Analysis
-
max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
27-03-2024 06:51
Static task
static1
Behavioral task
behavioral1
Sample
RFQ No. 5490490.xla.xls
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
RFQ No. 5490490.xla.xls
Resource
win10v2004-20240226-en
General
-
Target
RFQ No. 5490490.xla.xls
-
Size
49KB
-
MD5
dba95d2f630d7e2acde0f139b9bbaf2e
-
SHA1
5396681f648bec74056b55bd01a265eba43c2fc6
-
SHA256
f5ab99bae38d4910c1786a50abbfb3bd3c7b80e87ad86d5ce08405a9b571bce6
-
SHA512
1e8621a1098b6711b389f9876b8b7f656d80e64e893423e6d15d22bbc34e510c4382467cd65d333a57c8a5c1c6472acca5c58c3ed1fda27a3d287fae4aefad1f
-
SSDEEP
1536:iX68U7CPCEj2CqAQO5MQC23zMt0X5z/v5/bH:iX68ZaEj2Ch5J3y0dX5
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
644 | EXCEL.EXE
4192 | WINWORD.EXE
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeAuditPrivilege | 4192 | WINWORD.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
644 | EXCEL.EXE
644 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
644 | EXCEL.EXE (8 IoCs)
4192 | WINWORD.EXE (4 IoCs)
-
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 4192 wrote to memory of 4404 | 4192 | WINWORD.EXE | 97
PID 4192 wrote to memory of 4404 | 4192 | WINWORD.EXE | 97
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
- "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RFQ No. 5490490.xla.xls"
  PID: 644
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 4192
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe 12288 (child of PID 4192)
    PID: 4404
- C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 3820
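As an added example (not part of this sandbox report and not Tria.ge tooling), the following Python triages the Signatures and Processes sections above: it groups the hardware-fingerprint registry reads from the two registry signature tables by process image, and classifies each WriteProcessMemory row against the parent/child relations in the process tree. The IoC rows are transcribed by hand from this report; the tuple layout, the OFFICE_IMAGES set and the allowlisting of splwow64.exe (the 32-bit print-driver host that Office starts itself) are this example's own assumptions, not findings stated by the report.

```python
"""Triage helper for the signature rows of an Office sandbox report (added example).

Rows below are transcribed from this page's report, not parsed live from a
sandbox. The field layout and the allowlist are assumptions of this example.
"""
import re
from collections import Counter, defaultdict

# (action, registry path, process image) -- transcribed from the
# "Checks processor information in registry" and "Enumerates system info
# in registry" tables of the report.
REGISTRY_IOCS = [
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "EXCEL.EXE"),
    ("Key opened",        r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "WINWORD.EXE"),
    ("Key opened",        r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0", "EXCEL.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "EXCEL.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily", "EXCEL.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU", "EXCEL.EXE"),
    ("Key opened",        r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU", "WINWORD.EXE"),
    ("Key opened",        r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS", "EXCEL.EXE"),
]

# (pid, image, parent pid) -- from the Processes section; None marks a tree root.
PROCESSES = [
    (644,  "EXCEL.EXE",    None),
    (4192, "WINWORD.EXE",  None),
    (4404, "splwow64.exe", 4192),
    (3820, "svchost.exe",  None),
]

# (source pid, target pid) -- the two WriteProcessMemory rows of the report.
PROCESS_WRITES = [(4192, 4404), (4192, 4404)]

OFFICE_IMAGES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# Assumption of this example: Office routinely spawns the print-driver host
# and writes into it at creation, so that pair is allowlisted for triage.
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}

# Hardware-description keys read by sandbox-fingerprinting code. Matched
# case-insensitively because the report mixes HARDWARE\DESCRIPTION and
# Hardware\Description for the same key.
FINGERPRINT_RE = re.compile(
    r"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\(CentralProcessor|BIOS)\b",
    re.IGNORECASE,
)


def fingerprint_values_by_process(rows=REGISTRY_IOCS):
    """Map each process image to the set of hardware values it actually read.

    Only 'Key value queried' rows count: opening the parent key alone yields
    no fingerprint data, so those rows are ignored.
    """
    read = defaultdict(set)
    for action, path, image in rows:
        if action == "Key value queried" and FINGERPRINT_RE.search(path):
            read[image.upper()].add(path.rsplit("\\", 1)[-1])
    return dict(read)


def classify_process_writes(writes=PROCESS_WRITES, procs=PROCESSES):
    """Label each distinct (source, target) memory write.

    expected   - an Office process writing into a child it spawned itself
                 and that is on the allowlist
    suspicious - an Office process writing into any other process
    review     - a non-Office source; outside this helper's scope
    """
    by_pid = {pid: (image, parent) for pid, image, parent in procs}
    verdicts = {}
    for src, dst in writes:
        src_image, _ = by_pid[src]
        dst_image, dst_parent = by_pid[dst]
        if src_image.upper() not in OFFICE_IMAGES:
            verdicts[(src, dst)] = "review"
        elif dst_parent == src and dst_image.lower() in EXPECTED_OFFICE_CHILDREN:
            verdicts[(src, dst)] = "expected"
        else:
            verdicts[(src, dst)] = "suspicious"
    return verdicts


def summarize():
    """One line per finding, suitable for pasting into triage notes."""
    lines = []
    for image, values in sorted(fingerprint_values_by_process().items()):
        lines.append(f"{image}: read hardware fingerprint values {sorted(values)}")
    counts = Counter(PROCESS_WRITES)
    for (src, dst), verdict in sorted(classify_process_writes().items()):
        lines.append(f"PID {src} -> PID {dst}: {verdict} ({counts[(src, dst)]} writes)")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize()))
```

Run the file directly to print the summary. On this report both EXCEL.EXE and WINWORD.EXE read the same four values (ProcessorNameString, ~MHz, SystemFamily, SystemSKU), and the only memory write is WINWORD.EXE (4192) into its own splwow64.exe child (4404), which the helper labels expected under the stated allowlist; an Office process writing into any process it did not spawn would be labeled suspicious.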
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D382E9B8-CEA4-4006-8CAD-3E4397CCB53A
Filesize 14KB
MD5 26d79410c9454f1a6621ede500b6b5a7
SHA1 8561921e88fea84775716012302862f546d1e5f2
SHA256 f401d3c9c4673df1b996ebe7e1bb86a1b5568426b81b1655b883d1990be07f6c
SHA512 f7100d1ca00b7aa037c3c953924d6292d756df444bb6316c01a8e2c09563c654c52fcb1200dc3779078070152afa43863e144413c958a49c2f27739f2d52eaba
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize 2KB
MD5 7e6a939138c79273d8c7bdba7c144dce
SHA1 95356cc53e9363bbf405766d3b9ff01fdea1b202
SHA256 aff0ac657b110a14a0e2a6775c5fdb6c0a836b71c0a0bc4807c83f4c39f7702e
SHA512 12e540c62b078b873c0518bd2e6fb1b3594f81482993992631c5b12289ac0a8bdff62079f9b8281673ce1c299c3a7975778a1f4440ec0b5b6210d1b2732c10f2
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize 2KB
MD5 7471bc5951f5bfab50b7fc4e7a60bc19
SHA1 5d8f296d603ffa9990f08c9d4ec57e8014f919f2
SHA256 79aa4ad66837e443db4ae561def71feabdf5927dba3bed02a945a484887fbd58
SHA512 01fcf593b03bf36ff707afd767861cc31e2623b9faa4171fa180fc742ae60307f1737ef5e71fc60670410c8dc88ab9455cd43e9726053b8dcd85b6487ab91d2b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V26HJUC5\kissofsosweetgirlwithabeautifullipssheneverexpectedthatkissfromemwhatabeautifulgirlshesis_____sheisluckygirlforkissing[1].doc
Filesize 73KB
MD5 afc0fdcc9bd5c6afdb060d0b6101babc
SHA1 3581cfd24a7b538b79854a84c751cbfeece74fd9
SHA256 302c63158c0f6d25a02f599b7b36cb4070dc82235b6ff4cd8647326471f367bd
SHA512 9cdbc20bc96500e72ee57fc49b6c064b1d98ea776e85bbabc844a2b8d5c3ae509df74bf63be34b44b9d0fa0882deb9c5329de319d04fba20d89e641290f7be06