65fad97c98ab775a18d96e3ddbfd291500d23f856bde32bdab3fb2417560dacc

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gmb.xls
Size

317KB
MD5

37d7ed40a42e26fbc230b8ba27f5e7a7
SHA1

e1bbcb647ab9a9997d5efcc1c9dccb0d6ae44fd2
SHA256

65fad97c98ab775a18d96e3ddbfd291500d23f856bde32bdab3fb2417560dacc
SHA512

3be9673b330b95c7c52d1328f50443821852f8e0471014338b066bbbedef302da7eaa7601d09ef507dd7e9d67ef7d8fd166f4e0c40b0f93942e46328237acfc3
SSDEEP

6144:EVunJE2uY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVYjMIrSdsLks3Azpt6Tf:E4JE2n3bVYjMIrSkkt86KWriT

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3788	1060	MsoSync.exe	90

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2424	EXCEL.EXE
1060	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	1060	WINWORD.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2424	EXCEL.EXE
2424	EXCEL.EXE
2424	EXCEL.EXE
2424	EXCEL.EXE
2424	EXCEL.EXE
2424	EXCEL.EXE
2424	EXCEL.EXE
2424	EXCEL.EXE
2424	EXCEL.EXE
2424	EXCEL.EXE
2424	EXCEL.EXE
2424	EXCEL.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
2424	EXCEL.EXE
2424	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 4484	1060	WINWORD.EXE	92
PID 1060 wrote to memory of 4484	1060	WINWORD.EXE	92
PID 1060 wrote to memory of 3788	1060	WINWORD.EXE	95
PID 1060 wrote to memory of 3788	1060	WINWORD.EXE	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\gmb.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2424

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4484
- C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe
  "C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"
  2⤵
  - Process spawned unexpected child process
  PID:3788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
ad5aefd69c456466e97a0aa256aaaa4f

SHA1
2c4e9fd8897a0c4f78cf3610334cb24a51ec18cd

SHA256
73ae9fec50a02b16ba846791482d056e0e1364f346d9bc2168c6836b4abec210

SHA512
f3be0bc26313215477431b6ed242990195e343608858ddfa398a05e99d033eefaa5f66bd4fb6a4e04ad6453062c87c8e49b92698c2a44f5145844597a9ca5a40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
c32573bbc470ca4b90e0a379f07d77b9

SHA1
4f4ef2bc3367fe4e00bad99e39b09f08477d1a0a

SHA256
cfed93a95891bb1254c125d8573eea655b87ea72a6eddd4e408e12d0d9902d40

SHA512
7e51463d428c11f49e7d7f820efcd27e39607cae5ca1ec7d93227219dbe54afd3a035278cb4518afc283bfea3fcbdd802fbdb6fb0f3efec43abc9f877feb1520

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
5233ca8057ade82b5275bb1020a1945a

SHA1
8d62387bc2ee9652e6f183b9a5096b2269f6f915

SHA256
9919d9f98d1d31258d6dfe1695868e065d6aca48a39b4d35fc0c50809706f3a0

SHA512
e133eb0532deafba13822ee9a0bb9bca3fcf32f97d226b47cfb00000cdc2154a78cc419dc62b517ee616c40ff68a6cecf1c3139f9d0563cc910c902ae5585d71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
76845622a4dd5718568628df849bdd4c

SHA1
d3b839347cea8e6ec775617485e4ec98cde2f5db

SHA256
68fb84d26e28cf8f4c755620b2623897bed88fbe3847d1b71000065ea5638727

SHA512
2b2d3f784e0afc5ad8d6a332be1972dc470ae04318bb29ff04fb257c6fa7faf1b1f5ff01fe8b09353fe7774d06e5b2343fbe9d81bacd56368a690dc892441a49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
11f02e4b4a4a212d040da1b0d95f27af

SHA1
8c039af75bfda3bca61e529003dd15911d5fdb71

SHA256
988196385806809e030d938b5d91ff920178cafbb4c495fc70349e827034fb83

SHA512
7bbab6b846d8d5fc225b0b62ebade76efc4d91a543386fc60736c5f42e2cc7fb4e9e85f6578d7ec798d9ab08aecfb34402debe310ed6de7bdd29eb766b615c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
aac21b4dc64b21d79a9721d58d09354a

SHA1
f735303394129715fd97538cb703b9a8559ad662

SHA256
e9f65a2acda4511791614e7352a489b9050f50fb8a3448380ae610f17f420551

SHA512
122dceb6d0a41bee67c8c743568bccd612fe38c3b28aa1effb39fddb0923649ebe6bea03dbcc40138af0024d7957f6a794c5fca3676d51fd9472fff3a809ea43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BA0E4508.doc

Filesize
68KB

MD5
7a1d6c5ef0b63d38df276c570b23412f

SHA1
7dc88b0d1889f550f008b74fa7e543b1364b4523

SHA256
5272e9bd0cf7a0c6067b5480d1e49bb993ced502cbd430fe65b53ef9dd14c2bd

SHA512
5e25a28d033c0b8bbb3901c5c071529af4b5ddd438df30ab0928654de896884ca9b0a81f4ad462a212c5366627fc5ff3a7d142562d459165960d5f15de2e8ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD281F.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
230B

MD5
0ce6e2d8b22d3709ecd9c5c4dfc4f5bd

SHA1
067e0430a3001d1af8303f3586509f01c8ce3b4f

SHA256
3bc3c6888f23e43ef7580dbdc60173a5542189ccd1c2fb9123ae76f531910b14

SHA512
03fd69667a8888939a9d3e279907133a3f502919c43a1807b44618f6d558ad3f6492046bbb855ce3793f96e002b822df674c8bbd79ce5b604972dcd3c9f10b12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
a6715f2687ddeefc4596a4036bf08eb1

SHA1
7e8450140a8a85e621b2d2f1f494f294dbfeeea1

SHA256
47870ac4fdbf9ced54175d7041d5d61bfd9531e71c2a821a76474016b2fdecaf

SHA512
5626a144e55884715759f819392361cd4bb4581c6571f90e64acd8e7c2b73dbb0599c9ac93f52b745aa9b3e16ce0d4662a04e8a003f1d515cc7d201e29ada127

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
a27e36f6e594f90c57aae06c52289832

SHA1
912c574327943474b00495a2a17d43be863a4ffc

SHA256
bf1dfae7c72baaa36d3c8b6453a86708ca2d4932b8bdd0ea0f87bd7656a4768d

SHA512
f1a0ff661496d8593c7c675909c366a166f0ed58f672f0fa4f0db9b5ba44f86773765769c017dfb849b8ce0478669d6b5fd90fce51bdb9ee5c473b96a38523da

Download Submit
memory/1060-45-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-52-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-588-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-54-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-53-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-51-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-50-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-49-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-46-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-37-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-40-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-38-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-36-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-41-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-42-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-44-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-48-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/1060-43-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-1-0x00007FF925750000-0x00007FF925760000-memory.dmp

Filesize
64KB

Download
memory/2424-4-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-20-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-18-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-0-0x00007FF925750000-0x00007FF925760000-memory.dmp

Filesize
64KB

Download
memory/2424-13-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-16-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-15-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-12-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-10-0x00007FF922F00000-0x00007FF922F10000-memory.dmp

Filesize
64KB

Download
memory/2424-11-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-9-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-19-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-7-0x00007FF925750000-0x00007FF925760000-memory.dmp

Filesize
64KB

Download
memory/2424-17-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-14-0x00007FF922F00000-0x00007FF922F10000-memory.dmp

Filesize
64KB

Download
memory/2424-2-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-110-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-109-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-8-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-6-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/2424-3-0x00007FF925750000-0x00007FF925760000-memory.dmp

Filesize
64KB

Download
memory/2424-5-0x00007FF925750000-0x00007FF925760000-memory.dmp

Filesize
64KB

Download
memory/3788-92-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/3788-86-0x00007FF925750000-0x00007FF925760000-memory.dmp

Filesize
64KB

Download
memory/3788-85-0x00007FF9631D0000-0x00007FF963499000-memory.dmp

Filesize
2.8MB

Download
memory/3788-84-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download
memory/3788-83-0x00007FF9656D0000-0x00007FF9658C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads