7ae95a8a8acbb5edb84c2972ac93b61f525c74d9731d2d72af88e53a40faf01e

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new.xls
Size

162KB
MD5

3656be2ecdf6e61566462ef1488090ad
SHA1

09de9cf6875a005f44bed96ed5ef95903b1c79ef
SHA256

7ae95a8a8acbb5edb84c2972ac93b61f525c74d9731d2d72af88e53a40faf01e
SHA512

c7c4fad2497ed78611a557d93460b3069fe53e79fbb7da03e5b7468dc607e2a9fa608a1e380e0ad5e0794094daef4df00114d85a0485a17d9cda0f27535bd9f3
SSDEEP

3072:AXkJAg15J68xcYy/iCkku4+CyX4l9WGodWRtFxNP8l4eXa0H1G:AXunJ1cYy/ElCwW9zodWtF0l4en

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4060 EXCEL.EXE
3676 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 3676 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	3676	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
3676	WINWORD.EXE
3676	WINWORD.EXE
3676	WINWORD.EXE
3676	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3676 wrote to memory of 3588	3676	WINWORD.EXE	splwow64.exe
PID 3676 wrote to memory of 3588	3676	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\new.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4060

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8a19e2f05bb9c727f7fb24ef7e6541e7

SHA1
fc4e212ec0c090fffc2c1b9c70fe5cb6c77592db

SHA256
7eb17f03f49ad906d62f715fe4e81e9341f8e7e900e429bc83d0787340dfa42f

SHA512
82b40631302b2338d74c48aaf0b848435020936eb99a1945a6a5397e123a6107eb5681d458595af641d4078383de41370afc882d94aec89e4c65f51e86c4c0d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
4c33b64c6ceb038818f762a7e07516db

SHA1
4ae2c6b62c074fd75395f53ce58993f0c4ae7a5f

SHA256
ae4e33c14460f69d9d39cf14ad4f3432a6c2f8ead8dcf0937f3b740fbc3fb1b2

SHA512
2028c609a5c81e91b5a5cbbfda2600790fc8a81a41cfbb63dda3db6ca49a4aad50d92e776eb13fad373231aacfe30d7112ce04f3d09d9dcd99d8eaf4896d1442

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
75a4f2d94e10977a688e0a99cb474661

SHA1
af4182d534ec443cdad19b69ea421ad5c1aff1a1

SHA256
c3ad587b86b4b284ae0f7e16a599511f6cf7ec321cc17fd3a97ad4912c9887b3

SHA512
73cc18f3fb8f7028ed9140284a4c7277592ed3ae6893312a9550e7b8b5083e2310d252a442ca93f8bee1521990299bb056196644088eee4bcbfe82df509cde55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DCA20228-7853-4388-927A-C5DE3AA3B0AD
Filesize
160KB

MD5
774fea600a7f9aa4dfe1119ee41c54a3

SHA1
c7cf2ce89c8ed271c8c996182c5546f2c2750837

SHA256
da39378b814b5beb9931c8ddc62f2296be40440e3f1baa8ca7fbfc460c5cb9d7

SHA512
23887008ed5dddd21e0ed115974507c6c3fb6b4cd85f557c37c20ebedc84b39c11113079dc8e1ee09e5b427d5f6606ca276dbfbacbf9faa235fc8f55b90b1ae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
0a360b0454c5559fac202686f082799e

SHA1
bd7f567b565138753d6f8a575a62837db07bad9e

SHA256
95ede811a3750370eba1960c4e6a665efb1e0bdc5d20ab5bc9f35502e80a0fcd

SHA512
1cadaa61c8f7888e9d7901f809ef46461de5101d461617823b02786ba21672dceb11f901e86fde6a8dae04f662166bf49185f797d9682560f389452d99304b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
039f766bd5f55ad50fcf58a646ca3b95

SHA1
b1fadc99f1bf613cbfc440388775ff608ddd3989

SHA256
deb98d5535f4b71eb542e276269ed38151e8a7cb18be99fdad9d3ce134828e32

SHA512
09a31018b8fec1ada5e0ccd0899b5c8d7be99d3d86917cf719fb4516f7b8a2ab8d2d56495c843461be91ee510f0438c7967e7bcec7a5fb3ba8ed71d53c4360e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
f735b12374d5a8f39b19b58b27d4ce85

SHA1
89a6572806bd3acd94028a1ef6d52fbb6c7ecf2b

SHA256
3dc22f168f8ba933d2fac7c816d9c22a0beb86f8092780785c9179709db88d2b

SHA512
d7aae610f51886e12d4057c97a5d7a281d1c4dc649d1233b4c79af344955dbdc1d72f14ec4ee8cbdea1406f67ed15331c014c7a7d90aad4f0d22b1f7b59a5e07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6O2ZN5Q\needfreshlovequotestotakeyouininterestedkisserloverwhohavesuchamemorytoloveherkisshertrulyfor__sheisbeautifulgirl[1].doc
Filesize
65KB

MD5
c7d0967e4b8c8a0a1309e97d549b828d

SHA1
61cd7eb2ee3b0e0664b5efd753a342c5a2ceb7fd

SHA256
3d9744bfdd9d8e6dc31dd3f8b6485a0acb76d96dc0dd121248e29a3d975b600f

SHA512
82eedbf550f28b70a3c6b59c3bdaa7f7d70e6d52acb361a98512e10db230cd16b507b72545210daba2843c8105b921c02cd9919be8534529884b62233684e1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD7A09.tmp\sist02.xsl
Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
230B

MD5
33298c71f174064ede2380615786154e

SHA1
de5ac6b2b0b6bf748076492bbd21cb6322d3e8c2

SHA256
b65f0d80131a41005571e2f3ad7eb36e25ee182efbee1b40a4a9fb5d05614045

SHA512
fc3214db1cbec361d11e8d0f551587465e9e072e314cad1cec521f2ec94c84f97e83d696953989075398bacae7830fc5b0ba88d332eafef6b41a0eeb4225d539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
b1cb7055538bec8d591a886526b2b4b1

SHA1
2c3ad64e86648a40959707f9561e2b5d639bbcc2

SHA256
194e8513ea81ded128b4cf2a042ec346d0a7cf535c52a468dc6e7d77ca27af4d

SHA512
d8b40308813248cddaf84feb151aa033d3121dfec3b7b7edf92f1960b11d546d98475eb67af1f932c0ad87aa05c2691bf932f7949b722a60e9ab52707282ba79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
34a8bf869faf9797842575638a7e3b47

SHA1
89e57689b21e2a030d3c34ff0d83d004c5fb7777

SHA256
2672f9d7499476a4429fdab046d9fb6f711ac50e348bac745aa96b801aae34ce

SHA512
a8abeac988b41a75d2bb8a9b79cd6c7e4036ddda80f6ba829d19145c51e81077cba5b12439b92e8aa2c24cc76a926712ffe5131b7303494e64a305da9170c228

Download Submit
memory/3676-60-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-54-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-582-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-61-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-59-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-57-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-55-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-41-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-42-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-44-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-46-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-47-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-48-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-50-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-51-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/3676-53-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-10-0x00007FF7D3FD0000-0x00007FF7D3FE0000-memory.dmp

Filesize
64KB

Download
memory/4060-8-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-18-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-14-0x00007FF7D3FD0000-0x00007FF7D3FE0000-memory.dmp

Filesize
64KB

Download
memory/4060-13-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-17-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-0-0x00007FF7D68D0000-0x00007FF7D68E0000-memory.dmp

Filesize
64KB

Download
memory/4060-16-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-12-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-11-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-9-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-19-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-7-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-6-0x00007FF7D68D0000-0x00007FF7D68E0000-memory.dmp

Filesize
64KB

Download
memory/4060-5-0x00007FF7D68D0000-0x00007FF7D68E0000-memory.dmp

Filesize
64KB

Download
memory/4060-4-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-3-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-2-0x00007FF7D68D0000-0x00007FF7D68E0000-memory.dmp

Filesize
64KB

Download
memory/4060-1-0x00007FF7D68D0000-0x00007FF7D68E0000-memory.dmp

Filesize
64KB

Download
memory/4060-581-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download
memory/4060-15-0x00007FF816850000-0x00007FF816A45000-memory.dmp

Filesize
2.0MB

Download