8693450758e0567cf6601fbfda993b77c44cc206d0cc9f7141fbb0ccb2ff5f4f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ_83747384738757384754837483.xls
Size

420KB
MD5

e9212f8698d52e5edd37af6269efedb9
SHA1

26d0d3a31988fb4196acbb7d870ef322e48f1905
SHA256

8693450758e0567cf6601fbfda993b77c44cc206d0cc9f7141fbb0ccb2ff5f4f
SHA512

0a6eb41f063302aeafc604f7506275bae941a4a30935d6f1438bf4b9bea53f31f2fe867ed2a9083cd6711fe1d75d0748c7765e22ece65d02a5ae2cbe027de6fe
SSDEEP

6144:0Z+RwPONXoRjDhIcp0fDlavx+W26nAzKQunPSHBMixiMK6G+ZFrTUvCp4sJgLzXE:0pPQpozwjTqCfgLnt2MoZiBFyzX

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3808	EXCEL.EXE
2056	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	2056	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
3808	EXCEL.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE
2056	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2740	2056	WINWORD.EXE	95
PID 2056 wrote to memory of 2740	2056	WINWORD.EXE	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RFQ_83747384738757384754837483.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3808

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
7c0669e6df38dff7b7019bb4eed41e99

SHA1
72e3db82fcbf67d6c421455de61df7b51f65dcb8

SHA256
1ac809efcd227440a10b4842e2ea1765f85dc8042b41f4e0de29b7cfa5197992

SHA512
e1a6e93fe372925d238cf1f487efe094d2c4a254faa432551ee4ee49b96a07a6a2ba257b698c103dbd08d4d9133d1ef24eb55dbb9c7adbbb048836e4d794dd2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
18919a6ff07d3887f2118bada5d4b5a0

SHA1
b2d5e4cfbf807b6af75fe8dae6ed6ba4267a5e84

SHA256
d08d325bd1ad7f1b19858d1d4a531e83a4818b6e3f7f50dfc409726dd4278abf

SHA512
1c145454c0c30f11875cdc4d4de0547c3606920cc97025023481e499b45debd5e1fade543da1d6e1d3b6c8fcc5c874f6c79f64a47403e9e850b12f381a29f49b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
9e21bd914a0d523cd3803b892c3be0d6

SHA1
b8455cf87abfaafaed23eb1028d1fd86a47197ab

SHA256
c22d73d8f11ea6d6d83e66bdd93b85cfb177ee5ad06a699c3427dafa3c64a832

SHA512
24e34017ca1634e7238555ee7038f5706442290d6b43748551f39530f9ca7dd5d99b4a612d4b9a33c5b625988d0b5ce20de3d2203269d916cbeb814489748223

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
89447230e21e4e495424b131e91a7970

SHA1
cf93134a14248cd4eb3b5882926d5549b2494aa8

SHA256
b25f0c14badc21d407d687f75358837058d1cae8f67e77735cb064b7b75f94e7

SHA512
ca18dcebb3c4e9ba8bd578f7199f6638869ca1bcf4c1ff8239200dee620e2bec192ca28a710cdf964fe83c1a861830c0a0eccc0dfb38c1fbeee16548ac3bc322

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
e300ea68dd0d416bc75968c2bd3706c6

SHA1
a470b736a178730c23e96929b64a79a33eda0aa0

SHA256
334fdd0dbd8b90ce76b4d9a4f215c3fe4f79dfd177d422be70cfecdc5b7f46ab

SHA512
4bf924b996a5c885c4b595584550d0551a0688fe843fb70607733007c8552730b119b60e4f049e1baabaee0f7b14219604f6b72f55940427bd470b0e61e3029c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E7081641-536D-4DD9-91E9-ADCE24981B94

Filesize
160KB

MD5
5d2c6da084ec9c8c765c05b6eba1973d

SHA1
1336cab21573699fa14e3d5ae8a53194faaecc2b

SHA256
db13720cf1a4cb9f72bea5ee7903978e2b63abf1bc4a5c3743ca54d3c44f0325

SHA512
95ffa8959acda8ebd7efc3625599f0b2823df8fb34249c7da267d1f5a23fbb1d70a817d0f2ce39889ff4f6be48485df73d1232a988899e2208faddf05b0983b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
bf9e42cafd76fac0c8a2f312cd285a2f

SHA1
917b3359668b14c12d7947837e8f87f791425199

SHA256
cd9ed7a75b288025e9e1421d8ef71fdf0443523b3a69e69608c0cb31ccb20626

SHA512
47e77d52dfa82b15cd94f6a9ea70e464937be6075d71099f10424d06108400de025198b2e8526b62cfb9e385b771cde67f1bb5fc48e8a68e3a908ae4c0fffb98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
0be9842afccf77c9ac43cb9ece4d6d0e

SHA1
83729a9dd43e5ec2f705cb58a2633b9b8ee38e69

SHA256
60d8f0a2870e43849dc5e54eca99620ed6969d7c1449777a6bdabf62eea38aaf

SHA512
54692473f3d60cc6caf1bfd4a1ad2ee95641a107e39ccf70f81e3c7d3c2338cb76ac206a2ea801dce35fdf97af23278c85820243a0101b517072c52b6693537e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
4d2f52a37cfd1f9a46e971a393c8ddea

SHA1
d9cf2e600902643e9b98a1fabdd3a8f86fef0d51

SHA256
8474b8f1a1b1667873697530cb89c374e01df1376360f2c89e091a38c9e59d7b

SHA512
888427925c4d1d8acd6d5a639546ff8f1280563a9cc2dfdace4b4f1e61ce5b8137aa177f7870e4753507543c2b80e567a4453402a720d0ae3c9cedbe31d77966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TF1TYUIH\everythinggoingfineandgreatwithbeautiuflthingstounderstandhowmuchsheisbeautiufleverytimeiwanthatgirltobeonline___reallyamazingbeautiuflgirl[1].doc

Filesize
70KB

MD5
b62da88f447201beef3ced60b101f1ec

SHA1
faefa0e076669a0aa38de3093c3cd46889e2b50f

SHA256
d6366d99252a9447bfff659e915bd596f4beba61c96ed9b0e9eaf4c20280118c

SHA512
c5b3667466fc07330e11e43ec48e258367deee2ac46d30f8f728af1459aa2cc0a139d59691a99c14ec97cca10bb329f9f0efd99d03d2d1979f3f581305c25f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD87AD.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
229B

MD5
0799aa1240532a4f0d591cdf5c2ef0f6

SHA1
6ed783626cc6ac437bc749205046ba2130b55dc1

SHA256
bcbfa7a8de52f35bca467a25fe0c4fb8fab26c519f45d43940c3074b106be1aa

SHA512
67e908eab30bb5d92b15e57b52d3811f44b9dca5933a5a4053875f4e0de92ddb78d00be02609a088d7bf34b8aa53db20b331dfe416164e964b2b08a2ce5904ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
757000dbe96e76cfd05a2da5b5cac904

SHA1
dd2f34c1e02b2d90075d271b73b135736be07640

SHA256
5f2577903cf4638a5c8ca5bc3487082f5c7680862d5e7bebdd377c9305893dd6

SHA512
53067ceea2eab5fde9072243d11566d6099244e239526c419c917bb768f5765f618e7953fd57d174df9512d37c05688e789564a7a6b52f9ba3fa4fbf0a92c3a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
ef812c89ca13c801ed9d559f6aeeb4ba

SHA1
69ddb758757e6e862e76eeb65b7ac8d06e9a5b1b

SHA256
07257368a85a27b71d1a82aca1631d3987c6692e793e93b6babc852ba4273b01

SHA512
2608054a826ee21fd6131113fe38c4fdd5c7e0999d6e95dd3b9e1b4fa550ac95eb2e72b379c4d16bf1af8356ff45f881433a84c3f4a2effd62c784f105e620d5

Download Submit
memory/2056-42-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/2056-44-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/2056-577-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/2056-46-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/2056-47-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/3808-14-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/3808-8-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/3808-16-0x00007FFA2C9B0000-0x00007FFA2C9C0000-memory.dmp

Filesize
64KB

Download
memory/3808-17-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/3808-11-0x00007FFA2C9B0000-0x00007FFA2C9C0000-memory.dmp

Filesize
64KB

Download
memory/3808-15-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/3808-12-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/3808-13-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/3808-18-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/3808-10-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/3808-7-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/3808-0-0x00007FFA2EA10000-0x00007FFA2EA20000-memory.dmp

Filesize
64KB

Download
memory/3808-9-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/3808-5-0x00007FFA2EA10000-0x00007FFA2EA20000-memory.dmp

Filesize
64KB

Download
memory/3808-6-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/3808-2-0x00007FFA2EA10000-0x00007FFA2EA20000-memory.dmp

Filesize
64KB

Download
memory/3808-4-0x00007FFA2EA10000-0x00007FFA2EA20000-memory.dmp

Filesize
64KB

Download
memory/3808-3-0x00007FFA6EA2D000-0x00007FFA6EA2E000-memory.dmp

Filesize
4KB

Download
memory/3808-1-0x00007FFA2EA10000-0x00007FFA2EA20000-memory.dmp

Filesize
64KB

Download
memory/3808-565-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download
memory/3808-19-0x00007FFA6E990000-0x00007FFA6EB85000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads