114ea93681433aaf40289d58407cb4b570748645aca682ddae3052b6f428b3f7

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order2354.xls
Size

654KB
MD5

0ea2f1e95f1c8a1917bb34a722cf78e8
SHA1

4721806e7503fcb6a630697bc348e53074a22fa2
SHA256

114ea93681433aaf40289d58407cb4b570748645aca682ddae3052b6f428b3f7
SHA512

9a5b836d188bf1bc8f210560492475017f2f23577a708acd82af3f0ada2446690653e4e08c1f0908306aaabd5a53f741f8987ed76bcbc00f4786784c6f5d9de8
SSDEEP

12288:/kTCQ5HK3hrUP/qPQZR8MxAm/S/xQE1A73DbFWgc4zkiVhPkLyH8gq1N:OCQ5HKRrUP/mMxCaE1GFWgJkChkqPK

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3604	EXCEL.EXE
4628	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4628	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3604	EXCEL.EXE
3604	EXCEL.EXE
3604	EXCEL.EXE
3604	EXCEL.EXE
3604	EXCEL.EXE
3604	EXCEL.EXE
3604	EXCEL.EXE
3604	EXCEL.EXE
3604	EXCEL.EXE
3604	EXCEL.EXE
3604	EXCEL.EXE
3604	EXCEL.EXE
4628	WINWORD.EXE
4628	WINWORD.EXE
4628	WINWORD.EXE
4628	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 1844	4628	WINWORD.EXE	92
PID 4628 wrote to memory of 1844	4628	WINWORD.EXE	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order2354.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
e911d5250fd2c67530801b2c146e56ad

SHA1
c5452baaee6e85d4129c0f35f5d4182fa3b225f8

SHA256
c27edf2fc78bb8ea82d5bca8f2aa9a6ba9a7a62f8e75c9f1af92dec7bfcb229d

SHA512
0eb3e6a4bffe7eca9f3c62e89c71f92b2e4527cd240cfd0743a5abf492e44f7c22128c402c02b34177f34ae83f06fa24cf22fbabab58ecc4fc4935e342f56b1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
8a8e0321e01b962638ef3628ae2e7de7

SHA1
c039b26811f149f4d9922a8f0b2e10c3b506f0f9

SHA256
e6e226aa365274c07a4413a06bb3362d46af81cc7cac9928242d622e890ec41e

SHA512
ee6f841c88ddb16bae5087906eab0f0b6081af9604748d378316964b19eb6a32562580298fe4735fd83d7ca7e88a350f580221826eb42574285dbe610c28d1a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
1e616f9b15bc1e7faa4776c5ab312357

SHA1
5eb6eb3526fb8cd448ef447b5db0edd084c75bc6

SHA256
32ed642a6f980684a278577160eda743f88c8fe41df53a14f1f89cc5c29f11f6

SHA512
8afe0eac6feb7e7a406b09f67742ec80be12625d6ff8398c29ba51d5c6bd0d0d094c6d3a25cdbd8b694932cfeaae4f6d8acf3afdb5a4f279ad58a4465d867d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
df047878aabade0d90b949939a2ae3f9

SHA1
058c5b3b0cc05116f03054d416b4f475ab784c8b

SHA256
084cd0a2f8062debb49b4acdba0a03d446aac260851cc60a8fee3b05d123a713

SHA512
b94cf7e0ab9e601a254fb43bbb655b599e08e85f0aebcb6e254dc9fc9c63277d5180a015b699b05d4c64b408f59d90e8a69b2cd0111c6ac06215452891e4aa7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
c5ad48a2f1d3b597290523bd060fdcc5

SHA1
a5ef0ab7239f194d25c1c88a93d0738becb7096e

SHA256
a25f1462b8c45b9c4756f5f5e87e89121b311c740e82ca5769ddb64f44742333

SHA512
0c9edf5fe71b30afb82094b2c332027cd1e2071dfe75bd5f0a55e81b3e3757dbf4b58a27716bd36663f7cf0d26db72501801f5f5bc20f77415d5de3dd9234bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\769DF7CC-3388-498D-A3AF-8E25C8C10D12

Filesize
160KB

MD5
b49e1f4f8628641836279ecd867aceef

SHA1
b85a1b021cd85b0edc3aab8bcee39032a98e1eac

SHA256
1b19954b69d7c2daf774ffd3f170334b21776b236ca8b126ee954e49d464556e

SHA512
bbd7a7f7db162bc1dc5729dbc6decd60cc96c5c05735ed069b76312cf1469d0c4e5dfe93f985a6975df345045ad965d9b410250f957bc24121f7799efcda52d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
8d5ef0a0d4744822f0c16e577131998e

SHA1
77bda1b79176c915fac0850c28980e0b9b3ba3ae

SHA256
e28b2c6d4f490fdfe48abef2d8d05e3082de54f2cca2e9ae339ea699d5809769

SHA512
5b7c2bb89cc6e7f9ad77a783d17de309dcbd133f16525244dc4028eb8c7a4fd7b3a62bd0ac4aaf903d4d718911d917397f4a051662fa960d491ab03baab3102a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
32d001c5c63cdbe6ed36058ee70389ce

SHA1
6b17639bb9ea617f8b74ddfc00293ee1a502b9cf

SHA256
dd4881e00258eb3750f0d83c64ca6e16cd9bbf1ef57eca76c607c7eaa5ccfee4

SHA512
4f03ce0ca7144556cc4227fa80d6fcefa89c7c7b81ff2c416c2fb0f065e10787292dff2abb170e4026c39a52c19c56db5f4a3d49c4a7845e4eb19fc814daa661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
beef05ef38cc265b7f27632b633dafd4

SHA1
6bf28eb47f258ea4cce25ac4b953ab4de96e218e

SHA256
4996713af3de43400f656335cd33cf7ae64034014afe83e06a1f6c5f64fd370a

SHA512
a13b374eae48f5d1919138362dd8207812a3c030dc8f38af05b79b644c1ae1a6264148f7f66613d2d3ad40ade6f4483bad3d1eae68140941e760f9a7af46991f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMPDKH9Q\beautifulroseflowerwanttogetinhandbecauseitsgreatthingshandbeautiuflthingshappenedtogetback___beautiuflflowers[1].doc

Filesize
63KB

MD5
7a7b11bbe3d337c74805c519c22601c0

SHA1
4b680f33a5d1f26934429bb7dff11b8b3f6ea0f8

SHA256
3f6bd3440b27d64b41ff2902d7b35c1105b7dc026e834755a1b44f63b5da965e

SHA512
c637d681ff8f7e00c74291bf38835ada5d4c074d62f9d5a12ceed7b4ec540f21e05dc89469664af08d7a68040e5d0646e1f13669ddec965812ce9eeb78975302

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDAD02.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
229B

MD5
5db91e83608ae891debab17c5f65f6f2

SHA1
d016ab90b358325483f8afe4173071094b858f4c

SHA256
f88360415fd97c4df31fcf259e9264b138fc825d7a4e68e25e1cf3b3b018f8c2

SHA512
6801e217d58c24674bbaddb15f3d1da28f21c19191e16aae2c3a33ef634c8a65c9370d55f1542c8567aafd975fc4f6775a1d39eba49ec104d5d79601ff0330db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
d59b584f7e536cc32daac35e8c113def

SHA1
1b72cfcbbdf0fe896550fd1be65039966f666c7f

SHA256
692a43802cdc411fe042de3bc67ec5e96582d6628f356183f29a48db8413f306

SHA512
4046d1aa4ed531d0733b26cab0f9064b45f3b886a8d5be6eed23bd4b2a21a1ab839ce37794df302ed0a4537792c2f79faf38eeeede7094bfd1c418a0d8ff3def

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
656d977ba9aef81bbf1962fe69fe47ae

SHA1
043e69b1f9551c99aa747f7c5f2e079481deb4ed

SHA256
b4687e9d510262695512bc7542b90ea46d99ce01151cf3120479ffbc41978e19

SHA512
644c415205a10164e4880cdbea660dcd01b361c27f98951885b82bdb49cb08e8c7e6c2f227d87a0956e74012be52bd7a71eb8dd4091d434cd86b973f4956c20a

Download Submit
memory/3604-9-0x00007FF81D780000-0x00007FF81D790000-memory.dmp

Filesize
64KB

Download
memory/3604-0-0x00007FF81FEF0000-0x00007FF81FF00000-memory.dmp

Filesize
64KB

Download
memory/3604-1-0x00007FF85FF0D000-0x00007FF85FF0E000-memory.dmp

Filesize
4KB

Download
memory/3604-3-0x00007FF81FEF0000-0x00007FF81FF00000-memory.dmp

Filesize
64KB

Download
memory/3604-5-0x00007FF81FEF0000-0x00007FF81FF00000-memory.dmp

Filesize
64KB

Download
memory/3604-15-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/3604-10-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/3604-14-0x00007FF81D780000-0x00007FF81D790000-memory.dmp

Filesize
64KB

Download
memory/3604-13-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/3604-12-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/3604-11-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/3604-79-0x00007FF85FF0D000-0x00007FF85FF0E000-memory.dmp

Filesize
4KB

Download
memory/3604-6-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/3604-7-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/3604-8-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/3604-2-0x00007FF81FEF0000-0x00007FF81FF00000-memory.dmp

Filesize
64KB

Download
memory/3604-4-0x00007FF81FEF0000-0x00007FF81FF00000-memory.dmp

Filesize
64KB

Download
memory/3604-78-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/3604-80-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/4628-35-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/4628-40-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/4628-39-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/4628-38-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download
memory/4628-572-0x00007FF85FE70000-0x00007FF860065000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads