64020a7a3f5f6c589272f28d727318eb5eb4eb4d41510679cb8134c0325c8fe2

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cerere de cotatie.xla.xls
Size

38KB
MD5

558fadb14037e01b78e223e799b568d3
SHA1

43758e1db2bc0fb7fded6ec864ec20973b26251a
SHA256

64020a7a3f5f6c589272f28d727318eb5eb4eb4d41510679cb8134c0325c8fe2
SHA512

ddf577683063e86cdcd27d850a4a1b25caa97adc7b31241d164abe5007de7ab74f832551db5a61bd105887a70ee8f7384ee602ffe40c21b8b5fa3ead25f4e254
SSDEEP

768:2yBP0SIN+KncBtECea+bTK6p4Gjtw/tO9vkpjInEzkrFW57vsk60:2689hnIt7eR64twX0nEzksBD60

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1748	EXCEL.EXE
3536	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3536	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 1384	3536	WINWORD.EXE	96
PID 3536 wrote to memory of 1384	3536	WINWORD.EXE	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Cerere de cotatie.xla.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
ba25b25faf256829d339af7900e404d5

SHA1
1389956a8d13cc3d49f5b0309a25a7132a8a3c9d

SHA256
71cd327b45891d3b650fa8248b5f722cec8fe4cccb4a876f91374feeebe38422

SHA512
693248c89489f0f4e59ae321431eada5d291835f6caa4f8229809800087dc8ea92d1f5d3e3c336d71c2763f836aad577575aed13a8c91e99f22d4d6fdd52f2ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
540bb5e0360022651792b56cdcf78ceb

SHA1
d8c32545d431c1868a381752155cd2cd41825696

SHA256
409241a32e47bb2877896095da39ec2317bb61418ab63ba7245ba743ba3132a9

SHA512
af43efb8e222ae16a5b11db8985add9742e5bbe47d275a18ea7bbe2b2ed6d655066c7a1e7e16d30d567e4b16e91419e600234c580f0f6573cb326fba6a43fd74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B043A0E9-DB7B-49F4-9582-5DE753CE8266

Filesize
160KB

MD5
d0a13d018326cd6ba4161c69a5068704

SHA1
4226d2a1f3449eaaa551ccd88ac4661503dffa87

SHA256
3ba700c51e902bcdfbf60f2dfd423f11c703bbd718c0783d8667be9090e38045

SHA512
32b080bea9047a959d06c250786dd1aed5024b972c091f6f16c14fd3e40413fe6c0eb360be36e831b2265d67e103fa8b504dd4cec0cbb8279759eddf149110a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
6ebbc05c6242e37a608bcfe8ab2e1087

SHA1
826857e6fe6ba63aabfac8fb7efd6d9b815309e4

SHA256
4f91fd4da897945aee66b4c102c75327d5e45500fb4af8ec7de3dfb6f0900657

SHA512
5de48185fa4214b3cc4241228da21208f20cd12cfd024279cf1afc1333ffdeac65d5718ffef7733d3675f8d13a64d64004b7518dc06b564ef9d81150c7e930e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
9114d83a628619df4aa3aa5a301beda1

SHA1
5e5b3f63ec6c76a6d05f760d553d8772761e35a6

SHA256
528cfaad9b0e1711cc21979d1443c22c97f4a2de7ba64a55910621162e5be284

SHA512
f6941b1459b253cf60c7debac4dbfe088bfc16e6c164e475a85f8de808c11326f761b02f5a4ecd6e151dad51de8e3fe1885aad6501a3598cc80b277d6e7945ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\20RAD7Y0\weareinlovewithmygirlfriendunderstandhowitistoget___youareverybeautifilformeiloveusoomuchalwaysloveutrulyfromtheheartlove[1].doc

Filesize
78KB

MD5
561ed5405267a715e9dcfea42b63f37e

SHA1
676b6196a706316bf3e311c58fd0ef991efc41a9

SHA256
2c58ca41949aa784dce6a2006162781fe7a7a5453cafb731ee4d512efe718c43

SHA512
c746e89a41fc61077eef5ae0d7216d6d875c5cc94a53de20cfe61421aad781a2b71e668a94d8acbedab4542c488aed83753d472627033310681e7a03d9f3f986

Download Submit
memory/1748-12-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-0-0x00007FFECCDB0000-0x00007FFECCDC0000-memory.dmp

Filesize
64KB

Download
memory/1748-8-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-10-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-9-0x00007FFECAB20000-0x00007FFECAB30000-memory.dmp

Filesize
64KB

Download
memory/1748-11-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1-0x00007FFECCDB0000-0x00007FFECCDC0000-memory.dmp

Filesize
64KB

Download
memory/1748-13-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-15-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-16-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-17-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-18-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-19-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-14-0x00007FFECAB20000-0x00007FFECAB30000-memory.dmp

Filesize
64KB

Download
memory/1748-122-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-121-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-7-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-2-0x00007FFECCDB0000-0x00007FFECCDC0000-memory.dmp

Filesize
64KB

Download
memory/1748-65-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-3-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/1748-4-0x00007FFECCDB0000-0x00007FFECCDC0000-memory.dmp

Filesize
64KB

Download
memory/1748-5-0x00007FFECCDB0000-0x00007FFECCDC0000-memory.dmp

Filesize
64KB

Download
memory/1748-6-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-35-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-33-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-44-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-45-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-41-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-40-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-38-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-37-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-36-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-106-0x00007FFECCDB0000-0x00007FFECCDC0000-memory.dmp

Filesize
64KB

Download
memory/3536-43-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-42-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-66-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-107-0x00007FFECCDB0000-0x00007FFECCDC0000-memory.dmp

Filesize
64KB

Download
memory/3536-109-0x00007FFECCDB0000-0x00007FFECCDC0000-memory.dmp

Filesize
64KB

Download
memory/3536-110-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-108-0x00007FFECCDB0000-0x00007FFECCDC0000-memory.dmp

Filesize
64KB

Download
memory/3536-111-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-112-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-113-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-31-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download
memory/3536-30-0x00007FFF0CD30000-0x00007FFF0CF25000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads