Analysis
- max time kernel: 138s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-03-2024 06:54
Static task: static1
Behavioral task: behavioral1
  Sample: 1.xla.xls
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1.xla.xls
  Resource: win10v2004-20240226-en
General
- Target: 1.xla.xls
- Size: 49KB
- MD5: 1620224d6efdc7d009b64899a6a67626
- SHA1: aa99049bcb8caaac23c7c3a9488b47435ce524ec
- SHA256: d1836e6e0661938656d0d8883daa624f59b4a0885cd663be712bfa88a5ccea19
- SHA512: 88720b9050af39543b21ca51f4771b7b9afecbc7db697fb0116208d2ea18ea290d6b6304ced66d8d602b07cf13664fd4715b0816bd0d93a352c69a275d6600a5
- SSDEEP: 768:fXyBP0IZ3ovboGfJlETRro0LPpeTQMjpHJDQ/QxLEC65:fX68OPwUTRrnp2hjFJDREC
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description        ioc                                                        Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   Process
  400   EXCEL.EXE
  2352  WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeAuditPrivilege  2352  WINWORD.EXE
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid   Process      hits
  400   EXCEL.EXE    8
  2352  WINWORD.EXE  4
- Suspicious use of WriteProcessMemory (2 IoCs)
  description                         pid   Process      procid_target
  PID 2352 wrote to memory of 4324    2352  WINWORD.EXE  102
  PID 2352 wrote to memory of 4324    2352  WINWORD.EXE  102
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1.xla.xls"
  PID: 400
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 2352
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 4324
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 1756
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D0A696EC-E466-4BE1-8998-DDA71B1B1773
  Filesize: 160KB
  MD5: 2a1657672444801717f9e6d606f8380c
  SHA1: 3efa2e766410b872800d2efe4a5bdf7b1570cdf9
  SHA256: 4d76f400a6ebc80e278f144df04b12f101de68cf1283e679850894833c096ec2
  SHA512: df318e59a310c429ee60b72541845af71819f184a873ae8766d0995eff33eb5da8dff7503194534fc9dbc5a255a1da19a4b1f4087802edd5b381ae55fc064523
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: a9889c14f23ba629f87451d76e790bdc
  SHA1: c53da732eac2653b545325ade55e4c00c54a398d
  SHA256: ec9fca01e9364621d99fa72745922503b7e3291b2599dc0aacce2ffbb29586c6
  SHA512: 012239098a1dc2fc7f59a88a4cb1900eaea9cc984bf886c62356074291670fba03ce6e410386928f1dc239d4bfa4c8827dfd33e49b70833f679d0f69ae3afba1
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 1fe4f9176a0886a997cc0b6e7aa0731d
  SHA1: 2923b865953347ae95c3ba52a95f91972bf74952
  SHA256: c1f5efcd445ce07b08b298558cff307bf3d314cf2e305b6b5857d6305d6b89e0
  SHA512: 171efd2bd4d30e876522f69b8add42894caac5ecd440a8e6af7265a319c86cc27559333ffca1c43b3d7a870ba7dd483b78985f4ea3e4a2907eaccc300c5964ea
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2ZG7H8ZF\heisagirlwholovedmealotwithoutanyexptationssheisreallyagoodgirlshemybabydear_____itrulylovedherfromthehearbecauseverycutebayb[1].doc
  Filesize: 72KB
  MD5: 1b64a140f23bd235c3c482429cb05065
  SHA1: 141c5ad46db205b08032c22292bef782007fa771
  SHA256: 87394948b0df5b356230dcef42c97b38b2cfa29df166f9cc820b0ff440f491f2
  SHA512: c9a3cfa93b6edf9644e8eeb2b8f17a6be704d9256c922e3a558e71d82ed752ed3eb9eda4a5739d60712af891929b989a2600151e3ba1e7cde7eaac74cc891b30