9bb53799bde0d349927aadb0ec2a52e0b783efb1d8520adeffc4222c36bff093

Analysis

max time kernel
148s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bb53799bde0d349927aadb0ec2a52e0b783efb1d8520adeffc4222c36bff093.xls
Size

654KB
MD5

eb36a60bcbb2ebc9589dfba194e0fe4e
SHA1

bb4d8cff5fb3d4a3c33f15f0591fa531599192c3
SHA256

9bb53799bde0d349927aadb0ec2a52e0b783efb1d8520adeffc4222c36bff093
SHA512

6cd8d5c009f6138a2ab97f3fcaac29be007483a64204454f0e89855c92167831710b39b167ccb8beb368e51cf1f89fbd9026ae29aed947f2949e46f4f1435e03
SSDEEP

12288:3kTCQ5HK3hrUP/qPQZR8MxAm/SzxQE1Rq+v1mzPs6eWfo/e36RvZFg:GCQ5HKRrUP/mMxqaE13sY6BA/e3

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2968	EXCEL.EXE
1788	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	1788	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
1788	WINWORD.EXE
1788	WINWORD.EXE
1788	WINWORD.EXE
1788	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1600	1788	WINWORD.EXE	91
PID 1788 wrote to memory of 1600	1788	WINWORD.EXE	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9bb53799bde0d349927aadb0ec2a52e0b783efb1d8520adeffc4222c36bff093.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
32e84a8ac91a222e92faf4fb8bd7c62f

SHA1
79a50468dcb323c6e717801bd28ed6b92b715d78

SHA256
a9e7be8b876ac51708762297ea4662ef00393dfd7cd2dabd2c86ca8f4bd4a877

SHA512
bb0506e166f33a630abb0acb1ab6f793725b625eee44dda07815544a6082d5d26038b9783c2ddbc4cebb738abdc8cc71af02dce8b75f172930bc51f2fa2dfa6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
46a38601036720c21cac737b5359b734

SHA1
76f61e0473280243183c2af2d25e0a631aeb3d5d

SHA256
5018a25ffd17847bb63eb3165baf34320ebb7ebce2af3ab65875c141df765bd1

SHA512
3c66bc3d123e4a81bf8ce13343e6775c43ccb4341aafbae663c7536aae88febf8477eeda0235067df9970ebf623d3eaab82f40bf80e3c229f9150a2968143881

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
5d48ab94063f1c09cccee804e2e2165e

SHA1
8fc482896116ba02de33dd763225d7347f1c0f6c

SHA256
814a6363b94db846d631479875de5ee97dd850da3a213cbac69de64c1806a1a7

SHA512
b1d0099c59c9a006ae6309375eac062e99ce41dc4401870ec79368b8034adc3cce505d1c6522804f55736ce35b17ba56cb7cba616ed932dca88a6487371087ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
43b91451089cb3c5fadde6d67adfb22d

SHA1
7e474a71064833dd5d2ebe3ae8da2a74cddc4644

SHA256
152a5cb0496f43158516791645b80bb7fb5f3ba536d8056c837bdc56b0bf489d

SHA512
681c1761b398bf698451cf5ec00b052af0ab2ee07553f807ee6cee72f36741074deca325df24045e08653b39db7b3eedd8eca439c86d7a82041a4118b1468359

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
07e98b0b721ee3bdd7559fa34a05b10a

SHA1
248fb761c9cbf96ce43c4bbf1310d73047dc30f4

SHA256
264c1c8b652ebfe00bea6d1e74b428bbd4adf8fa534d2e3789167180960a28c3

SHA512
68f633abcdfec7680010d38e5f2098cbac8ff06e5055db97d52bcdfa2b69ce49820d54a4378ef3d7e06b9ebc3dfca7e2dffcd15a0f49b027b46b2525c6c0af36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\48244118-5F17-448B-81F0-BF1B83F8F130

Filesize
160KB

MD5
4c6dde8b977d7c01248258a081b6a1f6

SHA1
a31bda2912c3d4dcc10550b645ded30c5219361b

SHA256
4af32c76c199830d9820ea35000b656a8c4c2a073997d9062b5351fd6b449ed1

SHA512
4a9e23a90c6b9c636c7a7679d0a2017aefd0e461a02fd002d59f608d43b4274b2fdf0b1687630c6abc896d639ecedec7dd95b4056df183a1d25ce49d507128ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
42bef7e9fa9b0c1a4bd2db50fdf8d647

SHA1
a0ae8f560ceb407ff8400e956eac5e49c415147a

SHA256
cb345f3210e54cb5fb624a5bd21735e162ae1bdfc4065f411d33b839b0ec5f19

SHA512
f64cddb3300ab272bf64334f1800cf81f97c7e455eb9700a8ced472372552b7aa6f9c2851e6666dc0c996655375494651680f0873e8c8a7029e0221b731ee712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
f86286f10cd62e797dfb5f26167e48d3

SHA1
2a1e8be5708a324e15c2a5c304a6e66256b52a50

SHA256
8469727350e8f69a64ffa7e441adb7c119dbf133c9a4ad0f54dd7d26520d8a6d

SHA512
a9b6c5be12aca300a646b036610190c40d2d3aeaa1e832ed0f046dc433e8e14215f7c5a8b593301e4e222d70856e526d80ad871530e80c2892ba1bf2873f765b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
60f1f0f28ed3af6b2f48a02bfddea1b1

SHA1
576415fcee282b75f235aaf1a40c319a2a355661

SHA256
03ed08eae3dc6fa4d6029fc0bfe0b4d400dbd8a223078d0b73edbb6e2a6d7135

SHA512
0120c2b59243293a66cf118813f89cdf23aa008a8a9d937f78241fe79e583c492e7e36cd6d13c9bd8578be47f9b8fc2072a6fce8819dd0c19b1a4384c73be188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZURVPW13\becauseofflowerwecantgivesuchamemorybecauseflowersareveryimporatntinffrontofloverwholikeyousheismygirl____ireallyloverhertruly[1].doc

Filesize
65KB

MD5
e050b72bd8f7f3c5a79af85cb1a1bd73

SHA1
4a43ef0eebc753a7bff961543cbcf441c9f1b4bd

SHA256
72dde2686b758581f880758d957458eb735cac9d0fcde2c5a50af2124d1ffc98

SHA512
e149d46f6ba561672e97dff8b681e807dafcc505b064144e73389d96835bcd110b13b651a9adcef1b7b59d290565d3cacfe29eb2d1d000b6589c763d74044208

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9944.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
229B

MD5
e14dac57bc5ccc51d5efa6277ba28b1a

SHA1
4e44895bd778f6dc8c82b3ccca91e024bee0fdc2

SHA256
c7751ebbc353cbc52a6e34ec1e64dad9dab48bea40faf4fcfa7140664fc38bd7

SHA512
59de9a33de42d4545e9b9d9dd594888d196b66634f39788d668a288e47cc58136202c4ee0afce515bf58893c064419c7ffa4313f54e57540216fd4cceea8b5f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
ebddb0a78cada584e8931b80d0a9709a

SHA1
e4d0df3f4f2b91237f66d6626a6e75d29ae906e1

SHA256
7620f9be0e095516dff09f67b08ddbc9b911a1c314cb1c07d891a1c1538faa91

SHA512
c2d23ad6479af103de5a22cdecbc7972b025e17a3e8063daf965c4cdd3f2b1a894e330948e298bb99d26484168927bc99809640e189717256091e8985944ad5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
3698662e020e604376ffd6b1915dfc9c

SHA1
b3bbd80ef1a4e095d7c30bf8a79531502357efd9

SHA256
d0e68999921f692a6b8f7b388cff7b85bcc526240981b84f9b745349fa15def1

SHA512
45b1dfb0fbffcbb9ad13cf2e36b27b563bb00b35a67c42d2ba2489059400e0bc4ac5e23b77f4c492cd2bb674a92affc3b0b57dc0eaa9d80058ecb4aba7e7a3c3

Download Submit
memory/1788-40-0x00007FFE32F70000-0x00007FFE33165000-memory.dmp

Filesize
2.0MB

Download
memory/1788-570-0x00007FFE32F70000-0x00007FFE33165000-memory.dmp

Filesize
2.0MB

Download
memory/1788-38-0x00007FFE32F70000-0x00007FFE33165000-memory.dmp

Filesize
2.0MB

Download
memory/2968-7-0x00007FFE32F70000-0x00007FFE33165000-memory.dmp

Filesize
2.0MB

Download
memory/2968-8-0x00007FFE32F70000-0x00007FFE33165000-memory.dmp

Filesize
2.0MB

Download
memory/2968-11-0x00007FFE32F70000-0x00007FFE33165000-memory.dmp

Filesize
2.0MB

Download
memory/2968-14-0x00007FFDF08A0000-0x00007FFDF08B0000-memory.dmp

Filesize
64KB

Download
memory/2968-13-0x00007FFE32F70000-0x00007FFE33165000-memory.dmp

Filesize
2.0MB

Download
memory/2968-12-0x00007FFE32F70000-0x00007FFE33165000-memory.dmp

Filesize
2.0MB

Download
memory/2968-10-0x00007FFE32F70000-0x00007FFE33165000-memory.dmp

Filesize
2.0MB

Download
memory/2968-9-0x00007FFDF08A0000-0x00007FFDF08B0000-memory.dmp

Filesize
64KB

Download
memory/2968-16-0x00007FFE32F70000-0x00007FFE33165000-memory.dmp

Filesize
2.0MB

Download
memory/2968-15-0x00007FFE32F70000-0x00007FFE33165000-memory.dmp

Filesize
2.0MB

Download
memory/2968-6-0x00007FFE32F70000-0x00007FFE33165000-memory.dmp

Filesize
2.0MB

Download
memory/2968-1-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download
memory/2968-4-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download
memory/2968-5-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download
memory/2968-2-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download
memory/2968-3-0x00007FFE3300D000-0x00007FFE3300E000-memory.dmp

Filesize
4KB

Download
memory/2968-567-0x00007FFE32F70000-0x00007FFE33165000-memory.dmp

Filesize
2.0MB

Download
memory/2968-0-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads