Analysis
- Max time kernel: 148s
- Max time network: 134s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240419-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 07-05-2024 07:40
Static task: static1
Behavioral task: behavioral1 (Sample: Order4500318042.xls, Resource: win7-20231129-en)
Behavioral task: behavioral2 (Sample: Order4500318042.xls, Resource: win10v2004-20240419-en)
General
- Target: Order4500318042.xls
- Size: 229KB
- MD5: ef04a12bc8c36b451d4b9da3cd9d36d6
- SHA1: cf13b2aedb7a44209a7d8bbe4694150834fc50e0
- SHA256: c4266d2a1d05270a41a4959ab0143f13655790c4c9fc189088b46302a367567a
- SHA512: cc9901d0ef11be9a8e7d79fd7b5c744637afa376a50990259d303f2c0448f5fd18e8c8691daadc92a8c1203d820eaa86db45ca165f572be01ffd2df37dbb25fa
- SSDEEP: 6144:6d4UcLe0JOqPQZR8MDdATCR3tSv0W83l0MUl73/aLKMml:9UP/qPQZR8MxAm/S8W83lObaLK
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / IoC / process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes (description / IoC / process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WINWORD.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  EXCEL.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (PID / process):
    4720  EXCEL.EXE
    2376  WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / PID / process):
    Token: SeAuditPrivilege  2376  WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes (PID / process):
    4720  EXCEL.EXE    (12 occurrences)
    2376  WINWORD.EXE  (4 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description / PID / process / target process):
    PID 2376 wrote to memory of 3300  2376  WINWORD.EXE  splwow64.exe
    PID 2376 wrote to memory of 3300  2376  WINWORD.EXE  splwow64.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4720)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order4500318042.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2376)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\splwow64.exe (PID 3300)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\system32\svchost.exe (PID 1220)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
  Filesize: 471B
  MD5: 4ec86d57d2e9cf4f5480a4c11bf6118f
  SHA1: e15cbad504c7c59c1159d3072a583e812b6177ec
  SHA256: d1d681af0b64fcd22a8737f06ac66253b9050dcb69a4695216be1632be93568a
  SHA512: 697ddc32840537423f10bcfaadd6251c615d47f1fbecbd4556604fd34b9bbdc3cbd36909c3e5e9efbe2b3bec007aa763705fb02ce4d82e2e8b1c00f8ee6db160
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
  Filesize: 192B
  MD5: 126052b377f8422f1e12481fb87b48ca
  SHA1: 7f73da5696b684a620e6e183817398f7d7d421d0
  SHA256: 2279865653d021b61eba6ced5200206298072ff7f4d4c7d026e5baa4a06cd0ce
  SHA512: fea5bf000cba73c8bd661dfded2f2bbd9505b4a72c673c2bdd6d04382191c89fc4e63b914b1e61644f7798ee4e799624553a62172b08a7bb84d4f31ae85e5837
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
  Filesize: 192B
  MD5: 7bd0e401c05e0c10b6c5ce9374b2a789
  SHA1: 8b6498b01081cfe68fd014e23a44b096050964d8
  SHA256: 8d7d2d8d12a412844f729110e52267f5c5de11b8cc09ae519730421d064f3e8a
  SHA512: 0bb7f666e579125b63541d9c6f346d51090a73406e2b07f6c7daadbb538be1c787ca7151ab1aea14ede0d3d46791b4e83d4a35dab4e29dd6ce6ee6ff3ef04988
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
  Filesize: 412B
  MD5: 22e99242b3a4c061ca647eef07b00554
  SHA1: c4b83579afb9aa0e85da7c1744f874e4531fe59e
  SHA256: 8118be35f82f39efee0c0a426ec5a525565afa270085a27a96320f4418b99686
  SHA512: 5536646c0370b5705393f6e3812454476d3303b67ff3cb493368fb0577cd533aac538ac487714660530d06c0f32a275e9676d12a7002bef417c3a3134421398f
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\888963B1-0CB3-4F8A-A007-579F70DE9014
  Filesize: 160KB
  MD5: d52fa3e5991c8f5d25f61e48a71e38c2
  SHA1: a8292ba3f813764ba0cccb6ea4cf6763c39be5cb
  SHA256: c55abad67e4ab3cbb7c410eb0303998464bb157edcc8f2a5d4cd694850020271
  SHA512: 799cf70d87ac1a2a1d654aba4d4eccd797408f4bc733047eadaa625a8deaca9365c780d494765845f439c4ee6eeb3a1c442ad915bb729483ff86257f80929f0e
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: be48cfcb3428c259afdb89db6bc8196c
  SHA1: c2a81f4a1694e8aa8f3418a1e69e56013d8f829a
  SHA256: 2c8b052488da020c89859c724c74fd7bd56035d696618e3805e509ebdcc2edf4
  SHA512: 616fd661a8175c9f89bf2a0fbfbe2c4181629712d7d0bb13f5406de1c3bc6129bb52055958467a6c65dcecf91b4a0dea6a789d6d8895ac5c5d551f195578bf37
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 98dc710d6bb878f057397d1b852b7c9c
  SHA1: 004d0259ac23ed490d77908888ec4b49895fc6a4
  SHA256: ee5ab6ce83bbcfe4deb65362e6501c8e6fba19d9262db0af849a74c6eabd5942
  SHA512: 502858cfec7c854fcb4c17e01d10c5a6aff0faad1d60c13f08673eaf6a3ffb203423c6330ba42dba83dac2922da69ef7c70a967fbda44ef78b7710ee6805f233
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LYH0CKVD\dayisagooddaytoheargoodnewfromthegodwholovegodtrulyfromthehearttheyhearinggoodnews__godisgreatforentier[1].doc
  Filesize: 81KB
  MD5: 1aa76ce00f01882d5cd3d712b8052bc2
  SHA1: b0cb1b9a8ada2812a013469ff5cf736b0f8da933
  SHA256: 9ae7ad0d29ba6a855eec28c8dca1b7b43063677139463dc54640d4232489d029
  SHA512: ac7d9b0319aeab38a8bdea8c6094a4a73266d83ea4ee4974619bdc641197e58f1402089a9ab67a679df9920884214cfd5b69a4dcc9d8c3aa0d62165a67dcbdcb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 5KB
  MD5: 646e0dcc756bdd91bedf3eedf482dfcd
  SHA1: 6c4503e76771816d0175e246ee70cae987cd301f
  SHA256: 8d6a50ebd8670d482f5017fc9da375d9639234fe0aa76986e273aca39fd4a213
  SHA512: 0655d4d67d9eb73b53062e30ebe2bca342929972d0bb35c3c491988f8d72aaac9e7e06e4c7a0c40efc723d752c0d7cf8cf957a5007d62aa0db22c4245f6f5692
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 6cb69df799c19666b89b9b1ba651b6b5
  SHA1: 248637990ae43fba5fbd95c7bd75ab8d955e1466
  SHA256: 8aa28943abcb62328bde6e2656ece7bd0d9ca446e172dd92664ae6d0a27f148e
  SHA512: 22fa84e78798784b0ddb667a2a56e68c2f4b22ad95884f41fe4fe63703d0309ccac0e063731b6923fb8bbd037ac5a0cf3800fe03e7b0d068583f8229820086c2