1ccd3e2580b4e0de27bfeae3a92d638230c573704c66a06a0e11018224d176a0

Analysis

max time kernel
148s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ccd3e2580b4e0de27bfeae3a92d638230c573704c66a06a0e11018224d176a0.xls
Size

420KB
MD5

65ae45789b58f1e03a4f8c3f178e6b30
SHA1

4eb87b3825da0d23d7f7091c2976e1e95cc40907
SHA256

1ccd3e2580b4e0de27bfeae3a92d638230c573704c66a06a0e11018224d176a0
SHA512

6d7da073e7280bf84612920a6371b19a1226fa50747587dbfe9fe10ed6bdf514ab8b171605d34a0a090d5f9ee3dbe4ec5e6fa379a73dc4675c8f4e46e359e864
SSDEEP

6144:NZ+RwPONXoRjDhIcp0fDlavx+W26nAHu8uniSHBMixiMK6G+ZFrTUvCp4sJgpQMD:31iQpozwjTqCfgdhd/+Z4uCz2BFmDiP

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2516	EXCEL.EXE
3984	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3984	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
2516	EXCEL.EXE
3984	WINWORD.EXE
3984	WINWORD.EXE
3984	WINWORD.EXE
3984	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 1912	3984	WINWORD.EXE	90
PID 3984 wrote to memory of 1912	3984	WINWORD.EXE	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1ccd3e2580b4e0de27bfeae3a92d638230c573704c66a06a0e11018224d176a0.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
e911d5250fd2c67530801b2c146e56ad

SHA1
c5452baaee6e85d4129c0f35f5d4182fa3b225f8

SHA256
c27edf2fc78bb8ea82d5bca8f2aa9a6ba9a7a62f8e75c9f1af92dec7bfcb229d

SHA512
0eb3e6a4bffe7eca9f3c62e89c71f92b2e4527cd240cfd0743a5abf492e44f7c22128c402c02b34177f34ae83f06fa24cf22fbabab58ecc4fc4935e342f56b1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
746100ab0a1dcd9927c49dfa99f2ceb8

SHA1
0235d8436fb96e3c93a4b126be352106c0652c4d

SHA256
ed6ea5ca103d2465cc4ece749640e6dc04d0301968740747123cbedc619e7696

SHA512
fb96521f750eec9fc18493d095d4d15645d346c0061866368dd5575a23a4a26e95e3a3385add0f7897226b989534dbdad46696579ab84377ab03511a56f438d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
79a17e9a5d9cc73d2f617501b2ab544f

SHA1
9a6437dd68319e9d42592e9a9a2deccec97e0c12

SHA256
1373f769ac2ae17e884a2d224820318b67146ffb22d99d4e5a3dbedf6d8391f1

SHA512
5180a568eb9cc962c599b25e23d31c9c17d65ea239788942fd776f657424bf227517087eb72a7e2674604604ee6a8b4e2c4b299af5c62b4d07156a1df45964d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\37AA3F0D-1B3A-4421-8D8E-E518CF1AE2C1

Filesize
160KB

MD5
62f3afe6303cc356ceb369da4fefa0ec

SHA1
0e0cf390a93ad169567d4658e20d90d41e77f44f

SHA256
01ae6284f05eeb4909898fc124e9b903e6ada8116bd6b181fab1b406431e7265

SHA512
7fdee7a711d9c22e69655e0798eeabb46a32865c8e17bb8565f3303bd4a9c352405ec51a1c9a22a36965594758bf4d9b9c8de21dd599434fd4e58f67c42426fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
5b4427f4c08c523e6315bf170845c636

SHA1
d499ee9708cbea71c9a80f3824c4edc40f9eaec3

SHA256
fb89df226c1f3a70415b90e8f02555296bfbfa740ec65caf9b2dde8e22e7e042

SHA512
21a66587380ce86c4b79594cadeaad774234d0e5b983a7d63dc98c005a6918d2e82e451e3fd22e5fdb1912089430f126bc90a0a8805073d6b40801f22a7488c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
6955d597592f384c06f23758b8913b81

SHA1
185d3e591d08b0a17c140cc83f8e6795de1e692a

SHA256
758ae12bfa3792c019fca1ff323c71397e73398e830486f64b46ca04a12ed391

SHA512
f986328fbbb5b1ab3b0cc6666dbdc014705cb0f8ce6a5cf07d0890690ba2d13ff0292305704b28d873ac849ddba37f86143cfb18d4da0f6801a40e21e3f5e7b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
78b438aca8db0555db01ce1710c040eb

SHA1
fa5c57d045b86c2beb9ae0d87b29717236da74ab

SHA256
ba233af5020fbad0ab067929e66291e2c916ebc7ee2d0d0bef5d62a54d645538

SHA512
dbba7a8222e84d6dfa07f1bed80dedf5b2b8d9c6ad32e919a847d2c2406c8c871d3a9a25cfac565310ddb855de7d2dc6650d4bebadbf8ef919abfb00e364d048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\everythinggoingfineandgreatwithbeautiuflthingstounderstandhowmuchsheisbeautiufleverytimeiwanthatgirltobeonline___reallyamazingbeautiuflgirl[1].doc

Filesize
62KB

MD5
92f0065ee050a8dcd89fc59eddb048c7

SHA1
7cba72ead525aa1bdfd345932c482d75c466c038

SHA256
e68d3b5df02784a45bd0292c8526942e01c2817cb45dbbee9ef76face03e9830

SHA512
9c930fb53ac1e2dc37d680eecc4777a66ce7016279a37afb097c886fac2031ace81065d06073208bb9f23c842661fb063c6fe2275bc9cfb0b5246f228336d20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDAACE.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
229B

MD5
c644ce6bf3c01a51b615227a2d11d69d

SHA1
9c480b8330926e8ea6e0587a6a333674037d98bd

SHA256
63a57c455db25d4e679932522cb15387b8c2cac23d83c13d34cbc4be1e3d1bcb

SHA512
7fbe65e47c896ec7f2b0063ec1b01649c4334814ea6abfba4158e877939a17b795fee3608aaf440fedeef718e6649a719554fc96e0d83bec7d239a7c853e0a37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
79716070347bb0b2ee2762c13f346bdb

SHA1
85232d777cd5072c8d785144cadc873670ae45cc

SHA256
82afb217ee22011869838d41c35665cd83a4851f84d5dd3c7bf4821baaf656b0

SHA512
2dd750624afe8a8d1719b44e41f6742318872c3486f682673e0f4818383b1fe128a2e533bf86d0d49e6faecb9c89f05d2d8ed541b9ed2be012cc73d1b68d87c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
2301408fe53b22fe72bf0eff3228ee3e

SHA1
1b243ee34c65c71dd4732bf539b839980f44a535

SHA256
d0908b70974ff5529c17175fc03dd26b3a482d51740f1afb2e5f6a4df6ea5f16

SHA512
f9d908d4b060158c2060b57244088082049183a49319fb5add98fabca0fd3bb462942a6342039f5be2f4ca4b1c27a53818ebf5fee81232288fd89261dab5e509

Download Submit
memory/2516-11-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/2516-80-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/2516-19-0x00007FFFA3670000-0x00007FFFA3680000-memory.dmp

Filesize
64KB

Download
memory/2516-16-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/2516-15-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/2516-14-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/2516-9-0x00007FFFA3670000-0x00007FFFA3680000-memory.dmp

Filesize
64KB

Download
memory/2516-571-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/2516-282-0x00007FFFE5FED000-0x00007FFFE5FEE000-memory.dmp

Filesize
4KB

Download
memory/2516-1-0x00007FFFE5FED000-0x00007FFFE5FEE000-memory.dmp

Filesize
4KB

Download
memory/2516-3-0x00007FFFA5FD0000-0x00007FFFA5FE0000-memory.dmp

Filesize
64KB

Download
memory/2516-4-0x00007FFFA5FD0000-0x00007FFFA5FE0000-memory.dmp

Filesize
64KB

Download
memory/2516-17-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/2516-13-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/2516-12-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/2516-0-0x00007FFFA5FD0000-0x00007FFFA5FE0000-memory.dmp

Filesize
64KB

Download
memory/2516-10-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/2516-8-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/2516-7-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/2516-6-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/2516-2-0x00007FFFA5FD0000-0x00007FFFA5FE0000-memory.dmp

Filesize
64KB

Download
memory/2516-5-0x00007FFFA5FD0000-0x00007FFFA5FE0000-memory.dmp

Filesize
64KB

Download
memory/2516-18-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/3984-47-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/3984-46-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/3984-45-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/3984-44-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/3984-42-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download
memory/3984-574-0x00007FFFE5F50000-0x00007FFFE6145000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads