e6be399576b6bc96254e00a8743115604bf1dff765789d3483d3650575de6129

Analysis

max time kernel
594s
max time network
571s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x (2).xls
Size

323KB
MD5

2be86255d5c58c9d1452c9cf39a6a66d
SHA1

058d72f3e45476408ffaca4ce9f7b39a05ed3405
SHA256

e6be399576b6bc96254e00a8743115604bf1dff765789d3483d3650575de6129
SHA512

7d00f8f3f4d7d287b3731cf7c6631824255066b1aae4adaa641837e258f34be7aa50ea3b42b2b9d4822fb10a9ef3ee0507851c6dedb36ed2fc98cd975c5e9d41
SSDEEP

6144:cuunJ1qZ+RwPONXoRjDhIcp0fDlavx+fgLt0d6oivSbVjHyNI89GQ8PYZMm/wOGP:cvJ1J3bVjyNI89f8P4wTUoIEn

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3752	EXCEL.EXE
2404	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	2404	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3752	EXCEL.EXE
3752	EXCEL.EXE
3752	EXCEL.EXE
3752	EXCEL.EXE
3752	EXCEL.EXE
3752	EXCEL.EXE
3752	EXCEL.EXE
3752	EXCEL.EXE
3752	EXCEL.EXE
3752	EXCEL.EXE
3752	EXCEL.EXE
3752	EXCEL.EXE
2404	WINWORD.EXE
2404	WINWORD.EXE
2404	WINWORD.EXE
2404	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 4916	2404	WINWORD.EXE	96
PID 2404 wrote to memory of 4916	2404	WINWORD.EXE	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\x (2).xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3752

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3D12C79D-0DA4-4C26-811C-C63C0483448B

Filesize
160KB

MD5
2ea2f2627c5d7466bcc288308834548d

SHA1
f1a0d35307b7dd21345dce5bdeb6fa524ba19c23

SHA256
2f8ba23b2d244f9aa2c69109735d6765bccef22f868c0be91da7376d0be62115

SHA512
ee07a3a97e266bd7b68f297c4467a0f554cf000accfbfe417344470ffb60732979d2427ad1c2b1f552244c7b27b3aca2c3a46c91c262914d9ef39c9fd22315bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
b836cf062cdb9ceeb8cf5dbb8d901e76

SHA1
7d6e742741fca658069a0656720181dc3ff813ae

SHA256
bee92eece58b375e53129e0ad6669ee84a68acd9b44b6acc4f7a6cd9b684c3bb

SHA512
4ffc29f9cbee6ed03fcde974df3ad32532d8354a8c1237280fa2041575650cc8dee0add1e20d6a813ebe65a7686e58822df29638d3414124cd92e8ff55c670dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
377a433bf7c5de5000e1ace0367302e7

SHA1
bd528a6ebdc1590349ab02660eef3ebf6dc0878f

SHA256
e2377b21e8311e768a29befeb8f85f6f9651bb645c3b1d6e629c094977c0729b

SHA512
5527ed7ddeb143c1010555852717e294fb96a60efb608d68c1b7e1c3526712f18f40871fc8f98b895135c9255e82089969cd37e8e55e09417c5865f698eaace4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
d41dd7ee33d546bacd833a51ba05bd3b

SHA1
5b78d18725894fcd998cf13d54725f8389e2018a

SHA256
65cf01024c941d6fe84ca248ae0c302b53fd50d35a22868c1c2eb7d81215b376

SHA512
0fd2d34a445da33e7e7fe73f87ed67a96d3dfba91a5bd7225492b08281d3fb243d69caa2ba4d98ae06dcae8ba49f8e5dbb7dd19ba5da5093baf1e2570ec2589c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SFG3KXO7\iwillkissherwithentirethingstodowithouthavinghistalenttokissherwithlotofloveitrulylovedherwithoutinformation___ireallywantotlovehertrulysheismy[1].doc

Filesize
78KB

MD5
ed096dddbfcf9b78a74e3f65f30c0352

SHA1
4e736672d662dce4d9f5ee13324c41caa13b6743

SHA256
f73be5ad393981cda5dcc30559f1a3c034540ffe13d03d6016d1bf3ccf03feb5

SHA512
22c6828e0ce9f193b680e577da2b2a02219aef64ee9e86c39b25a29b61b0079fd68d31ecf7282d29f7bc909804e761dbbe9b53f9c903918c4e3a37ab756b494f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDD6AB.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
229B

MD5
658ff462c010c0fa1eb0e3de8fc9bc3b

SHA1
24ad265f534c486f21b3de44a7b9f9a7ce2d01a7

SHA256
3aa0fbe288067fe4700a1eb15c5932b2bbf5f7b638ef2f404492df2d4bbf4fb6

SHA512
504c04bc5a1f754ca65695442ed741f0d76e0557b765e711bb7d676651f0ea9719b82133de5c13d03c9c66cbba8bc2db1ab7494c7479b3eeea5b15a514163dff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
cb45d942d0ea7b1718a85e2262e3459d

SHA1
6982feebecc1c6df004ba89456e7b62bb3fb2d00

SHA256
2cf976195e1275fafa3b834ce095480f7eaf91253b4c8b4b4c0099929d09ca1c

SHA512
1ad0cdb9d6a386023e09bf1066af54b9f1b8b0185f640e1c23bfbd4ebda0e8bc5a702c66811370a1be280eb840bcfea3de73e3c6e9bb39307db8b4e73acaf65b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
3b172aae9a353b7c46a487064efc8171

SHA1
a9ed7b98cc3438118564b5e36499dbbf1cb3c310

SHA256
b61e151589caa36bdee443e857c5a9ad6e6b71e4065b017972d909510fc16413

SHA512
c1f77d25f93d47319a1f053a8d520bd4c02474893cfcf209e90de7dd6df40afb28469381a5d07e8793ccce352274110ac272680e7c0248f287e763439cbd43ab

Download Submit
memory/2404-54-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-56-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-576-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-575-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-53-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-51-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-50-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-49-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-48-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-47-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-46-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-44-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-43-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-42-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-34-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-36-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-38-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-39-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/2404-41-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-10-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-450-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-20-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-19-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-18-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-17-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-14-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-16-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-15-0x00007FFC129B0000-0x00007FFC129C0000-memory.dmp

Filesize
64KB

Download
memory/3752-13-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-9-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-0-0x00007FFC15310000-0x00007FFC15320000-memory.dmp

Filesize
64KB

Download
memory/3752-21-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-6-0x00007FFC15310000-0x00007FFC15320000-memory.dmp

Filesize
64KB

Download
memory/3752-22-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-7-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-8-0x00007FFC15310000-0x00007FFC15320000-memory.dmp

Filesize
64KB

Download
memory/3752-2-0x00007FFC15310000-0x00007FFC15320000-memory.dmp

Filesize
64KB

Download
memory/3752-4-0x00007FFC15310000-0x00007FFC15320000-memory.dmp

Filesize
64KB

Download
memory/3752-3-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-1-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-5-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-574-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-12-0x00007FFC55290000-0x00007FFC55485000-memory.dmp

Filesize
2.0MB

Download
memory/3752-11-0x00007FFC129B0000-0x00007FFC129C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads