Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-03-2024 09:20
Static task: static1
Behavioral task: behavioral1
- Sample: Order request list.xls
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: Order request list.xls
- Resource: win10v2004-20240226-en
General
- Target: Order request list.xls
- Size: 317KB
- MD5: e8c8fee58f84cd706cd5955773887500
- SHA1: f80268a58e1f1635dd9ccd6dd029dae2bf93fd58
- SHA256: 3ac1e9bc1c29e4f900a34d8e98672106887155015c3d868eb35b18a546f64af9
- SHA512: c9a2e5b267d21ce88e8ac240590048702e1054f23fdaabbef234c58ceada0b9dcb177ad5ebb219ebffde3cf6e7679fa7dbf031881024b529e0155e0e9836f57e
- SSDEEP: 6144:Q0unhXF7uY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVsHMI2brcbJTvhl8ult:Q9hXdn3bVsHMI2cJjZlTiAp
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  3940 | EXCEL.EXE
  1644 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeAuditPrivilege | 1644 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  pid | Process
  3940 | EXCEL.EXE (12 entries)
  1644 | WINWORD.EXE (4 entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 1644 wrote to memory of 3112 | 1644 | WINWORD.EXE | 97
  PID 1644 wrote to memory of 3112 | 1644 | WINWORD.EXE | 97
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order request list.xls"
  PID: 3940
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 1644
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (depth 2, child of PID 1644)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 3112
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 212
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\422FDAA8-9699-47AD-874A-E67A5EE8AA8C
  Filesize: 160KB
  MD5: 6cccfe736058f9ea7041803921283797
  SHA1: e8e96014027b5a793818861d22004bafa47f1819
  SHA256: a474327c868945911f452246175fee91f61e992eef2fe2bc65ee78c95006ce08
  SHA512: 52fb36899e162c82dd695b5e16e61c9131c2091923b5c86e32aa43b954caedfb5e8742d9c6860e4d33de6b08238cbe84d3ddc0ea3d6ca6810294679ade1a6a92
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 664151f3d4744e8e375a8aaf6ed5d362
  SHA1: c4b3a07df9e6d4c0757820ee7139b34dc1d17082
  SHA256: 21917b02a90692454ee41e1fd6cbfe0edbc846c17592fad1eaefc869462dc45d
  SHA512: 504214405a05e731152d485cb81506996ac55a1f6b478a146cb5e20131d6fba5083a505578184397e71e4a50a338246564048ffcd5dedadfe920b3b121f538a5
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: e06cfa94be1672d64dc17d4e5c2e178d
  SHA1: 77ac9bf5dfb8b56600fe6c27dbd325a37f15d692
  SHA256: 1af6d19e6ae36193b22b375f9fb57aaed75c92ab242b8109ff8c83f333c2eeb5
  SHA512: fca77a238898dc49fc9e1a7740a0d2375fe7af2514f0b4f5885f2e06dc094db4cfd10218009364be4359ee5b2b1dad937acf8aa353ac9310c24e2ea1563c74ec
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6Y4OXOYV\kissinggreatwaytounderstandhowimkissingherwithlotofhearttounderstandyouaremygirliloveu_____sweethearttounderstandkissingmygirl[1].doc
  Filesize: 73KB
  MD5: 338da1470f51aa8116271555ee990e96
  SHA1: 0e1cb790e5bc6534c8757794512a8394a1f12d13
  SHA256: c02d7beb9210e4edc9fad4c7de3a6827994343e249d3f7544632d8f64847dc74
  SHA512: 00a79d3fb886066e5f701386e445457fa489b2a63083b75a2d8ae05965cdd21ac7a11dd5267950da882b4bd89d44860506cd650b57e138d96fff353b33919039