52b32ac1009f5633f0dee6a2305af7ccdf99c726c4757fa2bca6a0ea212d720f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52b32ac1009f5633f0dee6a2305af7ccdf99c726c4757fa2bca6a0ea212d720f.xls
Size

49KB
MD5

fef0c51aa0af0361b8dec099ed5bafa1
SHA1

94ca3c3802f4d2c28f9ef911821efae63d1d9d33
SHA256

52b32ac1009f5633f0dee6a2305af7ccdf99c726c4757fa2bca6a0ea212d720f
SHA512

53a37c375f74b77da1d77dec9183a204d47b9962ad7c03cfebe8d0a9479b8badf17d24c8a8d2346824f7d63d51a42d09a729af2ebc604197e77946c0d99744e3
SSDEEP

768:yXyBP0/kns9iP95hIlMURQIksJW9TUCV96sIbGLRtdN+/fIFagZHTB6p:yX68/ks9iP9TILWIhJWmFCVjWfIIqTB

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3252 EXCEL.EXE
4316 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4316 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4316	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
3252	EXCEL.EXE
3252	EXCEL.EXE
3252	EXCEL.EXE
3252	EXCEL.EXE
3252	EXCEL.EXE
3252	EXCEL.EXE
3252	EXCEL.EXE
3252	EXCEL.EXE
4316	WINWORD.EXE
4316	WINWORD.EXE
4316	WINWORD.EXE
4316	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4316 wrote to memory of 1044	4316	WINWORD.EXE	splwow64.exe
PID 4316 wrote to memory of 1044	4316	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\52b32ac1009f5633f0dee6a2305af7ccdf99c726c4757fa2bca6a0ea212d720f.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3252

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
4fce0e2d81c9038247f9c4b9dc125ce2

SHA1
85d341283aa0201fcdb629c730e2d704704a9a24

SHA256
5f434114781e29972cb6e66c8587e4f2dc1428221730120ff1005a90cd08cc23

SHA512
5dde6f23ee0c793c2c9f5cfafd5a01c978707e23945adfc7686c555c52d3ca1ff571d413c6cd779b73620048cb229d8f4fa14af76206c11582ba9e477b5113c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
1597fb36ea6b1485aac93607515eb88c

SHA1
62ef300c8eda72979c22a995ff118a515d7595ac

SHA256
05b9bb896d8e7088b7704d8df92265aed2d6252bd7237cd926d4372e64abdaa9

SHA512
e51c8c0c7c1590064c46e77828902bb19c3836b884aa508848b9b48d5b7a20939352ea337b14bcb904ac8e9c22e3794903e2c8360dbf9a151ec6bce319a5704f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\58AE3C6F-A89F-4F21-8E73-2F3749F7EC1F

Filesize
160KB

MD5
56e93268d3cf8c9f08deec46f29c6941

SHA1
57a847cee3b5f30e13d0e9008304a950792f950a

SHA256
7d85d3813ad73784009152a5283b8031840e846f98668ba3d834461256fc4aa7

SHA512
7e59c5db2965c3a3bc0e1d7b7ed72d65285a27db3c2d9110591a0b9927b559b234059cdef5e53501f8cd3a03b23f3099874424a1c2cfc7c4959f6901477c688e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
b8126d6e26b09d2f72b7239e3e1a339a

SHA1
a731d295eca41b3445df8253eb57cc96b1b4a122

SHA256
a3aaca038fce23c16f5f30552d3d82a84e653bca80f411b29d7a2362643c1ada

SHA512
ed1cc22430e5dcf515acda116817b6a7b9190b8656a23b5a794c52eab65e9c77a03030fbbb6297e6c53794eba04a18a876c4be10ae3960dcec0eba86471d6a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
2db7a31181630084e390b25353222bac

SHA1
16522a1e8fa7c3ff52b886b53c70589becd8b1fa

SHA256
7438ca95bc8f262428ef2ba0121dc8b29ad5ef63f8e5a64eb9f5f2e6f91461a7

SHA512
03981ec5ca750a231f939247b3ce282f631ca5ba92bd5417df26a3af52cf6bb615d6ba0f386785842bb5ba0cc9623e6db759faf3990b588fb36b6748a9de53f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1YRVVION\imageinetheloveofactionhappenedeverytimeyoudidseetheamazingaction___weareinheretounderstandhowmuchiamlovingyou[1].doc

Filesize
71KB

MD5
8d6eb0ebe0f36b867af1c471880ce2b2

SHA1
253dde2309f7099e4b7fb049335160754175fda3

SHA256
436be17de8e60f2b4e31b01da465b470c4afbb1c9a810c095391221d1e277eca

SHA512
d0a6becdec4c9cab7c0cdfc04c5c44fdb718d4c05f4997d6390346cdbe7dd9f2991260f999eae460eaca44e87ec1feb6dfc7f59ea4508f5c7ebe419485564db1

Download Submit
memory/3252-12-0x00007FFED3130000-0x00007FFED3140000-memory.dmp

Filesize
64KB

Download
memory/3252-10-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-8-0x00007FFED5A90000-0x00007FFED5AA0000-memory.dmp

Filesize
64KB

Download
memory/3252-132-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-130-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-11-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-14-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-13-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-0-0x00007FFED5A90000-0x00007FFED5AA0000-memory.dmp

Filesize
64KB

Download
memory/3252-15-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-16-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-17-0x00007FFED3130000-0x00007FFED3140000-memory.dmp

Filesize
64KB

Download
memory/3252-18-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-19-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-20-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-21-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-128-0x00007FFED5A90000-0x00007FFED5AA0000-memory.dmp

Filesize
64KB

Download
memory/3252-125-0x00007FFED5A90000-0x00007FFED5AA0000-memory.dmp

Filesize
64KB

Download
memory/3252-126-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-124-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-120-0x00007FFED5A90000-0x00007FFED5AA0000-memory.dmp

Filesize
64KB

Download
memory/3252-122-0x00007FFED5A90000-0x00007FFED5AA0000-memory.dmp

Filesize
64KB

Download
memory/3252-78-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-77-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-131-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-9-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-6-0x00007FFED5A90000-0x00007FFED5AA0000-memory.dmp

Filesize
64KB

Download
memory/3252-76-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-1-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-3-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-2-0x00007FFED5A90000-0x00007FFED5AA0000-memory.dmp

Filesize
64KB

Download
memory/3252-4-0x00007FFED5A90000-0x00007FFED5AA0000-memory.dmp

Filesize
64KB

Download
memory/3252-7-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/3252-5-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-133-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-43-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-29-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-31-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-40-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-34-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-35-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-44-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-32-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-79-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-41-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-28-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-26-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-24-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-37-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-36-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-39-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download
memory/4316-45-0x00007FFF15A10000-0x00007FFF15C05000-memory.dmp

Filesize
2.0MB

Download