93946883de3d4074ac4baed60abcc3f2d0c57c8ef6e41ceaedbc5ca0de55dc30

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93946883de3d4074ac4baed60abcc3f2d0c57c8ef6e41ceaedbc5ca0de55dc30.xls
Size

47KB
MD5

11a62e1437c97806b4087a209952abb1
SHA1

6f4a65dd084cfcd67567da0b232226a08d6ac1bf
SHA256

93946883de3d4074ac4baed60abcc3f2d0c57c8ef6e41ceaedbc5ca0de55dc30
SHA512

f75bbaf5debf2620ef1bb47eed90367a0afd03398e7d25847182f8a29f51d128fd3abd38f31aaa2b71bc7282dbec5c6afadb10149d90bcbe6903ff922e02474a
SSDEEP

768:rXyBP05j54QzpC555L3Nj7PRFpXoP0cHSJmE6A:rX685V4+pQ5L3NbpXo8cHSJmE

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4624	EXCEL.EXE
3328	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3328	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4624	EXCEL.EXE
4624	EXCEL.EXE
4624	EXCEL.EXE
4624	EXCEL.EXE
4624	EXCEL.EXE
4624	EXCEL.EXE
4624	EXCEL.EXE
4624	EXCEL.EXE
3328	WINWORD.EXE
3328	WINWORD.EXE
3328	WINWORD.EXE
3328	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 512	3328	WINWORD.EXE	102
PID 3328 wrote to memory of 512	3328	WINWORD.EXE	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\93946883de3d4074ac4baed60abcc3f2d0c57c8ef6e41ceaedbc5ca0de55dc30.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
0036cd341a5c6b65ef2e5dc7f1f587b9

SHA1
0df419ce44bcc31a61af07196694d10b341dd168

SHA256
d8ad8789af97cebd782c26dd800a1ee5f1fa75efdc4b47c882a9c89b52bc53a9

SHA512
fa2d98e5216e2b93d6d7b39a2bdd1a6e352fb71980cb212216295efb12455136efba4d5fa3cdd4977590ff89e0a6cbc06f3c198f68aab375f9f99761ba7a2a89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
4ba92591fda28cddf8558d5d0da6e00b

SHA1
69661974fc08d7b63cd2887918db1717cfb71a3e

SHA256
f66c5c9fa162e828f4e367aea1b130d2eb3388c1cc200fad16064f5a71575001

SHA512
4aa4ab0ed8ad303b54ce1da8d892bf6102cc19face7aad432993b5e90990790ec74f6939c2b420c5e9c6c14e0b08065e8f6b3a140e4432e821ac8c56f67d2360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\810F5E26-8724-44C1-8595-71C068FCD4CF

Filesize
160KB

MD5
b33902e9402748a3354dcd5676b576cc

SHA1
8de1080d9c3f4e9cb24dfef7257e24dc961b3cbc

SHA256
5a7b7ec844b124afb63981a612e682a5896328a8c49ef07c0810a932c4ce5ea4

SHA512
3444be432caccc289e294f35c803c292abdad490e9fa0ea95ec2450d600526dd079875234dd1572bfd0c56a66332bdd8188e4d60853f78a3daebd0c3805bb0d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
cd64aecdada66a3cbf9a92c8f63ec69f

SHA1
1b259332965bbd0b4137ab38dd0b2937a30a4546

SHA256
50470b960d6828da07cbcb76652c7e813db186a8c43b3bfaef9e28df820d99c6

SHA512
ebe09bce983f2a69bb1f82c53f6ef659c16a61699ef80cff56ce3430fcd8cc0b607f239b5cb07f17a3cc9a458e5742c35b22ed2e5b4324d5df107ed3a7f126c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
fa1ffda2684286742642b61bdc97d1af

SHA1
a5665110e9201954147354d71a32dd870b0f25d5

SHA256
6a62bb55faa4bc76f1b232287dfcf03627341bc5ae3672e103974c0083b59c14

SHA512
6e4880782928c8deb545833076b0b26959f7f05bfa7b55b391ba67ab3157019006ab90b96e1e351b33c42fb8be62531c740db55fab0fe771140f93a98aa8af6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUFWLFGT\shelovemywifemorethankanyonebutsametimeiloveagirlwholovingmealot_____sheisreallymyloverwhocarewholovedmefromtheheart[1].doc

Filesize
71KB

MD5
65e41469da1397e3e1c9d70fc29fe2e2

SHA1
b234d40cee175effca9a503c908b408a91c7a7da

SHA256
a60f72316633a40d5ab45b035ecd03b7cd0162ce161946cfa2ad86d11fbc9c13

SHA512
22a75d17446e8b6556a1fb3fdb1f8f4671d3f894a717541c7b51861f1c87c2bdd593b998762b37b1844c9028d9cd79510a0414d87c79f679266b519f44e75c56

Download Submit
memory/3328-32-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-26-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-125-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-74-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-41-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-40-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-39-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-38-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-36-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-35-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-34-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-33-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-31-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-29-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-28-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/3328-23-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-17-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-5-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-19-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-8-0x00007FF9D5290000-0x00007FF9D52A0000-memory.dmp

Filesize
64KB

Download
memory/4624-0-0x00007FF9D5290000-0x00007FF9D52A0000-memory.dmp

Filesize
64KB

Download
memory/4624-18-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-16-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-15-0x00007FF9D2BC0000-0x00007FF9D2BD0000-memory.dmp

Filesize
64KB

Download
memory/4624-14-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-13-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-11-0x00007FF9D2BC0000-0x00007FF9D2BD0000-memory.dmp

Filesize
64KB

Download
memory/4624-12-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-7-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-6-0x00007FF9D5290000-0x00007FF9D52A0000-memory.dmp

Filesize
64KB

Download
memory/4624-3-0x00007FF9D5290000-0x00007FF9D52A0000-memory.dmp

Filesize
64KB

Download
memory/4624-20-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-4-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-2-0x00007FF9D5290000-0x00007FF9D52A0000-memory.dmp

Filesize
64KB

Download
memory/4624-1-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-69-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-72-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-73-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-10-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-112-0x00007FF9D5290000-0x00007FF9D52A0000-memory.dmp

Filesize
64KB

Download
memory/4624-113-0x00007FF9D5290000-0x00007FF9D52A0000-memory.dmp

Filesize
64KB

Download
memory/4624-114-0x00007FF9D5290000-0x00007FF9D52A0000-memory.dmp

Filesize
64KB

Download
memory/4624-115-0x00007FF9D5290000-0x00007FF9D52A0000-memory.dmp

Filesize
64KB

Download
memory/4624-117-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-116-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download
memory/4624-9-0x00007FFA15210000-0x00007FFA15405000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads