fee043b165f08a1a9feff54e1598057d3f60c416934e750191c2430e6dc74cf6

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 15:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fee043b165f08a1a9feff54e1598057d3f60c416934e750191c2430e6dc74cf6.xls
Size

47KB
MD5

ee897194e4828c128e71e23a82768103
SHA1

787e7acdfddcf2797335afa88f2f2d8a904095ff
SHA256

fee043b165f08a1a9feff54e1598057d3f60c416934e750191c2430e6dc74cf6
SHA512

33c528aad2371a00ccb0ecacf75b10cda2ad1f270c579405aa183f11b59286a78a968c95efb48ca783a51fbcc2210ce1affeec4845e796a2dbc2a8f1d1a05837
SSDEEP

768:V5C+J5xgOYA5ycJEOJh74Vko56I4gy3++JYZ2YRCQ63skfnmcqD+58:VE+4/A5yUb74Vd56PgyOFZvMQ+jfmcql

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1696	EXCEL.EXE
4252	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4252	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1696	EXCEL.EXE
1696	EXCEL.EXE
1696	EXCEL.EXE
1696	EXCEL.EXE
1696	EXCEL.EXE
1696	EXCEL.EXE
1696	EXCEL.EXE
1696	EXCEL.EXE
1696	EXCEL.EXE
1696	EXCEL.EXE
1696	EXCEL.EXE
1696	EXCEL.EXE
4252	WINWORD.EXE
4252	WINWORD.EXE
4252	WINWORD.EXE
4252	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 2152	4252	WINWORD.EXE	90
PID 4252 wrote to memory of 2152	4252	WINWORD.EXE	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\fee043b165f08a1a9feff54e1598057d3f60c416934e750191c2430e6dc74cf6.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C2CE0814-7B44-449A-957A-28F82B773E7E

Filesize
160KB

MD5
64845c54a8442749da4c25262aa0ec10

SHA1
f825e4e137fa83587e5d48942915a4d6e7b18308

SHA256
f1137d39a45caa659c396e1f90743d8629c8e9977948e8cd15a57f02baae40f8

SHA512
0ab452b422e31703a4b30caf0caadfcf059780cb12943da575debcb6ce706748dcdd1510a4f1f65807e39654f511a138a73741ba3432e09ea94f287bef06c7ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
fa45b63a194297dce50ce157c3cbf78f

SHA1
e50dd52ca37b610541bcb3d0b81cee96313e2548

SHA256
0ea177b153b71595c3e4587c4db106e50b322ae2d3289b2654611f8ad2a6277f

SHA512
b76d36e9f12c37116c466a452ee7ab5fc63277ba1a0d62175e25b2772ebbd91a3a32ca15093507836672c786320b9b7aa451647e1e6bdfb2a3df54ae6544133e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
12a37913d9659c0005bf6aa73644860b

SHA1
5fc2ca99caf3de90151368b7316f711882251821

SHA256
eeb867ac788c672421d018bdb9e9761511ae73cf2ae8955cad00cc563903bd7f

SHA512
f0733eab88f3c619447fcc0a45ba4b1e4a8aee6cdd316bd73b0f031a53ccfac684a0777179fe8e457e380fe040f010b86d888d19725871196048bbfe6b2b64d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W8BIYKF7\eveningloversarereallygreattotelluthatitscoverentireprocesstounderstandhowitisgreat_____newloversneverunderstandhowtoloveagirlwithlotoflovetoget[1].doc

Filesize
70KB

MD5
e959e69dfb1a7811bbe481bff160f3d4

SHA1
196b0cbc196dab44d19d8252e115a8045e919ea1

SHA256
a6dcc8e0c9af9d28865e6d64f6c2317c7970dd5e2706fcde33871c4d12329469

SHA512
e3c94647083f65fae550ab77ab07227bf034f10c62fa6f9341d2ceb8fd2df23ce26bec5ef4038efb1d248fd8d53cfa9fadee78e75a2bdb96f78520e5ddc8f6ee

Download Submit
memory/1696-21-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-0-0x00007FFC8E1B0000-0x00007FFC8E1C0000-memory.dmp

Filesize
64KB

Download
memory/1696-6-0x00007FFC8E1B0000-0x00007FFC8E1C0000-memory.dmp

Filesize
64KB

Download
memory/1696-8-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-7-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-10-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-11-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-12-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-9-0x00007FFC8E1B0000-0x00007FFC8E1C0000-memory.dmp

Filesize
64KB

Download
memory/1696-13-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-15-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-16-0x00007FFC8B8B0000-0x00007FFC8B8C0000-memory.dmp

Filesize
64KB

Download
memory/1696-14-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-17-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-18-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-20-0x00007FFC8B8B0000-0x00007FFC8B8C0000-memory.dmp

Filesize
64KB

Download
memory/1696-76-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-19-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-5-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-75-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-72-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-1-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/1696-2-0x00007FFC8E1B0000-0x00007FFC8E1C0000-memory.dmp

Filesize
64KB

Download
memory/1696-4-0x00007FFC8E1B0000-0x00007FFC8E1C0000-memory.dmp

Filesize
64KB

Download
memory/1696-3-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-42-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-37-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-49-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-50-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-51-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-48-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-44-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-40-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-47-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-46-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-45-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-39-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-53-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download
memory/4252-77-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads