d1836e6e0661938656d0d8883daa624f59b4a0885cd663be712bfa88a5ccea19

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.xls
Size

49KB
MD5

1620224d6efdc7d009b64899a6a67626
SHA1

aa99049bcb8caaac23c7c3a9488b47435ce524ec
SHA256

d1836e6e0661938656d0d8883daa624f59b4a0885cd663be712bfa88a5ccea19
SHA512

88720b9050af39543b21ca51f4771b7b9afecbc7db697fb0116208d2ea18ea290d6b6304ced66d8d602b07cf13664fd4715b0816bd0d93a352c69a275d6600a5
SSDEEP

768:fXyBP0IZ3ovboGfJlETRro0LPpeTQMjpHJDQ/QxLEC65:fX68OPwUTRrnp2hjFJDREC

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3012 EXCEL.EXE
1368 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1368 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	1368	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
3012	EXCEL.EXE
3012	EXCEL.EXE
3012	EXCEL.EXE
3012	EXCEL.EXE
3012	EXCEL.EXE
3012	EXCEL.EXE
3012	EXCEL.EXE
3012	EXCEL.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1368 wrote to memory of 4644	1368	WINWORD.EXE	splwow64.exe
PID 1368 wrote to memory of 4644	1368	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
9e630c60a3049f2243e7b0529220f290

SHA1
8b451341de008140f05b3c53710e4a3988b6e9cb

SHA256
c39dfbb0481eec89862e5ca4047f8409843162506df7d1f3606d7ca81c77df2a

SHA512
52b5dcd8b86a53372425a26705d4079aa75dcee7583ad6ddb3866e341c05e01e0a391c0f0a9023f176e3ddcc76b60bab1a2f9711db04f41205be1f2015987718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
5096c263b3f4a5ece57269147c2706c0

SHA1
faca522b44c2b8f9d5b6b96b09deb5df5432925a

SHA256
37eeeb3d8944f29cfa9b5b1626cc8a0a87d2e890a1265bac007acaecc6dd694b

SHA512
25fa6d7fe0ad07eff6f3f9548634bacff6229543af6b0af36bbafd7cffceb826a00e203dbfbfd4c80cae15eeffc4ee9fdf82dda6cf4bb1f6f8919f5bd1b6088e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1B3DE161-0096-4739-8E6B-449F31A63A9F

Filesize
160KB

MD5
6fdaac279ab1159cb96015cefe43b668

SHA1
3a6ffd4441316db3b80e0bd1407f43867540d5ea

SHA256
7e430426a2a60dddbbc122c2e201eade1003b9edbd2a1fc699a178b3daf99946

SHA512
75e85cdf3921ef41d0bc5afeab34ddf9f15c868abc1de0700597872507414cbd9520fb0a8c092479bf7395e38b2924092895f980e2b1f587e802ff8a1a326a68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
a5c539f5386ec2d0ef3e0347e70c99bf

SHA1
380203907c563f6a7e58d1610c32082bf62aae5e

SHA256
a1829a95890c956c3af2f329acce18e64e5b59b98c87b3beae75452925e6cdfa

SHA512
9f706b411bff3af727ceb98cde6431b4d2348bc32d1f2525ab1685dd78870da108a47bfa998a044ee2bf540a8f8195bdd320ce0bdb467b23ff6205f498178440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
00acc543585bc544a8af53d0254f9d1d

SHA1
95830ce3d27462326c1c5d4a6d77445a019fc4b3

SHA256
9d99bdcfb21f2aff6341a079e991fe9ae848f37381bc3c5adc621ca535c17112

SHA512
6675c9103c22f460b736b54899bfc61fa9e8f310078fd2291f7cae89b33936f9f347483c92ea8c59b3d95a85b8828e71715bd8810c8e329861a1a6230a629dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K4KS10IH\heisagirlwholovedmealotwithoutanyexptationssheisreallyagoodgirlshemybabydear_____itrulylovedherfromthehearbecauseverycutebayb[1].doc

Filesize
72KB

MD5
1b64a140f23bd235c3c482429cb05065

SHA1
141c5ad46db205b08032c22292bef782007fa771

SHA256
87394948b0df5b356230dcef42c97b38b2cfa29df166f9cc820b0ff440f491f2

SHA512
c9a3cfa93b6edf9644e8eeb2b8f17a6be704d9256c922e3a558e71d82ed752ed3eb9eda4a5739d60712af891929b989a2600151e3ba1e7cde7eaac74cc891b30

Download Submit
memory/1368-48-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-42-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-123-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-124-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-41-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-46-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-44-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-71-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-29-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-31-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-33-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-35-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-36-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-38-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-39-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-40-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-11-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-66-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-12-0x00007FFC4AED0000-0x00007FFC4AEE0000-memory.dmp

Filesize
64KB

Download
memory/3012-0-0x00007FFC4D630000-0x00007FFC4D640000-memory.dmp

Filesize
64KB

Download
memory/3012-10-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-9-0x00007FFC4D630000-0x00007FFC4D640000-memory.dmp

Filesize
64KB

Download
memory/3012-8-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-7-0x00007FFC4D630000-0x00007FFC4D640000-memory.dmp

Filesize
64KB

Download
memory/3012-6-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-5-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-2-0x00007FFC4D630000-0x00007FFC4D640000-memory.dmp

Filesize
64KB

Download
memory/3012-13-0x00007FFC4AED0000-0x00007FFC4AEE0000-memory.dmp

Filesize
64KB

Download
memory/3012-69-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-70-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-4-0x00007FFC4D630000-0x00007FFC4D640000-memory.dmp

Filesize
64KB

Download
memory/3012-112-0x00007FFC4D630000-0x00007FFC4D640000-memory.dmp

Filesize
64KB

Download
memory/3012-113-0x00007FFC4D630000-0x00007FFC4D640000-memory.dmp

Filesize
64KB

Download
memory/3012-114-0x00007FFC4D630000-0x00007FFC4D640000-memory.dmp

Filesize
64KB

Download
memory/3012-116-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-115-0x00007FFC4D630000-0x00007FFC4D640000-memory.dmp

Filesize
64KB

Download
memory/3012-118-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-119-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-3-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-1-0x00007FFC8D5B0000-0x00007FFC8D7A5000-memory.dmp

Filesize
2.0MB

Download