d483c4f1670ea7a69f9cdbbf716e67f1511e271d485229566afaa67011304dd6

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ-000753.xla.xls
Size

62KB
MD5

42d3837bf1dc78a79c488153d7ff0ca9
SHA1

40dd20643ba58bb81a27c3be4c37c84cc6a2ce6f
SHA256

d483c4f1670ea7a69f9cdbbf716e67f1511e271d485229566afaa67011304dd6
SHA512

18b9ce199b52a66f7a3666226defaf4ecdecf4293e8fd7bd51f3896e1b0f24d7d7cbe6034a16fd8f43d6c9882888a9612f2b6d73b33dcffa309a6442d7f1373d
SSDEEP

768:UyBP0/+sG1tzXyBP0nApAEhJrOawVkC43+1eaIqnxMsijgO4E9XFzd:U68/pG1tzX68ApAEzrOawaaZus04E9

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2308 EXCEL.EXE
2368 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 2368 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	2368	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
2308	EXCEL.EXE
2308	EXCEL.EXE
2308	EXCEL.EXE
2308	EXCEL.EXE
2308	EXCEL.EXE
2308	EXCEL.EXE
2308	EXCEL.EXE
2308	EXCEL.EXE
2368	WINWORD.EXE
2368	WINWORD.EXE
2368	WINWORD.EXE
2368	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2368 wrote to memory of 2156	2368	WINWORD.EXE	splwow64.exe
PID 2368 wrote to memory of 2156	2368	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RFQ-000753.xla.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
5cc2e0e109c3d69d03e379265c71e84b

SHA1
089f290c62a64b9bfc09e52f83fdf6fa271c86e8

SHA256
d0548244625b1b1d9bfb926006b7b322fca18feeab10dbec29eb7d15ef5c71bb

SHA512
49b4fa01530827fc43d90fa44a24c829e41517e61c54b9ff3813f1185bf1c19ff1c205ec3a590dcd07428b40396dcb0d9e7e9adce617d1b10ae01bb897824096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
7c3a4d5cc623e8646b275a01f0356a85

SHA1
5a4850956a901ca7b56061aeb67e3beae5d860f2

SHA256
76e6c85cbd09d0091c204dfa2c03703e3c490b92bba595c597392d2f5bcfe04a

SHA512
3e61e96afd5f0ffb2f2360791b97477e937c885b817e4b2da7d853260d3b4f527d0c10bfa222ccd6ec1ef9686cab54259cc1f32afd624e058659b4700bf6f22d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\50117AF1-9FD3-4B96-B7D9-D2FB1279D921

Filesize
160KB

MD5
8344197427a4fc6f5de6472e2deda83c

SHA1
a7d93b9574453ab7926ac7ee6b182f6eae5e9644

SHA256
99e3b47a3ee56b035766e6d29666784eb2013d8ecb71f1b7a03cde84de181bc5

SHA512
24d82cedb234af9570828932b8cf8895131618a76d38be39641f67db24d8982c60f20c4109a61283430c59287f55830e57d0925528848c070f3be391d0b5c55f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
5e59a42593e8c59b2cd0b93bd02fa978

SHA1
26b626d6434d9b807001622476e5c74ba6662373

SHA256
1bbd91a2a1d314a1e3c52bc77803e8bea428edb218cbd74c16dc3fd276e9e4d0

SHA512
3f7ef2ad7d761a95c9623010dabc069acc7b07a7dbfe49dbd7323467ebe8748b092886a821d10b0ad9ffe30f843586c432d3f3ec1a9c633f220e54e7f65c9d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
7eef3bce952a8fa8d4fad7085f88b745

SHA1
f46c8d1dbaa8cbfb4b5d655011b2fd426f02cdd7

SHA256
84f5800df7301ea756456bc602d29a79b534d4abbf67098161daa04dd5943191

SHA512
0f921d871a4586d473eb17ebee254dd345bc6fea3eb01a396d4b67fc943c4b463aa22acdec6234214a784f1c233cb5509e334d7ac86e6a3a73506f33342d099a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N1D00922\ilovehimtrulyfrommediafxpixelhandtreatedbymediapixelnetworkstilleverythinggodd____sweetkissigivenheronneckandfacetoget[1].doc

Filesize
61KB

MD5
e7b1dab5d64b8e37ab2c8b0a05fd486c

SHA1
5ae4d3a7dec17b9740d4573e8f1014769e683f79

SHA256
fc8d8e349b245c33b43169523d6d8ebbc617f07d3ec592bc71eccba272a53bed

SHA512
1d68bb3e96612a9dca2a7d7dbfcf17297e0c39ed6e9dd7425c21176723393dfbbf6133c7cf1441e1a971fe8d46b89d08fda9fab02679efe24e70948d187ff710

Download Submit
memory/2308-11-0x00007FFAE55D0000-0x00007FFAE55E0000-memory.dmp

Filesize
64KB

Download
memory/2308-18-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-8-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-9-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-10-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-0-0x00007FFAE7A70000-0x00007FFAE7A80000-memory.dmp

Filesize
64KB

Download
memory/2308-12-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-13-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-14-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-15-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-17-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-6-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-19-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-16-0x00007FFAE55D0000-0x00007FFAE55E0000-memory.dmp

Filesize
64KB

Download
memory/2308-21-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-20-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-118-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-2-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-1-0x00007FFAE7A70000-0x00007FFAE7A80000-memory.dmp

Filesize
64KB

Download
memory/2308-64-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-4-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2308-7-0x00007FFAE7A70000-0x00007FFAE7A80000-memory.dmp

Filesize
64KB

Download
memory/2308-3-0x00007FFAE7A70000-0x00007FFAE7A80000-memory.dmp

Filesize
64KB

Download
memory/2308-5-0x00007FFAE7A70000-0x00007FFAE7A80000-memory.dmp

Filesize
64KB

Download
memory/2368-39-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2368-44-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2368-43-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2368-42-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2368-40-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2368-38-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2368-37-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2368-65-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2368-35-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2368-33-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2368-108-0x00007FFAE7A70000-0x00007FFAE7A80000-memory.dmp

Filesize
64KB

Download
memory/2368-109-0x00007FFAE7A70000-0x00007FFAE7A80000-memory.dmp

Filesize
64KB

Download
memory/2368-110-0x00007FFAE7A70000-0x00007FFAE7A80000-memory.dmp

Filesize
64KB

Download
memory/2368-111-0x00007FFAE7A70000-0x00007FFAE7A80000-memory.dmp

Filesize
64KB

Download
memory/2368-113-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2368-115-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download
memory/2368-32-0x00007FFB279F0000-0x00007FFB27BE5000-memory.dmp

Filesize
2.0MB

Download