430e4ffa3a8066bebba12c22e2a53810f2b5dc8eeedf8f783a8487016ab4ea22

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New order-Docs0374.xls
Size

317KB
MD5

a8a7919e3cb8e4856be6080fcc0e8ec3
SHA1

1655fdad453dcf6fade55a80de640deb72301266
SHA256

430e4ffa3a8066bebba12c22e2a53810f2b5dc8eeedf8f783a8487016ab4ea22
SHA512

13a1a16bac29f66eb7cd76b29315f2867ec28e284c75c977ef5ff223fcab3fc85f4149c9d27c36cf20aef54c1fea9694a93f1e24a0e56e123cd00bb6f1e123c3
SSDEEP

6144:5uunJtWY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVUbMIXADuNaHUxDHDXZ6/:5vJtP3bVUbMI1JDHTZdpfTo

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

5100 EXCEL.EXE
4652 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4652 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4652	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
5100	EXCEL.EXE
5100	EXCEL.EXE
5100	EXCEL.EXE
5100	EXCEL.EXE
5100	EXCEL.EXE
5100	EXCEL.EXE
5100	EXCEL.EXE
5100	EXCEL.EXE
5100	EXCEL.EXE
5100	EXCEL.EXE
5100	EXCEL.EXE
5100	EXCEL.EXE
4652	WINWORD.EXE
4652	WINWORD.EXE
4652	WINWORD.EXE
4652	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4652 wrote to memory of 2912	4652	WINWORD.EXE	splwow64.exe
PID 4652 wrote to memory of 2912	4652	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\New order-Docs0374.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5100

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
ad5aefd69c456466e97a0aa256aaaa4f

SHA1
2c4e9fd8897a0c4f78cf3610334cb24a51ec18cd

SHA256
73ae9fec50a02b16ba846791482d056e0e1364f346d9bc2168c6836b4abec210

SHA512
f3be0bc26313215477431b6ed242990195e343608858ddfa398a05e99d033eefaa5f66bd4fb6a4e04ad6453062c87c8e49b92698c2a44f5145844597a9ca5a40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
471B

MD5
e0a55759644b5e56522f0260e72ef4ec

SHA1
8c73a03959fc8a9a4cebf7594bf531dd6e398e6c

SHA256
186db6c745f6b1ca9a235d833ff6c9f74f1526f58b6fd14f72759c2e4c7c2d7e

SHA512
c18d3c2015f63cf2fdb0ec6a41e05a51a9192cc312518f7de4fda9a02bb4f3bd010edd1f761b6bf7d94fdfa0c7ecd1f0a3ca90668e88101e8d172874ab9bec8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
8dcf658864cbf4c99b69f51f96d23a1b

SHA1
8669ce809eb02b9e6ff48799379229b72350a403

SHA256
61506efa1db0cc9303837e268e391ac275a5c1fd9d6cd612ce782d820fa4ad6e

SHA512
55bbf682ded4af7ed2d00786592e6ee00d2a8fbcae036f5f0e05bd98b3aba63d8cffc157fa18920e81a91e78902c1baa6a7538a23250eb8a6a862932a68f54b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
5700c89028551182ec1c4eb4e1db24e3

SHA1
36b646b96beb60244969131aee04be3c0d919031

SHA256
27c34247a0d204c8f3d29dcbf8302965ef605a4a7cf845f2e4ec87cf289c8673

SHA512
d74e84c23911851880bc7a8fbb9c3b39c3e5911180cd8a27922ea33b26bbd932074a3d991a99a43468eda8e3299aacf873d6b93cdaf9ae3e7a7baa899e6bc968

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
412B

MD5
02335a44ddbff7f09ce558407a64d2d0

SHA1
fc30bf7e35d6a1dc45e1c1698dbc09f5b1151e02

SHA256
b0b3a2664e4e1189a3ba05201d2b7c39dbab629a68e09e8acf654f859f360018

SHA512
9371b582f7abfb0eb95263b6c0a595495a2d6d58c4acda21ef82c7c36aab760f5909d89462c4d9191bf9d716c6043dc701c3ac4e51d66393521783b24b5d3985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AC67B313-ADC0-4AB6-9111-3CFF605B6118
Filesize
160KB

MD5
04199ad523dcd1afc09f87e0404f72d6

SHA1
9d2f7e47c8648edb3d3713628661b2bad2c569f5

SHA256
2f155df1222d94973cb6e03a4f7443f0e6426e406ada13773a82779c867eee47

SHA512
1a6a4da9c7b0fa80fff70145a0948290a5c97d9e3bd5541575f176564fb0c336ffb7a2066a91395762e9c5edba41607ce578a9986a97663829cddcd29de2dd8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
2124909a55b2f4c2f8f46c4f59d38887

SHA1
b1e9fa516ef6098611c9f23f9410ff6066a53534

SHA256
fc694c69d6fdee8f4a6d95e8654efc621f173d761fb8911a8ecd49de0ad323bf

SHA512
1ba4ca0060c6a156fd99b5e2b342f0bb4389d935b898edae50e879e280c23f33928c0ce0454f685ee706a18d900f5c227cfa16652c40de4e08797842ede01010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
d4a223cfe1d28059a990a016eaa70037

SHA1
a3d0f3817d307299ff395800f6aa4aaf64f6cfd1

SHA256
53453b759a08cab6d9e945ec891f9b7a07fdf42a2ac885685934d9a22c740b74

SHA512
d8e478e68634a88fd244c18892a1f53e01e78e30ee9509e6dc23d952067ec0cd7e0c3bbec2384f2a724d42363d97e7b969a073a4fe021e5c4ca4acb4fa68cbfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
12b5033858f9bcff8d9a725f10c346b6

SHA1
05b904f170aaf4ea942d675edf42a3177d4b177b

SHA256
dc0461d1c5b5320798f16584663af742d49e4fcc7136c641519cc93f81030dcf

SHA512
a507afdf544b20fc235c084442ea8a02508f3a3e8ee20bac1db8f0df831a63856539eec5406e270050dce8f8ec21a32059ebde53597055960ec96d6d512d61f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3A2IAT6Y\mydeargirlgetitbackwithentireprocesstogetmygirllovedsomeonetokissherlipswithlotoflove___shemygirlicanunderstandu[1].doc
Filesize
75KB

MD5
51a827ac1c0d46e97012b962ac8f6a69

SHA1
cd7fb58b65aa01f943cacbbf2980f731f7b48b99

SHA256
badb9e95bf360c6c0232afb593e62a4fd1930ec567b20385962b68cee4a5cab0

SHA512
b2ce7057fcf14dc47dd027662a883a22e76f7711e1e9bba61377e4b493d7c17667144f795e8f4f219ed6b0f03bff3d622beea9f5d251652d1bf4d9bd2bdec5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD7307.tmp\sist02.xsl
Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
230B

MD5
19b39b3804a9160331cbb1396febacf3

SHA1
a1479701f2958a13bc88682d30c674c07ecf1651

SHA256
5a2f75699f06aa5549f23f8a35b1a0c2f2c875bdf7feeaf0f9508c6e0af83579

SHA512
3ddaf4283517e823acc4fa21505373c14861f934d585efea97acde588c4b912946355fb7f41a8db955940e22761cc7a44a346e0f4f919106dfe3a7320bc518a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
18ba8aeb4b746867e12d9b08785634a8

SHA1
c7a2830edac911403be1a6366142aad7076fc9ff

SHA256
ce950ef7f8af94e9775787398a973ebd9730d5b278d89030b0db8e146e75e67e

SHA512
c6e482b76338e697f2a06ed7493c66225d22e3a3a2b4475939e0112e68fc8e91983153b477af37804f051e9ec84c6f581eea441021940cb9c6f21b135129a5ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
e2d4e5825d36fbb90c36adb369ebde19

SHA1
5f97ad1629cbb0746badeb003e194517d74d9bd0

SHA256
db356861f07a058564ea7c92c349c8df9bd486c915408807530ca785f4333545

SHA512
2baf1390bd94ddd62ebc809c2448783735ce6afd5368f6dbfbe6a9c8db3e9f7be2dec9fd1c80e5b9a2b6c487bd530393689d40dd83a937b38b64df935b59ff74

Download Submit
memory/4652-43-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/4652-40-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/4652-41-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/4652-574-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/4652-39-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/4652-37-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/4652-35-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/4652-33-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/4652-573-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/5100-9-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/5100-4-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/5100-10-0x00007FF7E4F10000-0x00007FF7E4F20000-memory.dmp

Filesize
64KB

Download
memory/5100-7-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/5100-5-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download
memory/5100-6-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/5100-3-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download
memory/5100-8-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download
memory/5100-1-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/5100-292-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/5100-2-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download
memory/5100-491-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/5100-11-0x00007FF7E4F10000-0x00007FF7E4F20000-memory.dmp

Filesize
64KB

Download
memory/5100-0-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download