5d09b001c18384a9d5e8b31b9c4ee5ed77082e0a9b8783c34b3916b1534d2c21

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

P.O.109961.xls
Size

318KB
MD5

2244bc077c05fd2f5a67fa7ef72559ff
SHA1

a5e42c663a4eaf0468b903ca7aa1f264edba32fc
SHA256

5d09b001c18384a9d5e8b31b9c4ee5ed77082e0a9b8783c34b3916b1534d2c21
SHA512

361d5c5bded8994c672a3a40b0e959cae6c7e9f24a279ba663b968b9f8fc1d0332c2aef3df921d4148c9da0e3101090e012f45b72859f5e609b9efb46c3fbd08
SSDEEP

6144:FuunJRXmY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVM9MI248sD69qlDl5bpI:FvJRX/3bVM9MI5N64lDjihGu

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3748 EXCEL.EXE
1004 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1004 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	1004	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
3748	EXCEL.EXE
3748	EXCEL.EXE
3748	EXCEL.EXE
3748	EXCEL.EXE
3748	EXCEL.EXE
3748	EXCEL.EXE
3748	EXCEL.EXE
3748	EXCEL.EXE
3748	EXCEL.EXE
3748	EXCEL.EXE
3748	EXCEL.EXE
3748	EXCEL.EXE
1004	WINWORD.EXE
1004	WINWORD.EXE
1004	WINWORD.EXE
1004	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1004 wrote to memory of 3772	1004	WINWORD.EXE	splwow64.exe
PID 1004 wrote to memory of 3772	1004	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\P.O.109961.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8a19e2f05bb9c727f7fb24ef7e6541e7

SHA1
fc4e212ec0c090fffc2c1b9c70fe5cb6c77592db

SHA256
7eb17f03f49ad906d62f715fe4e81e9341f8e7e900e429bc83d0787340dfa42f

SHA512
82b40631302b2338d74c48aaf0b848435020936eb99a1945a6a5397e123a6107eb5681d458595af641d4078383de41370afc882d94aec89e4c65f51e86c4c0d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize
471B

MD5
3cabbca97ed1718c22c3c0b309b84520

SHA1
3926669b1cd588fbbcc7fcec88ed90c53bb72414

SHA256
f4e7f905cdb969c21101fdbce0f28c82fcb4c576cc2bf7168767067ecb64e207

SHA512
8e673785c0fd590eb213f105172b82de5f616349bb26060deeb452c769b1fd3a31ff11bf66dffcac82a062f8bd02480e43817373bc4547aa47518a583443af5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
5138bae0b4f3a966989128ba2c0ff172

SHA1
f195d16500e4c8e380cc4bb38f659ee5b78a7b3e

SHA256
ce443741655cca0469af7b3c53185fb790797289772d4acdfc0cc545452fdfcc

SHA512
d56ed91164ab2be3b304317f1bc1421c1d27edd0a63aabfbede916804c972ce8189f85aa09adaf9458c991680dafffd1043450e56ed63c12fd07c788475eab4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
32a376cf7cdb036c789bf067643445a3

SHA1
9fd054dc6dfb5e9b872c0ec816e8342120be2a5e

SHA256
8cd6f7fd645a8e0e9440c3c9301f0799a4e4c877017372818114210a4c9ac074

SHA512
cd14a77da1ebc45ca5610d04864ca81cc38b3e12f9b66445b3123324e6a7fa140b103491841c77bbda8ef12b1b7357ac9b1097e95e55af8746e9a9ab7e2557fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize
420B

MD5
fc6233dc3c10430341782df7aa93115e

SHA1
efa76934e79ce8466d3f33249938969b99146dfc

SHA256
9192f5622e245825ecbb2c3e54c656ff89c4324d6ba7f390c6a27e20cb33bb82

SHA512
27be944643db98a0b5557cd5708ac735e53cfddf3839751cc60212578b139692fdaf722621e0890ca2f39fac428b651b56b29acf210777daf7b41bc84ea305f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\37A83BF6-B2A1-41BB-B1AA-B34F08707A85
Filesize
160KB

MD5
cd2756dda0dd4354aafd93c91f33c4d2

SHA1
f55c6de925376e00661f7f704f4d638c4db7390d

SHA256
0a72cc141b78e8e17078f7ce1a9a67d3b25954aeec2512ee2a5b6ff62e2ab7f0

SHA512
e0ea275c1f37464a23b1b06dbdfb3610853bd68c2b655f7516a90a57a22fc5a9aa2096c0e9978dc02dcd25a44a09aa19a64ad66668463bdc053c302f1bc4687f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
1c94ad23581d38593e2f5f7207b6b059

SHA1
4508f7935ab13c1d1560807b070cf844ce1f0546

SHA256
aba3a18a8eb77e8a21467c8e9f045229b9b7d04075304d017eb08c8a2a6eebdf

SHA512
b6fff32150013ea0e04efc444aab17a3a6f01ffb19f26a1771d44da0cd7f9c7b926b1d9b2ff665ef6102c5455b4c19f49ce6f4615b2ede5970b22309a290a23f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
7e2e3302d2fdf2a578aa6aefde889480

SHA1
9713c852a4a2ad1e1d4a8e4decfe11bf24c42821

SHA256
43062cb5bc387b797832b76e2b02e23379515290e12bb9a6ec9dda03ffe44f03

SHA512
e6f57e577ce382084e4ee43b7c21c0bd5077b2e88a26d3edf77a99b1ec336bb7d325ce99061429b63ab130e497ac0bfeda43ab311f32125fa7790b2554a57a79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
8913bb05dd9a6ced9552590a79605b4e

SHA1
8d69d98f5908a762a2f845bb40ca245dc5c62de7

SHA256
1af9a0fe781b1acfbe605b74868364dfc85c0aaffeb6c66d45050653b2cdea24

SHA512
f1b50e0d61994e78e2d6c6c94aba6de33c54c50232fbb786a1217fdd406aff951bf25cda3091408965c4162644531a96cdbe83dbe37bc115a6091fd66eb19eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z8NKIUZO\wegendideaofloverstogetbackinthelinetounderstandhowmuchilikeyoumorethanallseeher____youmygirlialwayslove[1].doc
Filesize
70KB

MD5
002863a1610420fbdd33527b235ae720

SHA1
0e954b555b08faf3dae04019947ab06f751dddb0

SHA256
92a8482b9e7ca1ad4d86c76cab2ed363fa995cdfa50c919a3714c28c7016020c

SHA512
ea957090b43430f044006f08616a3a4b4fb71817c7abc03b8a0b702a1ffca37e0e62877e46bd6197b82b1460b36691365f49d9f001506b3bb610aa93853e514e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDCA31.tmp\gb.xsl
Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
230B

MD5
78ab89cb60eba2cfae87ddae815c25b1

SHA1
88652c960ee8fe99dde944149a3ecca5d3f030ea

SHA256
bceee994584222d84c0d8b360d79470dcbec1c0f99fe63c5bf0d32d82e54f3b4

SHA512
8a8c7bfd4c78b99727b9bd14dab9db80b7fe5df154ac1909497190ceb6407b8d991508a49f1da4a97204d10ae6e06d6107ef00c5e595189325af2f1072028099

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
95fee2c3f13eabe2a0eb692916a4680b

SHA1
0d51c37fa14c13f3bd1dab0a5041aa3831d799fe

SHA256
80b45d14c84a5a44a5ce1cd9b02175552d1f75c2208579df4761646962f39d35

SHA512
4799cf4c94c5243814cf150cde391da4bad89afcaa8251d245da912ced221cb00364eab6dc946640932e7b4163e163f52c4f90f798de50a9df2bd6cc194dd5d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
9ee26c4a89ad85f6a7b5a4bcca774f93

SHA1
bb70cc9a1850a0d174d97c9870bf4b6aa85ecb7e

SHA256
dbe2b38c1a9d79a547e94b88d9df08acad3884657136f12a64d059f8726d06ba

SHA512
5cfc1ee06b8beef9b2576327137f1724ccb22bafb79b66e2eb574fddeabdcb0c60dba33525d74387559c3229955e009f143e9dec08a0fed92de8e5f4cb70db6c

Download Submit
memory/1004-47-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-57-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-587-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-58-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-55-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-54-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-53-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-41-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-42-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-44-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-46-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-51-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-48-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-49-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/1004-50-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-9-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-585-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-20-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-19-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-16-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-17-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-15-0x00007FF7EEA70000-0x00007FF7EEA80000-memory.dmp

Filesize
64KB

Download
memory/3748-14-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-13-0x00007FF7EEA70000-0x00007FF7EEA80000-memory.dmp

Filesize
64KB

Download
memory/3748-12-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-18-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-21-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-6-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-8-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-0-0x00007FF7F13D0000-0x00007FF7F13E0000-memory.dmp

Filesize
64KB

Download
memory/3748-4-0x00007FF7F13D0000-0x00007FF7F13E0000-memory.dmp

Filesize
64KB

Download
memory/3748-7-0x00007FF7F13D0000-0x00007FF7F13E0000-memory.dmp

Filesize
64KB

Download
memory/3748-5-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-3-0x00007FF7F13D0000-0x00007FF7F13E0000-memory.dmp

Filesize
64KB

Download
memory/3748-2-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-1-0x00007FF7F13D0000-0x00007FF7F13E0000-memory.dmp

Filesize
64KB

Download
memory/3748-10-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-586-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download
memory/3748-11-0x00007FF831350000-0x00007FF831545000-memory.dmp

Filesize
2.0MB

Download