b2eaab79de659373164eb6ac758c8140547bf4d7e193e979dce2467cb3c6ace1

Analysis

max time kernel
143s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2eaab79de659373164eb6ac758c8140547bf4d7e193e979dce2467cb3c6ace1.xls
Size

654KB
MD5

e9d2512f562571e95e8a30b9feeda6a0
SHA1

55005d3f55531701ed75c02e837d1550716324ae
SHA256

b2eaab79de659373164eb6ac758c8140547bf4d7e193e979dce2467cb3c6ace1
SHA512

25c48a7def0f32882d58f811ec2cc3665c103654509a1837308d3e96fad942143203ccf20f9abe37a63c4b8b7ef2d425442cec98817cd9f1b8195bc02ff9f9c9
SSDEEP

12288:3kTCQ5HK3hrUP/qPQZR8MxAm/SXOhJEcNxLX9lm0XN6WbxxPpFcwF:GCQ5HKRrUP/mMxSOXEc9hXN6gpFh

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3144	EXCEL.EXE
4508	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4508	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
3144	EXCEL.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3652	4508	WINWORD.EXE	98
PID 4508 wrote to memory of 3652	4508	WINWORD.EXE	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b2eaab79de659373164eb6ac758c8140547bf4d7e193e979dce2467cb3c6ace1.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3144

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
b3da7ba05a9182c567209d501275b1e4

SHA1
530c1a66087fc6b80e4f0ea9fcd86d0a514fd794

SHA256
200f8737d95e4825bc0a41101f6f385fe8264f18d59535e2fd033dced394414c

SHA512
eb5916e11b97c78be9c06d28d53e735513aed16af57513e33d758ba7244e3b3cea55fd52175e52caa4c67beb38b268a62ffaeff495467ee9f69ed1097db193da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
41283f1c4f88d9d25680dad31c420f38

SHA1
d2fc7d7ac9a18ce9626f222e9eca1b8b87b10163

SHA256
3fd0d171d9e80dd358b1fece0d182ce87ca28c80c4c5c3e7fa16d310ea0fd04f

SHA512
678113a04a7dd8491c5b289ec04bee9b3817e58d7032d332ba46460062534ad17eb6b5a5fa7daf2edcac6854b33b89b5ec4c5f73fcf419a1f7a639c886f9fd44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
90e1dc419ba23e56175a5be155f46115

SHA1
a4124f294dd85f2463a65299787789cc0ef6a1fb

SHA256
bdb2202617e639589b2f3ecf7a09fac41d551f73c280d7789b0d5abe01511883

SHA512
298e47f6abe047bcc7ba5eb3a0d68a1d5c3bbecb96c3054278e0a3b75cc13b46e3e271c077c46292dc549a8c8eb48b54f8ac45207b9421e28479ae4c7ca0cad4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
949d990463016d93be29951acfacb03b

SHA1
f9a13355014ed1662d826bb00f9da5cc73aa438e

SHA256
6e065c411ee9f30508978fb2764772d148805de03fe028774869c639ca7ba636

SHA512
d193302689377f8389cccf5c83eae4c9f8bc21833fee4c7c070acfb76ff8a3201a472db4556aaa6899cfe5d327575361787b7748b277dca0c166317b7508c8ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
38a44e38287c46714a14eb05c073616a

SHA1
69bed550a1202bd5e4510d0ae7f1a9ed12c6b5fb

SHA256
d0fd48fc602212a6d252aa31439e01d8839dfa9ee131fa2f323693a775b304fc

SHA512
2235a0179a9ea5d7985d861867b3847bb929202d53bb8876427070872b29146b0405f4befbbe2e2b0debf31e6e9b230ac0e3f137d2868092d0235f13363cd412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\733273E9-707E-4DFE-B5BE-322BE146055A

Filesize
160KB

MD5
f2915188bbd71604c77c1698d61d4219

SHA1
523728b43e3f33eeee98c66b6ae5d548aacab2f2

SHA256
37eb1b34ecb6817f6c50cb9b0fa75f31b67e00bb7d890d2c004934c3ce0fa293

SHA512
6d38777c35b64d7e9ed72afbe45681f26d27916dfa353ad7e92b15489d7552227c05881cf9a53ffc83bc90c07e2d5440eead48a8e6a76af0bdd338a44d9238c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
81533f62ca948b40be0d778392c39a7d

SHA1
1cefbef66c7ee966f3fb31e80dda2d216b5d5858

SHA256
48a798f9579618ba01704a4faf61ce2edabd9a2d6330085e6370d150699180d4

SHA512
97de751c48cea3c267a89bc71cdaed3d3612d4e54633c211487a69055e97bbbae0d182e9eb1f194455a52b49442126f28767eaba9dacafea2584c00a5cdc4218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
6a407d999f65b0fbb3603844ddd22ba6

SHA1
583593a7b95378845e8f910d9c76418b8509cdfe

SHA256
366a3290fe2c9d0297f5768fa7aaaf54a4fbb6498da8c9841251fbacbea3ec30

SHA512
32a66680e27fdf2c74bcd67b0192dcf7cfe9064e62f4bf1a6b419342d8b04e83c8cee59969656b01900f90a89f529fba1e1c8da29beca2b7e298883b03c2033c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
87bf19888f6ffda3fd96cb1ac7344b39

SHA1
11b01dd4abe23fc0c60c4a35245ea4f27523edfa

SHA256
b0b8e7892865a1207288aabbe6e493e74597ac3d6855631b73d46ff8c0bb5c18

SHA512
53034bc7a97225018ccff602e889cde1239320db4992a056e3380902b47e4e3224eb68f392753355777e29ab6e046064e4f24ad5e21f95353105fffafb495380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\beautifulthingstohappenedeverypointofviewtounderstandsheisgreatandbeautifultounderstandsheisgreatgirl___ireallyloveflowers[1].doc

Filesize
66KB

MD5
faf0cacc6b11e438c4bfec5aff2e4927

SHA1
5cf83a1bab6d3c0c21b79df80727adc7eb39f61e

SHA256
b97cade97346326830f1da704b1f861ac4fb79c0243dce2156518e235b350904

SHA512
4ee2d9e5988de6624d4c097d548213bf88e8caa5bb9233f9557648c701cd90bd87580b65b1e4bb91cf92a13642f4c468a9375e37eca46878f726fd906d397f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD999A.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
229B

MD5
bb2a5ebc78e212a2c3b41abb073801e1

SHA1
9af34d83d33d06d3f8b47c9d52cdf4edf29dc9f2

SHA256
4c5b5dae17cb7912f3cce9cb3e722e0b91afa1da50c0c4c11627e64450c50f9f

SHA512
add5f7d86e595b992fd95f4d5ac239ee0c908e6c1ce291aeec6ffacfbacab4a3ec84ccf2450d485042c04dcc4877da34933c92aafb4d2e7fa980da9b0cd5d17c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
9fc0c17809b8c336ddb8bb9f1553b23a

SHA1
a17b80f44dc79836e44660a378f7006dd31e54ac

SHA256
b86126f44a5e43c4c1e2bc0da7ab031cf43cf80ea30661f5c081b5d3d99e5e3d

SHA512
e15ddaa335b9c17d48574d7d9ba6bebc00bdf52338c3d6a67aa98639ab6468128df6964eba9ff6cb1e3c2967f133359d0b9fa045d0cd4e945f6a2ed2ce2e3f94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
ca9f40c447d8be87c17152419fbf4f68

SHA1
b6eda460076e59995ae33a94e4d39d6bc996d6e2

SHA256
257cb40bb38178f7389eac1fdb4852d6f331a8fbc6992dfaf6da3273be4705d6

SHA512
f2f118ffd55042137a26606fd54c4c5f4907513fa340875e106e53d8c9d6929824fb79dbdc6cac918e4c605634bc8e4e2c26928f4f4fdea292280d46c067d945

Download Submit
memory/3144-9-0x00007FF820100000-0x00007FF820110000-memory.dmp

Filesize
64KB

Download
memory/3144-6-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/3144-2-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/3144-94-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/3144-1-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/3144-3-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/3144-4-0x00007FF86278D000-0x00007FF86278E000-memory.dmp

Filesize
4KB

Download
memory/3144-14-0x00007FF820100000-0x00007FF820110000-memory.dmp

Filesize
64KB

Download
memory/3144-11-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/3144-13-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/3144-12-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/3144-10-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/3144-0-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/3144-7-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/3144-8-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/3144-5-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/4508-41-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/4508-39-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/4508-42-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/4508-44-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/4508-43-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/4508-40-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/4508-574-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/4508-575-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads