15feeb12f8460eebe263ec750d08dd79e1d26b2704726223f0dc7c6bacd1506d

General

Target

GMB.xls
Size

317KB
MD5

cb5d55cbdd70a44948d1f976af168a59
SHA1

07d995e60e3dbdabf23690014c3a4c74aa1e2139
SHA256

15feeb12f8460eebe263ec750d08dd79e1d26b2704726223f0dc7c6bacd1506d
SHA512

5064d95029d85d8b68947176bd08a186dc18e09e24ed1eebe977710ac399cc6c3a0babfd44bd69d0a3ce14f4840f72ab01acfe0b0d87c377ab1d2cc306fb8e37
SSDEEP

6144:LuunJk9CBY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVd1MIhFjMaZ4EX0ikpM:LvJksA3bVd1MIXMa2EEL+B

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4504 EXCEL.EXE
4232 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4232 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4504 EXCEL.EXE
4504 EXCEL.EXE

description	pid	process
Token: SeAuditPrivilege	4232	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4232	WINWORD.EXE
4232	WINWORD.EXE
4232	WINWORD.EXE
4232	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4232 wrote to memory of 5048	4232	WINWORD.EXE	splwow64.exe
PID 4232 wrote to memory of 5048	4232	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\GMB.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4504

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:5048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:4336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
471B

MD5
a1a53e7410f66746bd7b56059b19785b

SHA1
e82448e7de64927eca645069d22487b28c91dbb4

SHA256
cdd89f8e5fe1a3cad590b1bbef7bbd1016ae04ec12efabc3a6439463767c1484

SHA512
f7c7e0b79f726acecdec19c4e3c55dbd0b2a11b92bcaaba76f78b1d599cd01d9300c4bbfd06538ac9dfe6cc08cd92622d87fb9c41ec8f8b262c9117886983fe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
412B

MD5
e4133baeac779eab211b9d1e0b6bc7b8

SHA1
e82126ba1de18919b118182337ea4e12b57c5573

SHA256
12129d866b6591433382f0c27481ed67a013af4d5af980d5602c482aba908743

SHA512
09f63224d6c50389833f01e29f0c21f038ff250f4e65fbd718dfabef955f6b3bf9778078bbc1f9228a96294dcdc5c06478826cbb1a31a6cecfdf1dc7100a2f7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\57029EEA-9F80-458C-B3DE-D11481CDAA35
Filesize
160KB

MD5
a17021b68c7af0f1743690fbb0cf6cd4

SHA1
1331d05593b2bec61e2b27093fa4a9e6bc897785

SHA256
98bb050c428089b1dbe412f4011dd279e646fc883e637130930b7b8a309526f8

SHA512
fa55c98204acecd70fb848c56c0cc374ebe41e0392bcba60631530c79392edc32588fc29c1970a2a281b74cdf1c81c0f3895e2647947571a91216014ec8c083b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
eb59efa72cef5b2ff456aae543d2d918

SHA1
ba22d461b9a3307973a8e8d83c82e5942bc8b8da

SHA256
0cfb5311b4647ad7e360820d9ac8865e8cf869f70f0a0fef55500a3c8df81fdb

SHA512
32661252cb3caa508c996e2c6f8164092b43733ab99619ea62a08d98ea9f031c95aabf14fe2ce9bb951ad0c4921e508a0965e1506fb2a20a38d7f94ae3bc07e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
d72410c8f14d66b3e78cd03c3b978159

SHA1
16a651ac4f90c98f291c0ca107afb9ad7a65d949

SHA256
d79c2aee484f619e491f630526f6a1ecfb55d2ae912ea023b75de3a07fc7e967

SHA512
0b3ae5c8406c104173c251b49a35b29c0ea5043c3ac7d48a716d35c8e2145ac8b89a1a279895e62608669484c8ad4496e240eeaf69e8855274b34ece680abde2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\wetrytosexwithhertrulyfromtheheartbecausesheisverybeautigfulgirlwholikesxwthmefromtheheart___toundersadhowmuchiwantherforexsheisvey[1].doc
Filesize
71KB

MD5
28f01b474be6aeb345aaca18388a3ad6

SHA1
ca62d1a84fc88a61ab5ec5162219f847ffd4ab70

SHA256
2562b562a8f29256cf16403c893b482838edee61e631639c39a705237046d225

SHA512
6e6fb47442a111643e57167b0e181aa6299362f0d3aaefb79fe5d75338af18798229f178af9a2c25ae50ffae18c6d5eef92770a76f5e4848dc5188bbfccff2e5

Download Submit
memory/4232-46-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-122-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/4232-129-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-130-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-128-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-127-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-125-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/4232-126-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-124-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/4232-123-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/4232-75-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-55-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-54-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-53-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-52-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-51-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-42-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-44-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-49-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4232-47-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-71-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-18-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-0-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/4504-19-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-16-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-17-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-6-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-7-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/4504-4-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-3-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/4504-2-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/4504-1-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/4504-20-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-21-0x00007FF964470000-0x00007FF964480000-memory.dmp

Filesize
64KB

Download
memory/4504-5-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-15-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-14-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-13-0x00007FF964470000-0x00007FF964480000-memory.dmp

Filesize
64KB

Download
memory/4504-12-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-11-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-10-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-9-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-8-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-138-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4504-139-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads