fd363c89da6fb751baac4db6bc4d1cc302c88e1efeba1bfab397a627d4c1eead

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OFFER DETAIL 75645.xls
Size

319KB
MD5

1dc1fa973594e14e2b517f281400941f
SHA1

1565eb8c6dc5248ecd19cfe4ff1cb6c33541ed1e
SHA256

fd363c89da6fb751baac4db6bc4d1cc302c88e1efeba1bfab397a627d4c1eead
SHA512

90e146ad9faa2acc760511fbdeed8c6883bbb274a158349ac995714709d77374789f77454e1bb818477274e0c60eb90684bcad3da3daa46f9d558861cf307669
SSDEEP

6144:xLunJatY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVX2MIMflDClBnPlWjIKw8:xmJaU3bVX2MIuVC7ntWjIKN

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

228 EXCEL.EXE
3812 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 3812 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	3812	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
228	EXCEL.EXE
3812	WINWORD.EXE
3812	WINWORD.EXE
3812	WINWORD.EXE
3812	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3812 wrote to memory of 3488	3812	WINWORD.EXE	splwow64.exe
PID 3812 wrote to memory of 3488	3812	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\OFFER DETAIL 75645.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:228

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4332

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8a19e2f05bb9c727f7fb24ef7e6541e7

SHA1
fc4e212ec0c090fffc2c1b9c70fe5cb6c77592db

SHA256
7eb17f03f49ad906d62f715fe4e81e9341f8e7e900e429bc83d0787340dfa42f

SHA512
82b40631302b2338d74c48aaf0b848435020936eb99a1945a6a5397e123a6107eb5681d458595af641d4078383de41370afc882d94aec89e4c65f51e86c4c0d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
b9725a2ecacee1154e61ac2732076dd8

SHA1
cc4e74cfc56dac5d29b0e9434198163f4bc172c9

SHA256
2061a591a8747168ff8d34a2b0cd6331f5a80740a1f002ea2f98b1c12d0aea87

SHA512
c8a6d53ab1a3c48108829e121431a2d439bdddcf9a314641c61833b4e788835ac91336ba3da37048a4c6953615962b78302fecead8d30cad49eb5484ca23e0de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
3833910477bd2c92d79e39b786e320d4

SHA1
5d5d4d0872294ed6e1ca0bc18b407f0106076037

SHA256
8e2b1d1464ed4dc5e1351a57e248e991af06ef046beb59c8e83306cc81074b90

SHA512
bd88b15f6a9ea642c095917f9b3c44ee9fc09a74c75142a32add6badb9335afed932ef56b013ae75236acc363f4e7cc93828d74e6c703eeae3158016e7960506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F205C6E3-E7E4-4FE8-AA7B-BBCD74773A55
Filesize
160KB

MD5
9afaba5b9b5fea417dc241d77bbaa4a5

SHA1
c13e86fb3c9a41fc2fa1df829e62d21f66cf38b5

SHA256
9a03c5e4ddae6b794011839724dfb914287db64f403e9a619fe391961c9dff6d

SHA512
6592ccd65c2fa035d2a20c731efd3e89753253a0c361e5bb65e820c93e08da9194de878425bd43755373130dfdaca9cf68a40a06d22d2f7b49501ee23466a0c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
164d68348c8758636c49b37a282297d5

SHA1
4b59ffe25304bcb2a2a22397c735a726e29bf8a7

SHA256
248db267a69c98e21aaf237e687b5bb1c8c6d0b91b0dd292d6ae06e1928a66bb

SHA512
fcc5e8528200ee160eef98324038b0f664b8d8508338a4b70e524929cb2da635c040aa3dcbbade1952e2ba096ebed42b769979e19a3a2cf750f0dc4d840325ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
48a6621a90b03675e03fd9a8d42da02e

SHA1
13bc2f689cfc2824a38416ca132d42ef5dc85783

SHA256
ac63ba8f9e221aca5444063abf924d72294d450a7d54b84fbf82ef3df5ea78e0

SHA512
91fb6e3ee18a785ad1276c6ea6adf55437c13a8cdc97a1bc007a09f92515d933e715f001db53d2ef38e46303f3873de66b0fa54dcf57735e3b7f0c329b181b4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
dadf8d28541eb0935e36111e126b1e77

SHA1
d3f3e66cb7afcc2975cec27c0671b7fdbc59f816

SHA256
2ec3ee28ec821ea65497301da782c6693de71f3fbc182506140ee16460539ced

SHA512
1bd3fd0dc118623456729fdcd8e2555560f286ebab7e31c61eca12737fc4526bb5b7f12b593ac2b805daa5abb5b8d620022faa6f862331ad4b3760c053a09120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FBEJHBLX\iamwithyoubecauseiloveyoualotwhichneverbeenforesxyoumysweetheartialwaysloveryoutrulybeaucse___ineverwanttokissyou[1].doc
Filesize
73KB

MD5
96bd8f3d1b8badd184f3b8de29a26ab5

SHA1
5bbf4c72f5d2adc0348ac73cc1f70608dd1d554b

SHA256
74b7cbd3c66d01a6e25ccbe17375138c6a32699c61bf170e18ffecd6ebd55237

SHA512
dd8d1208f1954b24f5d2becfafa0ae27824a449486e946e6500a04c23c671a2ebb633b4c6808881003164aec027bd40801093d2b82e8e70f82408be5a2929847

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDAD95.tmp\iso690.xsl
Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
230B

MD5
3b09edea5d16783576adfdb56cd26a63

SHA1
682336d3558728c43a923ad306082521f1aa48c9

SHA256
db4f3c9b12648f8f583091de8ba5fa920085f192ce5f85c36c0eafae7d7d6860

SHA512
e5b9bb31a5981ba95199a1a653b268c550a73a3a581b770fefc5fad77a59e7cdca5618dc8bc55d574b708266f4c94f6ab89203c8cad370560b749f12688993ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
a42ad4eff79dfb03d1f833ee4c8d45d9

SHA1
4c7e79001b123ff014f34fd884096dbf4e2021a3

SHA256
1bed1dff03950db37aee5b61c8964b65224d7f86a1c09521babeabef887e0fc3

SHA512
9d73614340c23667f831c515e3104ec91088b1ab25b052fe279ff5f814b077c9d688bad839a6265c77fa7d944cec8ed5ead31d9ff61c8b69ca738965cc850fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
fb53846e035763b5e3833154dc90652d

SHA1
8c101edf843abc94deb041c95b5c8dbf808a1fda

SHA256
901c47cc6e74e7669afcc296a0227dc202d2a0d12d16e7b77e5da210d5b41a86

SHA512
9bd8b5cd87b7bea7cf9a3e2631d7d7cc9ab6ebbe9dda2f2411d193fd3ff32574febbe6a355620fbdae89c483aafd36859025adc307c366b2df0854770e6c0582

Download Submit
memory/228-13-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-7-0x00007FFDEE8B0000-0x00007FFDEE8C0000-memory.dmp

Filesize
64KB

Download
memory/228-15-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-16-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-17-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-19-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-20-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-18-0x00007FFDEC040000-0x00007FFDEC050000-memory.dmp

Filesize
64KB

Download
memory/228-21-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-22-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-23-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-580-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-2-0x00007FFDEE8B0000-0x00007FFDEE8C0000-memory.dmp

Filesize
64KB

Download
memory/228-3-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-395-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-1-0x00007FFDEE8B0000-0x00007FFDEE8C0000-memory.dmp

Filesize
64KB

Download
memory/228-5-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-4-0x00007FFDEE8B0000-0x00007FFDEE8C0000-memory.dmp

Filesize
64KB

Download
memory/228-6-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-14-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-8-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-9-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-0-0x00007FFDEE8B0000-0x00007FFDEE8C0000-memory.dmp

Filesize
64KB

Download
memory/228-12-0x00007FFDEC040000-0x00007FFDEC050000-memory.dmp

Filesize
64KB

Download
memory/228-11-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/228-10-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/3812-49-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/3812-53-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/3812-54-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/3812-52-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/3812-51-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/3812-50-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/3812-56-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/3812-47-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/3812-45-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/3812-44-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/3812-41-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/3812-581-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download
memory/3812-582-0x00007FFE2E830000-0x00007FFE2EA25000-memory.dmp

Filesize
2.0MB

Download