1a49ecab4926721e64c3ef58e9d567bef2d0af4bb8494ee2ef5fd56e713af5cd

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scanned Draft Copy.xls
Size

49KB
MD5

903d5012df813abb990f663da1af4c8a
SHA1

18115c32fca740c959e005493511bf3b6842becb
SHA256

1a49ecab4926721e64c3ef58e9d567bef2d0af4bb8494ee2ef5fd56e713af5cd
SHA512

103e9ccda54df1317ba8d14fa5189a54ca303ceff1707826e4b73bd614556a2c2053e486833be4ea09b54398f1f604be00118a39b2cf07d6538ff7c80e7b28e4
SSDEEP

1536:iX68xwcRZrCO+68f4Rdc4AdoOVOrAjtev:iX68ecfrCO+6pRdc4Ado7Am

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3488 EXCEL.EXE
3556 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 3556 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	3556	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3488	EXCEL.EXE
3556	WINWORD.EXE
3556	WINWORD.EXE
3556	WINWORD.EXE
3556	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3556 wrote to memory of 4104	3556	WINWORD.EXE	splwow64.exe
PID 3556 wrote to memory of 4104	3556	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\scanned Draft Copy.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3488

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2945DDAC-F24D-4CEE-A93C-33AB978334C5

Filesize
160KB

MD5
d9aa3dee5538c1e8a05978d02936ec52

SHA1
6992b2fefe4b38669fdf3f081483916a34fb23eb

SHA256
172ce5c79264e37c74e1bef4c29c2859240ad7b32dc7b6b37918c98d6d8db228

SHA512
c6593b79351c3d3f7940ff7b4dde43ddeaf00a875e6e68d8cc7c5823a169dc8bd173efbd058fd5c058f8beb7680ed1445d8597cd114156229595bcc8566cdb6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
bb69c2a9f97fde83cfbc31cf4559b306

SHA1
456fdf5be61435aa20220f543934f26201a10cf4

SHA256
bc94d4b46e68ff8808357f5bdf0b2d0ff55eae45e92bd30956e85781266eaac6

SHA512
fc5f6f278f03ccdebd75cd2668f207d025f42051a0aec929a5d5c63ec4eea33e878a33f877b5d3328dddf2ef453632464e99951355817d2ab7c78068ea675b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
1af131e0e9015ed3de7b5aff88ee0836

SHA1
99187d4631db1adab297b821d09cba11994b0176

SHA256
a357b31dec9ff5ec91a69ac041bef271e52f34703a39908b383d4d2e299ab576

SHA512
bb3e1813feaa0d86771c2b309181cb2499c47becf3ad2649b5ea08aef4d6dc5c0ebd6746760a09c08f18e0e7e82925a2ad266a78e4922801a2c6b8aac8f38c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6Y4OXOYV\macbookproloverkissedeachotherstohanldhowamaclovercanbeatanothermacloverwithallmyheartshekissedtheperson____withentireprocesskissoflove[1].doc

Filesize
65KB

MD5
d36738689697fff4cd6dd39dcd065aee

SHA1
dc8e8a4988987f7c8b6d628597429ffe9b398056

SHA256
989d32416fa41d152d4db47469c9cbc7a35c50c72b0d3b52f5781709227896b3

SHA512
4217caf74242412f7dc37cd3dc62900514a3206456b0abf18ea264a4b3938ddaa96e5c230cf60654dcab74b8ecf824f06506cd3e5332ad5be1763fbeb78099d9

Download Submit
memory/3488-13-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-9-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-14-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-15-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-18-0x00007FFED6D30000-0x00007FFED6D40000-memory.dmp

Filesize
64KB

Download
memory/3488-20-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-19-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-17-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-16-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-3-0x00007FFED9330000-0x00007FFED9340000-memory.dmp

Filesize
64KB

Download
memory/3488-11-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-8-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-7-0x00007FFED9330000-0x00007FFED9340000-memory.dmp

Filesize
64KB

Download
memory/3488-4-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-133-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-1-0x00007FFED9330000-0x00007FFED9340000-memory.dmp

Filesize
64KB

Download
memory/3488-0-0x00007FFED9330000-0x00007FFED9340000-memory.dmp

Filesize
64KB

Download
memory/3488-78-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-72-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-5-0x00007FFED9330000-0x00007FFED9340000-memory.dmp

Filesize
64KB

Download
memory/3488-6-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-12-0x00007FFED6D30000-0x00007FFED6D40000-memory.dmp

Filesize
64KB

Download
memory/3488-2-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-10-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-50-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-124-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-51-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-44-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-53-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-54-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-43-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-52-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-42-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-122-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-49-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-47-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-40-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-56-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-58-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-81-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-119-0x00007FFED9330000-0x00007FFED9340000-memory.dmp

Filesize
64KB

Download
memory/3556-120-0x00007FFED9330000-0x00007FFED9340000-memory.dmp

Filesize
64KB

Download
memory/3556-45-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-121-0x00007FFED9330000-0x00007FFED9340000-memory.dmp

Filesize
64KB

Download
memory/3556-123-0x00007FFED9330000-0x00007FFED9340000-memory.dmp

Filesize
64KB

Download
memory/3556-41-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-125-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download
memory/3556-48-0x00007FFF192B0000-0x00007FFF194A5000-memory.dmp

Filesize
2.0MB

Download