15feeb12f8460eebe263ec750d08dd79e1d26b2704726223f0dc7c6bacd1506d

Analysis

max time kernel
147s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GMB.xls
Size

317KB
MD5

cb5d55cbdd70a44948d1f976af168a59
SHA1

07d995e60e3dbdabf23690014c3a4c74aa1e2139
SHA256

15feeb12f8460eebe263ec750d08dd79e1d26b2704726223f0dc7c6bacd1506d
SHA512

5064d95029d85d8b68947176bd08a186dc18e09e24ed1eebe977710ac399cc6c3a0babfd44bd69d0a3ce14f4840f72ab01acfe0b0d87c377ab1d2cc306fb8e37
SSDEEP

6144:LuunJk9CBY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVd1MIhFjMaZ4EX0ikpM:LvJksA3bVd1MIXMa2EEL+B

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2252 EXCEL.EXE
1832 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1832 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	1832	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
2252	EXCEL.EXE
2252	EXCEL.EXE
2252	EXCEL.EXE
2252	EXCEL.EXE
2252	EXCEL.EXE
2252	EXCEL.EXE
2252	EXCEL.EXE
2252	EXCEL.EXE
2252	EXCEL.EXE
2252	EXCEL.EXE
2252	EXCEL.EXE
2252	EXCEL.EXE
1832	WINWORD.EXE
1832	WINWORD.EXE
1832	WINWORD.EXE
1832	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1832 wrote to memory of 2028	1832	WINWORD.EXE	splwow64.exe
PID 1832 wrote to memory of 2028	1832	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\GMB.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
77fff4010e48018b867bb350fb78b7c2

SHA1
31b0dfcc0b92a789cd5c94dbf8d0f5aca820ed31

SHA256
3e95094f49fea7951fb5ea5551a8b344c1ec16ddaf4f5da7b6bfe1151afa9ee5

SHA512
78a8fc7de1b3cbbc2225790bf55fd64b3c7fa922b4601dcbb1103cc12491da71ebae1eebfaa3a2ce2e0b3b3a7b7229dd448012c23a707f84aae8fe0e996c7e89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
0fb7645f336e03ccbfadad6319682901

SHA1
1719129c14f8f1239250ef8d7fc171e22126246c

SHA256
6a6a2ba8b4286f3ab23cf0fd7785352c61e0efc5076a96cb044ee06ebc056e92

SHA512
8251e53a9216b99aef3703cb333c3b532a978851af221388341aa237b8329aa8ed333648a399ab2a1e5fc2ee0f603c856fc8e95c3f11b6a44c7aa6909c823075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
9a679a5adeab591d1ebb9c93c69cb46b

SHA1
332278b67602e2111473c0304f50d987bb33f87d

SHA256
d6ae646485d3bfb318591cc7f928a391ca978e057a3ad645c667cd36cd65643a

SHA512
8f679b0c1f5ca2e1f92e9676450ca51280f464c969074c1e69e2678500417e184d712225bca017f72f36fda2b18bc5a55de07effa654b90b880741a5b4727398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CDB1BAC2-196B-4A5C-9048-05292CD609CF

Filesize
160KB

MD5
1849c8591bd3e179b9365606ff22d569

SHA1
831c815f20216a06f5aa9395e6f487f8fa33c750

SHA256
973cfccdb0c224631557c114d24c755aed82519048c36f2ccb840029c3e2d94a

SHA512
b91c60149465388896918b385d7fabdbde1dcdc4bb9f522bb3a8745df40adab285f23201859656efe3aca742b81570b051895e91fc6f1cf17cfbc41b03092526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
f92c3012746cde7473aec19d9e9e9b98

SHA1
60e071951458d49f82713aee7559201659cc10e3

SHA256
9502e26a7b32dc648e7d57db8773e7d5b641f4826bce51db547c94da95bd1b7b

SHA512
5427902a916438b97eb28a27d0ed40b58f2e8bf7fdad301f9d9dadc4ecb61b5b3eef97a7ae770097026e8e6fd9a26f99691c95025cbd02b45d5c1b024eacb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
d54ad62dae15efd1670ece4a4326ae62

SHA1
dfec29a0f9b2920c668f706eddba5ea2e37d3f9a

SHA256
8ba77b1c65e1dcb77dac2d2bd0c8947cf29fdee825d303d8d7fc20ffb31ab845

SHA512
a3b5a5a77ddc454573efe81893ddc9bf1558e7745f0dff3808134e757f374cbc0468e4810a50d3f4bca018f5068206edd25696d2d31aef14224760c45ca448bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
dbcae02b32c10961a00284b074aafc4f

SHA1
882922025b26e373b33c882ed4c3fb8a0f865176

SHA256
09b75982f82c49dcb78ec76f5fd831fafa26b095f3c9795bee1125b9322d33fa

SHA512
b1be7e408dacf6a9b80497e4b58fe9a3b8a7eef74983ca2c70f1af72754ad5876d02aee851e540155bc6c6744e4fdd11ac0d45bcb651e94f07237badc4caffaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3A2IAT6Y\wetrytosexwithhertrulyfromtheheartbecausesheisverybeautigfulgirlwholikesxwthmefromtheheart___toundersadhowmuchiwantherforexsheisvey[1].doc

Filesize
71KB

MD5
28f01b474be6aeb345aaca18388a3ad6

SHA1
ca62d1a84fc88a61ab5ec5162219f847ffd4ab70

SHA256
2562b562a8f29256cf16403c893b482838edee61e631639c39a705237046d225

SHA512
6e6fb47442a111643e57167b0e181aa6299362f0d3aaefb79fe5d75338af18798229f178af9a2c25ae50ffae18c6d5eef92770a76f5e4848dc5188bbfccff2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9215.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
230B

MD5
917fe82e6f0604edf64b881a7609da51

SHA1
e5556f531af825d564692dcb3a45fdd581d95996

SHA256
082600aeb814b0cd0ce8ec62a636a806a0bdaa2c25ed4ca2e744117aa1c18bcd

SHA512
e01aa4bf73cdfe43cb660158ff8fc362b69c8ac8c5ebe1d3e2d411cd1d9866dc076aa0ec8330ad6f0f770550d66dceae5579055118090928134e7166fd81dc53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
65c5fed710367592578e595d55aca422

SHA1
be144d8950be07c3996f0347b9e498b538c58527

SHA256
a4e91ed8848ad5a1822c6d7d22a722712a8c16753b9cb0095e84c4cedd874cd6

SHA512
5b592e5c8b271c68aa41cfe913b89a41c6f909eca49ea3df4d9a8a0e53783ecef0fcb43caf260e990376f49e495cb27f3eb4cb7625906e78858969a67e9ae910

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RFe577ca2.TMP

Filesize
5KB

MD5
d8d54c1803d9d59da92e473c7ebd7bb0

SHA1
64f792efd11718b07879169d09105af6afba25ac

SHA256
cdc3684d6dd8ba16ce076c3d537f5d1914946a2cf6f3df0285fe4120ec6736f7

SHA512
d0b09a624a556365142e07bb222107bc0599b6eb0ce52bb5f7bb66421b2dd7dd2952de20cde78294dd9efb4f0bd30a4fed9a3e0d3c8c7ad03f6b56168ad9776a

Download Submit
memory/1832-42-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1832-44-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1832-578-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1832-577-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1832-52-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1832-51-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1832-50-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1832-49-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1832-47-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1832-45-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1832-40-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-22-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-10-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-14-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-21-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-20-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-19-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-17-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-18-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-13-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-11-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-12-0x00007FFD81E10000-0x00007FFD81E20000-memory.dmp

Filesize
64KB

Download
memory/2252-0-0x00007FFD83E70000-0x00007FFD83E80000-memory.dmp

Filesize
64KB

Download
memory/2252-8-0x00007FFD81E10000-0x00007FFD81E20000-memory.dmp

Filesize
64KB

Download
memory/2252-9-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-7-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-6-0x00007FFD83E70000-0x00007FFD83E80000-memory.dmp

Filesize
64KB

Download
memory/2252-4-0x00007FFD83E70000-0x00007FFD83E80000-memory.dmp

Filesize
64KB

Download
memory/2252-5-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-3-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-2-0x00007FFD83E70000-0x00007FFD83E80000-memory.dmp

Filesize
64KB

Download
memory/2252-1-0x00007FFD83E70000-0x00007FFD83E80000-memory.dmp

Filesize
64KB

Download
memory/2252-576-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-16-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-15-0x00007FFDC3DF0000-0x00007FFDC3FE5000-memory.dmp

Filesize
2.0MB

Download