Analysis

Max time kernel: 144s
Max time network: 136s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26-03-2024 15:41

Static task: static1

Behavioral task: behavioral1
  Sample: Order request list.xls
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: Order request list.xls
  Resource: win10v2004-20240226-en
General

Target: Order request list.xls
Size: 317KB
MD5: e8c8fee58f84cd706cd5955773887500
SHA1: f80268a58e1f1635dd9ccd6dd029dae2bf93fd58
SHA256: 3ac1e9bc1c29e4f900a34d8e98672106887155015c3d868eb35b18a546f64af9
SHA512: c9a2e5b267d21ce88e8ac240590048702e1054f23fdaabbef234c58ceada0b9dcb177ad5ebb219ebffde3cf6e7679fa7dbf031881024b529e0155e0e9836f57e
SSDEEP: 6144:Q0unhXF7uY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVsHMI2brcbJTvhl8ult:Q9hXdn3bVsHMI2cJjZlTiAp
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  3024 | EXCEL.EXE
  3884 | WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeAuditPrivilege | 3884 | WINWORD.EXE

Suspicious use of SetWindowsHookEx (18 IoCs)
  pid | Process
  3024 | EXCEL.EXE (12 consecutive occurrences)
  3884 | WINWORD.EXE (4 consecutive occurrences)
  3024 | EXCEL.EXE (2 further occurrences)

Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 3884 wrote to memory of 3464 | 3884 | WINWORD.EXE | 97
  PID 3884 wrote to memory of 3464 | 3884 | WINWORD.EXE | 97

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

EXCEL.EXE (PID 3024, depth 1)
  Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order request list.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

WINWORD.EXE (PID 3884, depth 1)
  Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  splwow64.exe (PID 3464, depth 2, child of WINWORD.EXE)
    Image: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288

svchost.exe (PID 2440, depth 1)
  Image: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\ECA74084-DAEC-4D17-8250-DECFD9EADE13
  Filesize: 160KB
  MD5: fa56eb7425da9458f604484bf1d9a41c
  SHA1: 91b3c85210114ef1dde2ddbdecaba72099260181
  SHA256: aca644b9e5b31c6d97d8e2b06a31b41cee485e81c0218ea7afe7b39852bcb83e
  SHA512: 320abd9789fa25c535301000e3014ec656e892d46eec01595d510d4e812507eb98f35b339cda83f058cbb9d6b6f495f199e6576c90da60ca20888712aa3ce790

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 4306c238aaa13d7442227922e4d31f87
  SHA1: 1827e8f5d94e78efb120c44549950346edd1e1ee
  SHA256: 9e4d66939f6e667f48a0461d9a545cdba62e1eec13eb8732d8e7c2bf28dadb5e
  SHA512: 58b2dba07ca036a422e786ce66710459f66fc23d756bd9f0c4c69709d9ccf7e3168c5e4b5265ea2eddd56389c9123510e7c0641c2ca33973fc85e748c89fbdd8

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 4a7227f9c12dd0ef0bbb96c0497bbe3c
  SHA1: 4b1c7b0b2563916c4f6db17e0bb8d150b2ebf66f
  SHA256: 340cbcdd0f2590570ad87dbc82d84e477f3d27deae1b16f5815df9a7410ce121
  SHA512: 0097718d817ff1e7adb1d0e113ea30c2b02aa3af8bbbc4a87de9e540b209883754da0acd07d48d4b368faedfa49c57aa053a7dde464e0aba81253b028491b758

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K4KS10IH\kissinggreatwaytounderstandhowimkissingherwithlotofhearttounderstandyouaremygirliloveu_____sweethearttounderstandkissingmygirl[1].doc
  Filesize: 73KB
  MD5: 338da1470f51aa8116271555ee990e96
  SHA1: 0e1cb790e5bc6534c8757794512a8394a1f12d13
  SHA256: c02d7beb9210e4edc9fad4c7de3a6827994343e249d3f7544632d8f64847dc74
  SHA512: 00a79d3fb886066e5f701386e445457fa489b2a63083b75a2d8ae05965cdd21ac7a11dd5267950da882b4bd89d44860506cd650b57e138d96fff353b33919039