Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-03-2024 06:54
Static task: static1
Behavioral task: behavioral1
- Sample: 1.xls
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 1.xls
- Resource: win10v2004-20240226-en
General
- Target: 1.xls
- Size: 49KB
- MD5: 1620224d6efdc7d009b64899a6a67626
- SHA1: aa99049bcb8caaac23c7c3a9488b47435ce524ec
- SHA256: d1836e6e0661938656d0d8883daa624f59b4a0885cd663be712bfa88a5ccea19
- SHA512: 88720b9050af39543b21ca51f4771b7b9afecbc7db697fb0116208d2ea18ea290d6b6304ced66d8d602b07cf13664fd4715b0816bd0d93a352c69a275d6600a5
- SSDEEP: 768:fXyBP0IZ3ovboGfJlETRro0LPpeTQMjpHJDQ/QxLEC65:fX68OPwUTRrnp2hjFJDREC
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  3012 | EXCEL.EXE
  1368 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeAuditPrivilege | 1368 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  3012 | EXCEL.EXE (8 entries)
  1368 | WINWORD.EXE (4 entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 1368 wrote to memory of 4644 | 1368 | WINWORD.EXE | 99
  PID 1368 wrote to memory of 4644 | 1368 | WINWORD.EXE | 99
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1.xls"
  PID: 3012
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 1368
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 4644
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 2308
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 471B
  MD5: 9e630c60a3049f2243e7b0529220f290
  SHA1: 8b451341de008140f05b3c53710e4a3988b6e9cb
  SHA256: c39dfbb0481eec89862e5ca4047f8409843162506df7d1f3606d7ca81c77df2a
  SHA512: 52b5dcd8b86a53372425a26705d4079aa75dcee7583ad6ddb3866e341c05e01e0a391c0f0a9023f176e3ddcc76b60bab1a2f9711db04f41205be1f2015987718
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 412B
  MD5: 5096c263b3f4a5ece57269147c2706c0
  SHA1: faca522b44c2b8f9d5b6b96b09deb5df5432925a
  SHA256: 37eeeb3d8944f29cfa9b5b1626cc8a0a87d2e890a1265bac007acaecc6dd694b
  SHA512: 25fa6d7fe0ad07eff6f3f9548634bacff6229543af6b0af36bbafd7cffceb826a00e203dbfbfd4c80cae15eeffc4ee9fdf82dda6cf4bb1f6f8919f5bd1b6088e
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1B3DE161-0096-4739-8E6B-449F31A63A9F
  Filesize: 160KB
  MD5: 6fdaac279ab1159cb96015cefe43b668
  SHA1: 3a6ffd4441316db3b80e0bd1407f43867540d5ea
  SHA256: 7e430426a2a60dddbbc122c2e201eade1003b9edbd2a1fc699a178b3daf99946
  SHA512: 75e85cdf3921ef41d0bc5afeab34ddf9f15c868abc1de0700597872507414cbd9520fb0a8c092479bf7395e38b2924092895f980e2b1f587e802ff8a1a326a68
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: a5c539f5386ec2d0ef3e0347e70c99bf
  SHA1: 380203907c563f6a7e58d1610c32082bf62aae5e
  SHA256: a1829a95890c956c3af2f329acce18e64e5b59b98c87b3beae75452925e6cdfa
  SHA512: 9f706b411bff3af727ceb98cde6431b4d2348bc32d1f2525ab1685dd78870da108a47bfa998a044ee2bf540a8f8195bdd320ce0bdb467b23ff6205f498178440
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 00acc543585bc544a8af53d0254f9d1d
  SHA1: 95830ce3d27462326c1c5d4a6d77445a019fc4b3
  SHA256: 9d99bdcfb21f2aff6341a079e991fe9ae848f37381bc3c5adc621ca535c17112
  SHA512: 6675c9103c22f460b736b54899bfc61fa9e8f310078fd2291f7cae89b33936f9f347483c92ea8c59b3d95a85b8828e71715bd8810c8e329861a1a6230a629dd3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K4KS10IH\heisagirlwholovedmealotwithoutanyexptationssheisreallyagoodgirlshemybabydear_____itrulylovedherfromthehearbecauseverycutebayb[1].doc
  Filesize: 72KB
  MD5: 1b64a140f23bd235c3c482429cb05065
  SHA1: 141c5ad46db205b08032c22292bef782007fa771
  SHA256: 87394948b0df5b356230dcef42c97b38b2cfa29df166f9cc820b0ff440f491f2
  SHA512: c9a3cfa93b6edf9644e8eeb2b8f17a6be704d9256c922e3a558e71d82ed752ed3eb9eda4a5739d60712af891929b989a2600151e3ba1e7cde7eaac74cc891b30