c11fd5e849339af078eb9ff7344b4d45f8d86e45a11285142ecfe28fbd01b243

General

Target

c11fd5e849339af078eb9ff7344b4d45f8d86e45a11285142ecfe28fbd01b243.xls
Size

336KB
MD5

fc69aae977bd3c5a56d4acce831dbac2
SHA1

fb86b1fca4340e6ac163aeb638acd83dff4f52f5
SHA256

c11fd5e849339af078eb9ff7344b4d45f8d86e45a11285142ecfe28fbd01b243
SHA512

ea24470a046528a8649e64658f49a85543820e807437eb0ff79a1e92232641f2b215b46fc7fa2b57f4074ea3b9e3be42463c23ae832dbcaf1319cb91cf5dc4c5
SSDEEP

6144:2EXaFJkKXiDU7wI4wdY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVy4MINAwKY:2AaFiKXKPwk3bVy4MIKwKBZ5QjKss

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

8 EXCEL.EXE
1160 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1160 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

8 EXCEL.EXE
8 EXCEL.EXE

description	pid	process
Token: SeAuditPrivilege	1160	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
8	EXCEL.EXE
1160	WINWORD.EXE
1160	WINWORD.EXE
1160	WINWORD.EXE
1160	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1160 wrote to memory of 1268	1160	WINWORD.EXE	splwow64.exe
PID 1160 wrote to memory of 1268	1160	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c11fd5e849339af078eb9ff7344b4d45f8d86e45a11285142ecfe28fbd01b243.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:8

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
471B

MD5
5c70009a8f512b7f16db7cb17ed53977

SHA1
5299400d1582d8f07976af5278302d845a1cce86

SHA256
8c3e59a728cbd1bb851412cec6671a939bb08bb6c119881b5753b152509a0d1f

SHA512
13c97dd90aebd5f00a3d83bfa05a4863645d5ce5f2f6198acf3ab44ea2653cdcc51b68515cbfc4ff7bc90a9c4bb0424be095f7c9095d507a32d1293be60eba63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
412B

MD5
b9d0d2939872aa4cf15096ebac52e90a

SHA1
402810dd22ff23a56498e0326071005512514b07

SHA256
0ea014b60f8c8afa9824d8a15bd7d0ff3fee62dd3012dad35fe140d26746789d

SHA512
a884d4c20f6b3aab281a54c4b3ba48726ab700876f6d4aa1a400c003314ca0ba228e6bec62a651c94ed6736431655fdbee03077faae0e91eae7ce815a4a826f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5A635EF9-AC03-413E-A0E6-5BD14C5340A2
Filesize
160KB

MD5
4804225bdb39cece39540c960ffcc7c1

SHA1
188b35cea18b18a2dee1668475ecaae2eb2e7387

SHA256
7a8a2a1a6eede6214b61a4c935ce6bba703fdc40761bf88347477aad6dcb772b

SHA512
03adc180b40292c55f04056e089d16d57b56f2a1e85f8ccdb0776f5a306f637b3ee1b4d38e0968b2fbed981746eedcf4877e6ee8a889023efcdd60beabac2a90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
dec9b07f03b4898f56fd2141c8052889

SHA1
e2e3bd8f6552acbbeef02a7884594ee7ebad9951

SHA256
2684c7ffe9b80b075fba343d6b75498613834e9f640e86e3957f30870b9c9772

SHA512
9b2ff57b33ce762f75ecd040179e3edf055bced4a5194fa3fd77f333d7ac22f233d95060183aa1d5dc008437a9a04825c0579af0dd8456996569b8d5132e704a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
0dc06b40fa8b89e95d1bc50b85c8d992

SHA1
7de3ed6367a12471483d5f440c6c773b7e78d637

SHA256
b1c560eab34a88b0e61395d0ee25582cfc6b433a895575f53fd0b06c9c4a08fc

SHA512
f58e3c1ed5a08dd2894eae12b727936f91b958e45d2f278f0a0f51898edbd6cb9baca32fb6127ceec6999613efd905a75bca5dced15e2a813d04645059de8729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\somethingismakingmecrybecauseitriedalotbutpeoplesarenotgoodaroundtolovethisgirlsheisbeautifulforme___shewasbeautifulgirlilikeme[1].doc
Filesize
80KB

MD5
936c418052b1b7ffb4d54f12f368755b

SHA1
020887b31d11545bb26da2f277bcb2e80139f2a4

SHA256
3fc654e7d6b273a61a952744b1dd1d6f40d3468bd8fa98802ba7e5de4a339fbf

SHA512
8e0908e03b53d0a8b31ae3fba62024157afe215b70c45b4fddb5f5a5d0c2550f38d986bf4183e23102ba376484a2de67caf236a99af98b78b321f59e3103d05c

Download Submit
memory/8-9-0x00007FFD54A60000-0x00007FFD54A70000-memory.dmp

Filesize
64KB

Download
memory/8-1-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

Filesize
64KB

Download
memory/8-8-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-10-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-0-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

Filesize
64KB

Download
memory/8-11-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-13-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-12-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-14-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-16-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-17-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-15-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-18-0x00007FFD54A60000-0x00007FFD54A70000-memory.dmp

Filesize
64KB

Download
memory/8-19-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-20-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-117-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-58-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-7-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-2-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

Filesize
64KB

Download
memory/8-4-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-5-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/8-6-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

Filesize
64KB

Download
memory/8-3-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

Filesize
64KB

Download
memory/1160-37-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/1160-38-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/1160-36-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/1160-35-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/1160-63-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/1160-105-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

Filesize
64KB

Download
memory/1160-106-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

Filesize
64KB

Download
memory/1160-108-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

Filesize
64KB

Download
memory/1160-107-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

Filesize
64KB

Download
memory/1160-109-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/1160-34-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads