Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-04-2024 01:24

Static task: static1

Behavioral task: behavioral1
- Sample: 8264a089a3600c557bbdc8e0a3e35dbb8b8fae37e4f430faf795bb3a4115ca02.xls
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 8264a089a3600c557bbdc8e0a3e35dbb8b8fae37e4f430faf795bb3a4115ca02.xls
- Resource: win10v2004-20240412-en
General
- Target: 8264a089a3600c557bbdc8e0a3e35dbb8b8fae37e4f430faf795bb3a4115ca02.xls
- Size: 317KB
- MD5: d8e148605f430bdfc7a4ce2635a1b886
- SHA1: f678da501df28713fbecc6c54be2681169acffbd
- SHA256: 8264a089a3600c557bbdc8e0a3e35dbb8b8fae37e4f430faf795bb3a4115ca02
- SHA512: e42e343b9d4330b778e2615314cd6a752040dfab2f190b1cbd84f8881c9faebc756a5d66cd9bb98249130b5147f0b22e3e06e8a29b17f648fa76e21f8e0ef4fe
- SSDEEP: 6144:6WunJ/qQY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVwdMIG+e1Lj4c82rIGYW:6HJ/qN3bVwdMIG+e1Ac82W6+
Malware Config

Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE, EXCEL.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  - PID 1032 EXCEL.EXE
  - PID 2208 WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WINWORD.EXE
  - Token: SeAuditPrivilege, PID 2208 WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  - PID 1032 EXCEL.EXE (12 IoCs)
  - PID 2208 WINWORD.EXE (4 IoCs)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WINWORD.EXE
  - PID 2208 wrote to memory of 5520: 2208 WINWORD.EXE, target process splwow64.exe (2 IoCs)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1032)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8264a089a3600c557bbdc8e0a3e35dbb8b8fae37e4f430faf795bb3a4115ca02.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2208)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 5520, child of 2208)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\system32\svchost.exe (PID 3860)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Downloads