1a49ecab4926721e64c3ef58e9d567bef2d0af4bb8494ee2ef5fd56e713af5cd

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scanned Draft Copy.xla.xls
Size

49KB
MD5

903d5012df813abb990f663da1af4c8a
SHA1

18115c32fca740c959e005493511bf3b6842becb
SHA256

1a49ecab4926721e64c3ef58e9d567bef2d0af4bb8494ee2ef5fd56e713af5cd
SHA512

103e9ccda54df1317ba8d14fa5189a54ca303ceff1707826e4b73bd614556a2c2053e486833be4ea09b54398f1f604be00118a39b2cf07d6538ff7c80e7b28e4
SSDEEP

1536:iX68xwcRZrCO+68f4Rdc4AdoOVOrAjtev:iX68ecfrCO+6pRdc4Ado7Am

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1868 EXCEL.EXE
2720 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 2720 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1868 EXCEL.EXE
1868 EXCEL.EXE

description	pid	process
Token: SeAuditPrivilege	2720	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE
2720	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2720 wrote to memory of 4708	2720	WINWORD.EXE	splwow64.exe
PID 2720 wrote to memory of 4708	2720	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\scanned Draft Copy.xla.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
4fce0e2d81c9038247f9c4b9dc125ce2

SHA1
85d341283aa0201fcdb629c730e2d704704a9a24

SHA256
5f434114781e29972cb6e66c8587e4f2dc1428221730120ff1005a90cd08cc23

SHA512
5dde6f23ee0c793c2c9f5cfafd5a01c978707e23945adfc7686c555c52d3ca1ff571d413c6cd779b73620048cb229d8f4fa14af76206c11582ba9e477b5113c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
6ee8296ff78980a745154ada0a1b8bf0

SHA1
52246913beff0765e008fca6600ad4a62c6a296b

SHA256
07bcc42e6fad6a3e72c036428244ad06cd044419d9b0f71e79ddc399e2b63201

SHA512
98c1c96656e57186f46e25961cacec0b16d998b300fd375430de36acdd6e81f1b95a5e705e61d90235ee58d5484d4f403766e75536ee414fdad085ab5df167e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F4CC65D7-D79C-44CA-BE94-03089882F3E6

Filesize
160KB

MD5
56d74ae9a0355615a5de48b8d38b6ea4

SHA1
40b3ad47ccc57b0507f92318b60117c10cde2b14

SHA256
aed9fbcf86c69466b95c3141dec57f42dfe4875863470340378ac8c11172a0bb

SHA512
3902bdf0d934dbc298cbe8f7b8b5fdd1b7c9ceb84d53bd431d3033ea403150d31ac549200dced05a849c82ec171f601d41890ad2a79066529ec7d94e3fcb05bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
6efffd8dcb7a6e7261791818655cfa31

SHA1
40e7f09eeac414ce53581045e52150059e67602d

SHA256
84d5b69b5412dddf9eacddf7ece3ebee8481ab99b119c241da251a1feeb60e6d

SHA512
d2bfee8222f56079f30d5d21e58dd043c4b10f5fad7ea69fe4981198ad61cb05ce0da598086f4a51a707074b34a345811a35917c3366d67d04d8a6ecbace41a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
7f81fab63f321717e96d4aef5d0724fb

SHA1
3cdf5ac240d9b55975958671030a6c25bbdadbe2

SHA256
74eb11d1132641ab4b4e6b78b72f9c3b63e92cbc0c295605d941b7934ca251a7

SHA512
e37cc099e854c4f39f9e1d7bb011a3385c862ed0b7c02dc310e459504666d57c42e2854f50ef382bc65e2b3ba8cf09f0255c90aea76f9691c86fe581d1a407af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KPYHB2C1\macbookproloverkissedeachotherstohanldhowamaclovercanbeatanothermacloverwithallmyheartshekissedtheperson____withentireprocesskissoflove[1].doc

Filesize
65KB

MD5
d36738689697fff4cd6dd39dcd065aee

SHA1
dc8e8a4988987f7c8b6d628597429ffe9b398056

SHA256
989d32416fa41d152d4db47469c9cbc7a35c50c72b0d3b52f5781709227896b3

SHA512
4217caf74242412f7dc37cd3dc62900514a3206456b0abf18ea264a4b3938ddaa96e5c230cf60654dcab74b8ecf824f06506cd3e5332ad5be1763fbeb78099d9

Download Submit
memory/1868-70-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-73-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-8-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-9-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-10-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-11-0x00007FFB0B450000-0x00007FFB0B460000-memory.dmp

Filesize
64KB

Download
memory/1868-12-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-13-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-14-0x00007FFB0B450000-0x00007FFB0B460000-memory.dmp

Filesize
64KB

Download
memory/1868-15-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-17-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-16-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-18-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-19-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-20-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-21-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-119-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-120-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-118-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-117-0x00007FFB0D770000-0x00007FFB0D780000-memory.dmp

Filesize
64KB

Download
memory/1868-116-0x00007FFB0D770000-0x00007FFB0D780000-memory.dmp

Filesize
64KB

Download
memory/1868-115-0x00007FFB0D770000-0x00007FFB0D780000-memory.dmp

Filesize
64KB

Download
memory/1868-114-0x00007FFB0D770000-0x00007FFB0D780000-memory.dmp

Filesize
64KB

Download
memory/1868-7-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-0-0x00007FFB0D770000-0x00007FFB0D780000-memory.dmp

Filesize
64KB

Download
memory/1868-1-0x00007FFB0D770000-0x00007FFB0D780000-memory.dmp

Filesize
64KB

Download
memory/1868-3-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-6-0x00007FFB0D770000-0x00007FFB0D780000-memory.dmp

Filesize
64KB

Download
memory/1868-5-0x00007FFB0D770000-0x00007FFB0D780000-memory.dmp

Filesize
64KB

Download
memory/1868-4-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/1868-2-0x00007FFB0D770000-0x00007FFB0D780000-memory.dmp

Filesize
64KB

Download
memory/2720-44-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-46-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-50-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-48-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-52-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-47-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-51-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-45-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-76-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-43-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-41-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-39-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-127-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-129-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-131-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-130-0x00007FFB4D6F0000-0x00007FFB4D8E5000-memory.dmp

Filesize
2.0MB

Download