Resubmissions

26-03-2024 15:41

240326-s4zq5sdc96 10

26-03-2024 09:20

240326-la8zdshh8x 10

Analysis

  • max time kernel
    144s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-03-2024 15:41

General

  • Target

    Order request list.xls

  • Size

    317KB

  • MD5

    e8c8fee58f84cd706cd5955773887500

  • SHA1

    f80268a58e1f1635dd9ccd6dd029dae2bf93fd58

  • SHA256

    3ac1e9bc1c29e4f900a34d8e98672106887155015c3d868eb35b18a546f64af9

  • SHA512

    c9a2e5b267d21ce88e8ac240590048702e1054f23fdaabbef234c58ceada0b9dcb177ad5ebb219ebffde3cf6e7679fa7dbf031881024b529e0155e0e9836f57e

  • SSDEEP

    6144:Q0unhXF7uY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVsHMI2brcbJTvhl8ult:Q9hXdn3bVsHMI2cJjZlTiAp

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order request list.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3024
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3884
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3464
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:2440

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\ECA74084-DAEC-4D17-8250-DECFD9EADE13
    Filesize: 160KB
    MD5: fa56eb7425da9458f604484bf1d9a41c
    SHA1: 91b3c85210114ef1dde2ddbdecaba72099260181
    SHA256: aca644b9e5b31c6d97d8e2b06a31b41cee485e81c0218ea7afe7b39852bcb83e
    SHA512: 320abd9789fa25c535301000e3014ec656e892d46eec01595d510d4e812507eb98f35b339cda83f058cbb9d6b6f495f199e6576c90da60ca20888712aa3ce790

  • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
    Filesize: 2KB
    MD5: 4306c238aaa13d7442227922e4d31f87
    SHA1: 1827e8f5d94e78efb120c44549950346edd1e1ee
    SHA256: 9e4d66939f6e667f48a0461d9a545cdba62e1eec13eb8732d8e7c2bf28dadb5e
    SHA512: 58b2dba07ca036a422e786ce66710459f66fc23d756bd9f0c4c69709d9ccf7e3168c5e4b5265ea2eddd56389c9123510e7c0641c2ca33973fc85e748c89fbdd8

  • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
    Filesize: 2KB
    MD5: 4a7227f9c12dd0ef0bbb96c0497bbe3c
    SHA1: 4b1c7b0b2563916c4f6db17e0bb8d150b2ebf66f
    SHA256: 340cbcdd0f2590570ad87dbc82d84e477f3d27deae1b16f5815df9a7410ce121
    SHA512: 0097718d817ff1e7adb1d0e113ea30c2b02aa3af8bbbc4a87de9e540b209883754da0acd07d48d4b368faedfa49c57aa053a7dde464e0aba81253b028491b758

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K4KS10IH\kissinggreatwaytounderstandhowimkissingherwithlotofhearttounderstandyouaremygirliloveu_____sweethearttounderstandkissingmygirl[1].doc
    Filesize: 73KB
    MD5: 338da1470f51aa8116271555ee990e96
    SHA1: 0e1cb790e5bc6534c8757794512a8394a1f12d13
    SHA256: c02d7beb9210e4edc9fad4c7de3a6827994343e249d3f7544632d8f64847dc74
    SHA512: 00a79d3fb886066e5f701386e445457fa489b2a63083b75a2d8ae05965cdd21ac7a11dd5267950da882b4bd89d44860506cd650b57e138d96fff353b33919039

  • memory/3024-22-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-4-0x00007FFEB04B0000-0x00007FFEB04C0000-memory.dmp (Filesize: 64KB)
  • memory/3024-7-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-86-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-8-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-9-0x00007FFEADEA0000-0x00007FFEADEB0000-memory.dmp (Filesize: 64KB)
  • memory/3024-10-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-12-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-11-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-13-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-14-0x00007FFEADEA0000-0x00007FFEADEB0000-memory.dmp (Filesize: 64KB)
  • memory/3024-15-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-16-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-17-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-18-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-3-0x00007FFEB04B0000-0x00007FFEB04C0000-memory.dmp (Filesize: 64KB)
  • memory/3024-20-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-21-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-2-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-26-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-87-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-6-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-19-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3024-1-0x00007FFEB04B0000-0x00007FFEB04C0000-memory.dmp (Filesize: 64KB)
  • memory/3024-0-0x00007FFEB04B0000-0x00007FFEB04C0000-memory.dmp (Filesize: 64KB)
  • memory/3024-5-0x00007FFEB04B0000-0x00007FFEB04C0000-memory.dmp (Filesize: 64KB)
  • memory/3884-55-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-59-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-54-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-58-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-57-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-60-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-62-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-65-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-51-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-52-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-88-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-66-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-50-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-49-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-48-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-45-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)
  • memory/3884-63-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp (Filesize: 2.0MB)