Analysis
max time kernel: 142s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 07:40
Static task: static1
Behavioral task: behavioral1
  Sample: Order4500318042.xls
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Order4500318042.xls
  Resource: win10v2004-20240226-en
General
Target: Order4500318042.xls
Size: 229KB
MD5: ef04a12bc8c36b451d4b9da3cd9d36d6
SHA1: cf13b2aedb7a44209a7d8bbe4694150834fc50e0
SHA256: c4266d2a1d05270a41a4959ab0143f13655790c4c9fc189088b46302a367567a
SHA512: cc9901d0ef11be9a8e7d79fd7b5c744637afa376a50990259d303f2c0448f5fd18e8c8691daadc92a8c1203d820eaa86db45ca165f572be01ffd2df37dbb25fa
SSDEEP: 6144:6d4UcLe0JOqPQZR8MDdATCR3tSv0W83l0MUl73/aLKMml:9UP/qPQZR8MxAm/S8W83lObaLK
Malware Config

Signatures

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information (here the ~MHz and ProcessorNameString values) is often read to fingerprint the host and detect sandbox or virtual-machine environments.
Processes: EXCEL.EXE, WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
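The two registry signatures above are raw rows of the form "<action> <registry key> <process image>". The following Python script is an added example (it is not part of the sandbox report and is not the sandbox's own signature engine): it parses rows in that layout, normalises the mixed-case key paths the report shows, and tallies per process how many reads touch the processor and BIOS keys the two signatures describe. The sample rows are the twelve from this report plus one constructed, unrelated ProductName row to show filtering; the key-prefix list is an assumption limited to what this report lists, not a complete catalogue of host-fingerprinting keys.

```python
"""Tally host-fingerprinting registry reads per process from sandbox IoC rows.

Added example, not part of the sandbox report. Input rows are assumed to use
the report's own layout: "<action> <registry key> <process image>".
"""
from collections import defaultdict

# Prefixes of the keys that the report's two signatures describe. Registry paths
# are case-insensitive and the report mixes "HARDWARE\DESCRIPTION" with
# "Hardware\Description", so matching is done on upper-cased strings.
# Assumption: this list covers only what the report shows; it is not complete.
FINGERPRINT_KEYS = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR": "processor info (anti-sandbox)",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS": "system/BIOS info (discovery)",
}

ACTIONS = ("Key value queried", "Key opened")

# Constructed sample: the twelve rows from the report's two signatures, plus one
# unrelated row (ProductName) added here to show that it is ignored.
SAMPLE_EVENTS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE",
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE",
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE",
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE",
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName EXCEL.EXE",
]


def parse_event(line):
    """Split one row into (action, key, process); return None for rows that do not fit.

    The process image is the last whitespace-separated token, so key paths that
    themselves contain spaces (e.g. "Windows NT") are handled correctly.
    """
    line = line.strip()
    for action in ACTIONS:
        if line.startswith(action + " "):
            key, _, process = line[len(action) + 1:].rpartition(" ")
            if key and process:
                return action, key, process
    return None


def classify_key(key):
    """Return the fingerprinting category for a key, or None if it is not of interest."""
    upper = key.upper()
    for prefix, label in FINGERPRINT_KEYS.items():
        if upper.startswith(prefix):
            return label
    return None


def summarize(lines):
    """Return {process: {category: hit count}} over the rows that match a known key."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        _action, key, process = parsed
        label = classify_key(key)
        if label is not None:
            hits[process][label] += 1
    return {proc: dict(cats) for proc, cats in hits.items()}


if __name__ == "__main__":
    for proc, cats in sorted(summarize(SAMPLE_EVENTS).items()):
        for label, count in sorted(cats.items()):
            print(f"{proc:12} {count:2} x {label}")
```

One caveat when reading the tally: every hit in this report comes from EXCEL.EXE and WINWORD.EXE themselves, not from a dropped payload, so these two signatures are low-confidence on their own; the WINWORD.EXE launch with -Embedding and the .doc that appears in the download list are the stronger indicators in this run.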
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
  pid | process
  3540 | EXCEL.EXE
  4924 | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WINWORD.EXE
  description | pid | process
  Token: SeAuditPrivilege | 4924 | WINWORD.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: EXCEL.EXE
  pid | process
  3540 | EXCEL.EXE
  3540 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
  pid | process | hits
  3540 | EXCEL.EXE | 12
  4924 | WINWORD.EXE | 4
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
  description | pid | process | target process
  PID 4924 wrote to memory of 4912 | 4924 | WINWORD.EXE | splwow64.exe
  PID 4924 wrote to memory of 4912 | 4924 | WINWORD.EXE | splwow64.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3540)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order4500318042.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4924)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  The -Embedding switch means Word was started through COM activation (for example to render an embedded Word object), which is why it appears as a top-level process rather than as a child of EXCEL.EXE.
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (PID 4912, child of WINWORD.EXE 4924)
      Command line: C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe (PID 4184)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1128)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5348 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A0BE7F14-15B4-4200-91F4-5FCD1CF7A518
  Filesize: 160KB
  MD5: d9197381e71f45ae22feb283fe8f8614
  SHA1: acab585e87c91141f57113bb12679d71ce0176b0
  SHA256: da99f9291f1d625c7746942dfca256b3c953f54dcc8b2e26f8e66d1974df71db
  SHA512: 642ac6f9edd1d2902226cbd8c683aaa4e81d053eab01a2d94eb2103c3fb5915be78798304f57a3fed35fb5722f5aef9948dea78f1dcce8c2714407f91605d95e

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: f638eac0da3ba4894021d791ad020502
  SHA1: 1ac22d1def61d20cffe2150bbeb04fb2a9a4e753
  SHA256: 8e71234689a1012fa1837a41da955bfb05be637b08d77f1727b1ad5ed9bc3ed1
  SHA512: 7c4529d606bf5e5b10c4b68b07114a7651b8bb883537becd6954571a89434936e4362a68b9bb28fd951c350aa299c53b5b8d1b30695316951a0a3242da616cf4

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 4dd5cdbcdc63e32f09b484717eb7423b
  SHA1: ce6257eb685bcf488df7ea80109e7c45bd00b1b4
  SHA256: f9fa6685d341cf55e1af1d97ebf510b835c989d2be30d858b014ef6772f49364
  SHA512: fe3f1a80ea78d581c665644cf8be55a1788c6964351a0363c7351341102b9d380c85e7b7dd5f37c90b3206d8c93ba0bb0df0cc7612787bbe35d9756e9b455ae6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\dayisagooddaytoheargoodnewfromthegodwholovegodtrulyfromthehearttheyhearinggoodnews__godisgreatforentier[1].doc
  Filesize: 81KB
  MD5: 1aa76ce00f01882d5cd3d712b8052bc2
  SHA1: b0cb1b9a8ada2812a013469ff5cf736b0f8da933
  SHA256: 9ae7ad0d29ba6a855eec28c8dca1b7b43063677139463dc54640d4232489d029
  SHA512: ac7d9b0319aeab38a8bdea8c6094a4a73266d83ea4ee4974619bdc641197e58f1402089a9ab67a679df9920884214cfd5b69a4dcc9d8c3aa0d62165a67dcbdcb
  Note: this .doc sits in the WinINet cache (INetCache\IE), which means it was retrieved from a remote location during the run rather than unpacked from the XLS locally; the first three entries are ordinary Office/TokenBroker service-cache files.