithlotoflove[1].doc
Filesize: 68KB
MD5: 6f915ad0fda4f220768467e5246b1954
SHA1: c3d6c3c80ee8445eda839bc3a3e025198d239985
SHA256: b5d0c3287bff511f44ccdb36cbee7d5a6d9ae3de5cb809a9d378df18ae52865b
SHA512: 7489bb6419afc780a27d16c33b3a52d642d3ec809dfc871068cb29df7eda3006c87d0cff1f7d563e0ffd4dd1667f130670746fa15be8b29ad13b1b303f484519
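Added example (Python, not from the report): a parser for the Downloads listing above and a check that recomputes the four digests over files pulled out of the sandbox, so that an artifact is confirmed to be the one the report describes before it is shared or submitted elsewhere. The listing mixes ordinary Office and Windows cache files (CryptnetUrlCache, TokenBroker, WebServiceCache) with the .doc written under INetCache\IE, so matching hashes per file is what matters. The report rounds sizes to whole KB, so size is parsed but not compared. The `read_bytes` callback and the flat extraction directory in `verify_directory` are assumptions about how the files were retrieved.

```python
import hashlib
import os
import re

# Expected hex length of each digest; also catches a mis-split label/value line.
ALGOS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 * 1024}
PATH_RE = re.compile(r"^[A-Za-z]:\\")
SIZE_RE = re.compile(r"^Filesize\s*:?\s*(\d+)\s*(B|KB|MB)$")
# Longest labels first so "SHA512..." is not read as "SHA1" + hex.
HASH_RE = re.compile(r"^(MD5|SHA512|SHA256|SHA1)\s*:?\s*([0-9a-fA-F]+)$")


def parse_dropped_files(text):
    """Parse the report's Downloads listing into [{'path', 'size', 'MD5', 'SHA1', ...}].

    Accepts both the run-together form ('MD5c09d...') and the 'MD5: c09d...' form; a
    record starts at a Windows path line and collects the label lines that follow it.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
            continue
        if current is None:
            continue
        m = SIZE_RE.match(line)
        if m:
            current["size"] = int(m.group(1)) * UNITS[m.group(2)]
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != ALGOS[algo]:
                raise ValueError(f"{algo} digest has {len(digest)} hex chars: {line}")
            current[algo] = digest
    return records


def digests(data):
    """All four digests of an in-memory file, keyed by the report's label names."""
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in ALGOS}


def verify_files(records, read_bytes):
    """read_bytes(report_path) returns the local copy's bytes, or None if not extracted.

    Returns [(path, status)] with status 'ok', 'missing' or 'mismatch:<ALGO,...>'.
    Only digests present in the record are compared, so partial listings still work.
    """
    results = []
    for rec in records:
        data = read_bytes(rec["path"])
        if data is None:
            results.append((rec["path"], "missing"))
            continue
        actual = digests(data)
        bad = sorted(a for a in ALGOS if a in rec and rec[a] != actual[a])
        results.append((rec["path"], "ok" if not bad else "mismatch:" + ",".join(bad)))
    return results


def verify_directory(records, root):
    """Assumed layout: files were copied out of the sandbox into `root` by basename."""
    def read_bytes(path):
        local = os.path.join(root, path.rsplit("\\", 1)[-1])
        if not os.path.isfile(local):
            return None
        with open(local, "rb") as fh:
            return fh.read()
    return verify_files(records, read_bytes)


if __name__ == "__main__":
    import sys
    # Usage: python verify_dropped.py <saved report text> <directory of extracted files>
    with open(sys.argv[1], encoding="utf-8") as fh:
        recs = parse_dropped_files(fh.read())
    for path, status in verify_directory(recs, sys.argv[2]):
        print(f"{status:32s} {path}")
```

Any "mismatch" row means the local copy is not the file the sandbox hashed (a re-download, a different cache generation, or a transcription error in the listing); "missing" rows are files that were listed but never pulled.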