8264a089a3600c557bbdc8e0a3e35dbb8b8fae37e4f430faf795bb3a4115ca02

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8264a089a3600c557bbdc8e0a3e35dbb8b8fae37e4f430faf795bb3a4115ca02.xls
Size

317KB
MD5

d8e148605f430bdfc7a4ce2635a1b886
SHA1

f678da501df28713fbecc6c54be2681169acffbd
SHA256

8264a089a3600c557bbdc8e0a3e35dbb8b8fae37e4f430faf795bb3a4115ca02
SHA512

e42e343b9d4330b778e2615314cd6a752040dfab2f190b1cbd84f8881c9faebc756a5d66cd9bb98249130b5147f0b22e3e06e8a29b17f648fa76e21f8e0ef4fe
SSDEEP

6144:6WunJ/qQY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVwdMIG+e1Lj4c82rIGYW:6HJ/qN3bVwdMIG+e1Ac82W6+

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1032 EXCEL.EXE
2208 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 2208 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	2208	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2208 wrote to memory of 5520	2208	WINWORD.EXE	splwow64.exe
PID 2208 wrote to memory of 5520	2208	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8264a089a3600c557bbdc8e0a3e35dbb8b8fae37e4f430faf795bb3a4115ca02.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:5520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
2KB

MD5
4cc53d0bea619024ccf5c2740365b5b3

SHA1
940f27e9355c9555eeb00bac951a6a305c34fbb1

SHA256
875a2fb7f539814bd7c8c3d6d0776f56b62cbf17e71850ac2a08b44df5b84046

SHA512
7e077a858b4224a171aeacabaeb5108c9ed71fda82a3ae9056338c293af9c449634c40ec9d341c6f67d159637999996ace7549ec4c60c5eee64c2ac23123aea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
1KB

MD5
b4c83a60a69ba5090fe915f176c59f01

SHA1
a4315ceae6ed19cb5bf726916ee336f19b97d8a9

SHA256
bf9e3ce6701a0de63357cca39d426f32bf03184db74e85291ce3d0bf1d7c1738

SHA512
fb54ffc038c3e872dc32cf7e4e39928cf6e503a9bdffbe9b9f6afdd853137c98925dae002b978205a501df1d2b8c52368e113605ff8fb848681aa033bf433121

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize
471B

MD5
498b8db25f6e15d4aaf1b86ca3762325

SHA1
056fc18ec6a26e9867d2c534482eb0c52da197de

SHA256
44f123b065f2c2e399252dfd2128fb7143dd292daa22bbafc351246b8cbf4602

SHA512
5c32bf507bfe369d164b717bf3786efc9e86785f1556c652b4e9d428b021194395e55aba41df61454bd54614163d79816a52f3b63bb6de0dc001f7d98a866de5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
482B

MD5
0e6348c4c9d93e2ce4e6389e85da156c

SHA1
76947c2a348810adb94b9a93d345db70619d6d8d

SHA256
c4bf01b79c34d8386161496cf58fc899fba8ef2a69d143431072291842ba4b5b

SHA512
cf8444de4cbf95cabecd4e215aceacd7e5ca3bfc8f98ac76b50427288928e2ba7dbef024f8b77ded746f61cdcaa6dad522d748f697772618d8bb99e3ca4d1dd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
486B

MD5
45ddd33872fdcbab8faccd679a839479

SHA1
582bc9be9972391eaae6caa41625e6c199acad6f

SHA256
35fd61377409acc43b55eda2c4c8a43b26a7337e5054eff964b5ae1313586efb

SHA512
a57df39fa929347524299c708b57aea9b5825636031883ff522bcfa22d38e96642006d0cf7e6478e3cfe97fa9ffd916a78eeac899901905113d0f57832064645

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize
412B

MD5
005bbe054467d9c4d883bf47496de4eb

SHA1
185fd99f2f17ca773b79c23b5257055217ccad01

SHA256
48656f9786e27cfcfe8c18cead76242c079c9ee647e3fd330d7532c51a764649

SHA512
20259a36106a3663fc25e5a2078da865294545a991e53be829eda4c84be629a03bc81f71f30a84f4f91b471453406869e17fc480d602dbc8862ac44bbe524f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\03239376-1961-4F7E-80F9-F3100FE1193D
Filesize
160KB

MD5
42a159f6103169b32bedc37ae1d1c587

SHA1
38d6d87a914ee85ada8e4751a88493c50767428f

SHA256
11916f8bb47587df17f2ffbd2634ac541b2795582e253d1c9067326be7f1b67e

SHA512
c6ec7be0ac48f0af1b91379bc2aabf3085c57a8215badfa21489a5301f0a2a9ffe9436bc6c83020e2ce9b02677a41764d66725ed46a4b6aea6b0a477d5d1b4c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
a1884e23de10407bcf3956a827b225c0

SHA1
843fa5d24c2b877ea61ba6a2eb5dee69c5e2eb74

SHA256
a21add2a955b17aa1f6afa7d784a8251875985f25ddb98c7b34ad3097853c7d9

SHA512
ad24126f3f70c4b363ca5b1f16f36e49e0eff2b654badcc8117aa9f67637bb6e47f29dc2f5cd2831dad8f5534c880c3fd9563d2d1c79b369e5eba42f41accb65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
1b296afe9dc498b04e5d8e1383250549

SHA1
11eee1a49ce0eecd78326929b1e3f613d41deb12

SHA256
6caaeab9d43668f08cb560002120594b4399cd7214f91a32d16a6ee1baea0676

SHA512
55a3ca449343e15509e8d96d2483602b0ec8c640a7e67f2861e19e7c8fc181ef793c8d6ba03cf742e047e9c281297af303f474dc1538d10cfb26462fcc2c1650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
3da39e2a5435b109cd5560c17cbeb630

SHA1
e4b4274749153e2a13f806fbaeece5a4883bddbb

SHA256
3c3b44f104311c3c2f45b370eab12f9a6010919338796e2673ba903ce38cd591

SHA512
0d3f519c8a5090178dc097ab76f376d2b41ae80f8945aee52105aa365ae04ff4a383975f265d295b90952cd4a2ee81cf6ea2092899a4655e9aad2f67d483447c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6O2ZN5Q\wemadeentiemonkeykingprocesstounderstandhowmuchitsgoodforyoubutunluckysheneverundersandnothingbecause___shemisunderstandloverkiss[1].doc
Filesize
39KB

MD5
4986c7f004f15f6d2a6a09206292b1db

SHA1
e861d80f9a7fb383039a34a4adab2a45dc5973e1

SHA256
eb2b566c94331f5769045ee94794c3a287b79e7b9805179ff2b900b8adfc36e8

SHA512
76d51fe3a59179c3ad2e34f0954f90e3733651a5f544dbe3273d3dcf9da4ec6908ad48abe3d8852748764dbd05596b36a74b3fbb43e1e2dcd1f773f27820b56b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
229B

MD5
bf84b4f6ac2091b4208eb9b7476113c4

SHA1
e6650f464ee66d33db605af6d911c660d0ff6c9b

SHA256
c81fe90fdf7106444ea11a6c854a1ecd1e51775a3b6224fbfe4e5e26b794c726

SHA512
4c03203cd16c139f041c07b5b85f057e1aca5cf6293091d0fdb4845f7c7e6617631ad0cad0cec9da1b3f532ed9376c0721b8e93b927442e4d66518f455d9ab05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl
Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
a4a2155e91ef176ca08a1e63ca2def5b

SHA1
e9219e35388f9c101cf913e3d7b5932be7c6264e

SHA256
d44c70fa52b3481e0883242b7cc9dc3660a178273583cf4c9121ab395adf0163

SHA512
68d2297fe4ab58277e863847d25acc79a148f6fe71b7dcefa357f7e2ff9c7d55154ccb4ade347bda213b846cba1f3b6f19ea31c243ee7d9e07d0bcb871f23024

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
771ecd61781fcf30b8f20be3350ccf38

SHA1
a6ed144bd90073d5813a226ebeeec4da27f46690

SHA256
6f9da220905d65b2736ce81b30bb7489df514772fefa2ebaa2dc3ffc5b81cd48

SHA512
03045fa42e5865c524b71d5ce5abc61c15e4692ec87c8fb3d0eff41f1653afb0fd100c694a6c44cf58310c779b9f50fa8deabc140cb2e76eacdd5c0b1b014cf6

Download Submit
memory/1032-12-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/1032-86-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/1032-509-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/1032-2-0x00007FF9BBC90000-0x00007FF9BBCA0000-memory.dmp

Filesize
64KB

Download
memory/1032-1-0x00007FF9BBC90000-0x00007FF9BBCA0000-memory.dmp

Filesize
64KB

Download
memory/1032-4-0x00007FF9BBC90000-0x00007FF9BBCA0000-memory.dmp

Filesize
64KB

Download
memory/1032-87-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/1032-16-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/1032-5-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/1032-3-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/1032-15-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/1032-14-0x00007FF9B9900000-0x00007FF9B9910000-memory.dmp

Filesize
64KB

Download
memory/1032-13-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/1032-11-0x00007FF9B9900000-0x00007FF9B9910000-memory.dmp

Filesize
64KB

Download
memory/1032-0-0x00007FF9BBC90000-0x00007FF9BBCA0000-memory.dmp

Filesize
64KB

Download
memory/1032-10-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/1032-8-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/1032-9-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/1032-7-0x00007FF9BBC90000-0x00007FF9BBCA0000-memory.dmp

Filesize
64KB

Download
memory/1032-6-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/2208-49-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/2208-47-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/2208-45-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/2208-46-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/2208-44-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/2208-43-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/2208-40-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/2208-38-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/2208-580-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/2208-581-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download
memory/2208-582-0x00007FF9FBC10000-0x00007FF9FBE05000-memory.dmp

Filesize
2.0MB

Download