121b5365768697cce30074b9097cccecced51feb5f991d89574cb8f0626c4804

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Credit confirmation.xls
Size

457KB
MD5

03b89a4337a09bc5d200b16ef43c8ec6
SHA1

e8154021f60ce06b321259df461e9bbfa468f345
SHA256

121b5365768697cce30074b9097cccecced51feb5f991d89574cb8f0626c4804
SHA512

337a96b68af23dbb07a0a22b82733f07a2b024ef4250326ed043528ea4b4ede82d9e1d873943487d73c185e5d47d6540a920682cfbbe8bd0c5ce7106b55e0b2d
SSDEEP

6144:ZZ+RwPONXoRjDhIcp0fDlavx+W26nAamxDun9zvCp4sJgXDHBMixiMK6G+ZFrTe2:kxu9bCfgXjpozwjTyYviDGnlQBs9zek

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4740	EXCEL.EXE
3172	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3172	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4740	EXCEL.EXE
4740	EXCEL.EXE
4740	EXCEL.EXE
4740	EXCEL.EXE
4740	EXCEL.EXE
4740	EXCEL.EXE
4740	EXCEL.EXE
4740	EXCEL.EXE
4740	EXCEL.EXE
4740	EXCEL.EXE
4740	EXCEL.EXE
4740	EXCEL.EXE
3172	WINWORD.EXE
3172	WINWORD.EXE
3172	WINWORD.EXE
3172	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 1088	3172	WINWORD.EXE	94
PID 3172 wrote to memory of 1088	3172	WINWORD.EXE	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Credit confirmation.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4740

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
fca8af0dc8436b9952fdf961f8c7f401

SHA1
ac194f887a84a4538985ece94daf59cea48fe65b

SHA256
477645c7b83bbde8bdcf6d066f0de596d5b02fd47c223f89dde7d86903338cf9

SHA512
ba0d8f654216d9530bec83aa011a3433cea27873be327ac60eb1244997995489db76e25077dead09fcd43009b05deda51fd37b30a33fff01c94ba3927e1c21d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
e3a155d1094a3474cbb652f673ded47d

SHA1
7feb2dec2e720aa9afcb9e1a94f51752748f4fc5

SHA256
f94aa625c9914e002267ac4398282b6aba530acd05ca44b8c93da7b4ed3bb49d

SHA512
021144934b328ad4edb4ba7ded3caaff6f491371c3d4eb1ceb0297a506e9dc9833b1db26b008ce3dcae90a9f8c78aedbed2f921b84dfa4e4ae77551c819a5034

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f22c4d8269f5c82c08f15dbbbb9cc83b

SHA1
5b7498d18e6c315ba28267734abd6bb0210680bf

SHA256
4847ec473217322902c54930768ccd69e98dc586dfb2e495466b908ec9dba937

SHA512
a33f80054b735608af1debb7987f5ad74a3b62343337da98c644d8c33d03d44350d87f9644883b5b02b3220c5ba18afddf008b955663581f569224b222049b8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
c2580d451625c8c10f0cb221c3cc8846

SHA1
3305c0c36bbfdc067727c20d05ed2e03a807281c

SHA256
06a730707074fb60d23197045f367df340fec9b99f2ea447fc020ad90b82d3bb

SHA512
38f25822100f40824d1feaf9dad6ca310ad062fc45beef0793da4f27b651d11571f848c0580163433d529b6dc223bbb93bd493e7f90d8e4f9af7cc9693734602

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
ae55bdddeb2ffcbc5dbf26d4777262db

SHA1
81f06d7b08aee5ff71b59f45af640c779674ff34

SHA256
ec9f8ca805e0fee9e7c67e15da740235886173a2d83476c648e48308a1663c23

SHA512
4f849865dd5d92b7408a663064a0f62492ad85c6723c63628f4c4cd891a4a2ca0629f5fca2d880352db4ac68b691d5cd02fdb8f235c4827dbcd350c9847cadc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A74E9D28-683B-4FA1-BB36-83D62618C9DE

Filesize
160KB

MD5
2d93824a30b3f780e2c8f7cc9f07b8ec

SHA1
83a9d90e1184dc3dcb33c8967abc3eb45f99e8bb

SHA256
5dfe0af66dcd3cf8df4b0cac92756d3cb49f1dc85a5cf6d38a756534c97f9691

SHA512
a5610c7b0bbfc766f1297c828c43d49ea9d7b02e9078e4b8fb50b7b03821d88229b92027534abcb5d056c94fb6a4b0b708f73bc5e0db0c2ced4fbd848623662d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
55e1ce7dd1436fb88ee4fc65ec55ed63

SHA1
3a93d597d42962e7470e4d2a567575cb2fbf2fe1

SHA256
6971b953e65d3b49ae096d90430c52d2ff4bd16d3d30ec5d96350c0264d9fe4d

SHA512
40b3a31b828b1c01ab40ebc5d1325742acbd45aab76f71c6edbfd5d55d7d8adc1b428840796bdfac794ee04784e12e1891f13be06356c76e631ce5544b3a314a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
4f86c731fa07613f28ba179de4573773

SHA1
a70e0c6ad505364705b1ed496d91419a71bb5e85

SHA256
4753485653b8a087673a321aad33e7dd0b910dcae4363b7f710699b70cad2bce

SHA512
79dbc81d98c7bf00672484365dce3f53b34c588d368c3d8946772d30ebec41414f36456e2d1a0937fb2971ec0c8768d7a88da83529489406f3a0d2b55e613826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
6d4a75d2e87e2f1cb324a685391c9c94

SHA1
04a01281a1d49775b12d19c75548ae910bfa63ff

SHA256
37d268b50713b85b0e47fc13f98f647201e4c679312882abace8e3e68cb10441

SHA512
c73497d0335038e2922e78f355b1a6879e7131af3755d90cb3d56e351fa744bcbdfdc566dace93b5c667ed8847f6edc37d463868f4481772d465bef4def32ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TF1TYUIH\beautifulgirlreturntotheearthwithbeautifulthingstounderstandhowmuchshelovedmealwaysheismy___mygirlfriendmyheart[1].doc

Filesize
71KB

MD5
c8cf329159df0a375269f965aa181019

SHA1
c3f91d8cbac1083694922a9cf74c3cca27572372

SHA256
55b4b2b98e0d66e97dd11c53fc65cd29ad0ba3c0cca5582a57720855471e771a

SHA512
17aa78dacb7fe249b96685b3b277f41880e401e8e667edfed47db42e0cdf62f5f15baa5866c1bef7f9dfef2a532619e5db3eff0496dee6f556da98eadd796f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9CBF.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
229B

MD5
265d91e2416dbe7c7caf928b74b62edc

SHA1
5d4a93ee1ccf5e8cc2069cfa39c90664daf45f6b

SHA256
3bd8d80fe8bd286553381d4d6d21798a207fce61fee1130d4cb1eb5c8268b2b0

SHA512
60e1bfdacba1ccbdee85f42ec98f769e24cf1625f83c428198089dc949fec33e68853d1f630fbea268788aa5695484112f9e7c0d1494637675f6d537a3cdf607

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
291a70253e0ab955a5669914ac9c612c

SHA1
fb21202acb75c715c8cd6b491eabb357505008ae

SHA256
b1232ed213984cb92b8fa8650bed2adcaa5311d5b6c589d81b29d165cda2ab83

SHA512
723069731cf7b4e6a00cc1477fee61a422457bc808c85562d4a116cd118e1f3151f0eeac55c17527e49ecb9acd468de41f11e50136db471d4dfd4524f6a1de0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
32c5566c75ed11a6b736d831e24115b7

SHA1
b938aa6664f9e4a608d230f5fdae5d85f07ffbab

SHA256
061de04200f9db1797b1c34984eb413cc54d1a155f623b98e8387b94416f3f05

SHA512
a931c8a5ed17d5c25672c78cf4cd08980a17dc989542c0f0e35f05ebaaa810d97cb467c18c7dfccd211eccfbd7c405cb7ad4962344fbbcdc1df01fe8df530efb

Download Submit
memory/3172-50-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/3172-53-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/3172-413-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/3172-48-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/3172-49-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/3172-51-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/3172-52-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/3172-54-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-19-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-20-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-0-0x00007FFAB11B0000-0x00007FFAB11C0000-memory.dmp

Filesize
64KB

Download
memory/4740-1-0x00007FFAB11B0000-0x00007FFAB11C0000-memory.dmp

Filesize
64KB

Download
memory/4740-2-0x00007FFAB11B0000-0x00007FFAB11C0000-memory.dmp

Filesize
64KB

Download
memory/4740-6-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-12-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-18-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-13-0x00007FFAAEC70000-0x00007FFAAEC80000-memory.dmp

Filesize
64KB

Download
memory/4740-17-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-23-0x00007FFAAEC70000-0x00007FFAAEC80000-memory.dmp

Filesize
64KB

Download
memory/4740-22-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-21-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-4-0x00007FFAB11B0000-0x00007FFAB11C0000-memory.dmp

Filesize
64KB

Download
memory/4740-16-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-14-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-8-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-9-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-10-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-11-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-7-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-5-0x00007FFAB11B0000-0x00007FFAB11C0000-memory.dmp

Filesize
64KB

Download
memory/4740-106-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download
memory/4740-3-0x00007FFAF11CD000-0x00007FFAF11CE000-memory.dmp

Filesize
4KB

Download
memory/4740-15-0x00007FFAF1130000-0x00007FFAF1325000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads