093511e7607bc5b0eecd6b3d345cebef5be94687529b62c80c8cb50b93581623

Resubmissions

16/05/2024, 11:19

240516-nevzfaad73 1

16/05/2024, 10:12

240516-l8hj4aff2v 6

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Enquiry List.xls
Size

245KB
MD5

6c6308cfc88f76a7204f6138904bd1b0
SHA1

e60465358aac52aeadf5051b5d83c0557f15b081
SHA256

093511e7607bc5b0eecd6b3d345cebef5be94687529b62c80c8cb50b93581623
SHA512

77ee18b0d9a8b06e1a9a42e2e36dc7b0c241ef2bcec36c6c12cc3ef5be40d90c49a67df1412d5c3d7d64fd32256fa218e485ed5e9ab080c1fba1838ddd5152ea
SSDEEP

6144:We4UcLe0JOqPQZR8MDdATCR3tScAtwvE6EsBmMqUPI8IU:cUP/qPQZR8MxAm/Sbtws67BNp1I

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1404	EXCEL.EXE
4680	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4680	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
1404	EXCEL.EXE
4680	WINWORD.EXE
4680	WINWORD.EXE
4680	WINWORD.EXE
4680	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 2396	4680	WINWORD.EXE	93
PID 4680 wrote to memory of 2396	4680	WINWORD.EXE	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Enquiry List.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1404

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\96DD3FB36E520A44B4555F9239BEA849_7AD40A119A879D58C851A8D377F4BDC2

Filesize
727B

MD5
a28ef7dedf5c7f4bc98c799d9737d3b8

SHA1
131cb8ca5db3ebe991a062f6b81376277a0759da

SHA256
eba91f4c9e52281a28ec4bebc5f967f97dc74a106dae6fb301a294c1bf3b71c8

SHA512
834741d12cbe9445e72ff99a7e0a4ab0a48b80861c26f79ea14c4e103800ec39bf6feff5a717755150a17a5e2bf463053cf1ba593ead97603cbaddc7edd1c610

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

Filesize
471B

MD5
58ff2fb1a45e48a5730720c85cc60b29

SHA1
9d3e624d93acbe37856b7fb8800935ff41312bd5

SHA256
8a16bd29ce43032bb60e0e0643811fa837d19ccd15eae0ab833d0c229952013a

SHA512
7604e81aaa2dcf69d281077595da9bfe800ff4ac2f817da383324d740b628cb4c920bd094d27e58bf2cff552be2f6d44e77866d4d465a569b337a3a80dfc9085

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
1662d587754054618a8ec44f1ecc4f85

SHA1
2ba9a3726ed4e9b27a012540d006b6302f043596

SHA256
147c793c84dc454c2e1f2c977458fc7c38bb37e8b4732ad09beff5a8bc415cb9

SHA512
d2775af1fda774d26a093917e2b90344e85f8763ff2ef09afda165099eebed7055823440b87d245c4adc2cfb148cdf3e841dacc454c26f818ad9f7dc561798ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\96DD3FB36E520A44B4555F9239BEA849_7AD40A119A879D58C851A8D377F4BDC2

Filesize
400B

MD5
4ce433e0abacb04b9607dd533a8cf097

SHA1
42d3ae79bf3c5f580dd638e25c4ad86f9ffc9f0f

SHA256
04cef94eeb313fb802b2d077ed62270ac1706421293d55f0265a917190386972

SHA512
a5f5df1da8ee45baf93911d31da944ea1a1d9c35a20d7c78bb526e556cb6aed5e9c6209791ffa482012d010de7673519d4b8242234b571a6fc0ed805877c0ed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

Filesize
400B

MD5
dec53c1fc83c01adc1ec7565f6a5d7ce

SHA1
c2468978132d29afaa3027f169cb445a4220c7c6

SHA256
c3cfa6dd5ac4d061092c46e570d6c0946a3c0b78e38b74c092c2c980c424be74

SHA512
0a2ba7aa3afc642a8d8a6d3b11022129b4dceabddd048296d0709e6092750a5a187ad679fea443ab2fd8d001b8839805540212d384ce91ac44ab970450b807e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
0147163b6f7ea021dee4acc7460f0746

SHA1
553b2c3ddb1c359e456f69d2ea0c471596805a05

SHA256
b45cc3d87ad8edae848cab123f7e543a82fb3fe391613753c165d91f43aa320b

SHA512
da3f250e4072fdfb530e73ce159383672605820c3f2204c79a8700f73628e6494d548f18d6e2fe9bd843c83f5efa980a727376f367edee579cff0b6403126437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\49F6DACE-1873-48D0-87DF-4E4723A3FEC9

Filesize
160KB

MD5
bbaf6907fa20c30fcdf6ee9582ab4eaa

SHA1
c1d3a1e80906d63ea0d4bac323e2b69315338743

SHA256
8016fa016502a9461a84a98e468474481a12019b3845069dbdecdcc4f9f57a78

SHA512
56383d0209667cd0b0e7ff8f005abbc7795a08db64fa794e6118d4ecefb431fc354fc3c4c7da5c05aa71c2d5b23a10dc9869e0a9ea1c52031c920835d7539cb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
83401dcc510b2e01dde3c6eb05bc16a4

SHA1
13f9cc1b18df3a4e86bb696f591b5c43d0c36ad8

SHA256
2ca6b7b1e1af778652f0717f5fd1a0836ad593f937f1359f8bed0b6fd627007b

SHA512
cba49d24e0683aa288607eec2a4feaae07791321a209f47c1f2bc13e27980bdda9578b61a5cd19de3978a976dc9155ece32a89e07022f993e893551684fc50d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
aa9ae39c415c6df086b57774d78fc4a6

SHA1
d5933d80edd474e63185ba226b6e236e38e5e9ed

SHA256
ad41cf19abd34d93b546f4abd03991682eb69677bb48334237b3aad60b3c6114

SHA512
fcfff505cf24b2c98adc868bad2bb38d9e444cdd9df24af435f232de5cb7c220bc1694a5eea31734e2f09f1260b63b390feb736fa1c513c513385be92a05f85e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
a3e153229317f8329eb4b9b29c70aeba

SHA1
9b56a12c2aa713c1b9647bf93605188a62e76974

SHA256
87bf1404f23aed7a26e7488e7dd80b275862a91a891efb81371e40f6efd37482

SHA512
2db1ca798773c4f89e19579eaeedacaa96bf1e29d4818ac1513553bd2096a72e6a58c1e78d66f0099f18ae7d64092ef39868fb93f2ea60c2b78d79a71f8a9b48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2PB2KMGY\weneverneedtokissflowersbeausetheyarebeautifulandverybeautifulforentirethingswhenisawtheflowersfromtheheartitscuteverypuppy__lovingflowersbeauty[1].doc

Filesize
36KB

MD5
4f3983c99751f41c7d1639fccbee0491

SHA1
2f09fd71a555b8c1a58a357f4fa0d492b7a7e2fe

SHA256
235b0b646f485fe018965123e177b515f212e00f4c0f751e9bafa77601e4d118

SHA512
f65959cad82c5210f25a665ed41027eb2a846a3f0c7664bf6c4168c85286c9513d621204c28c9f47e63d6ad8758c55a777b1afad0f8049942f2a07142a55f492

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD80BF.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
227B

MD5
890dbcee2ac33162eccbbd6d209b2b23

SHA1
8b7581bdc58686795af0ca8905a8d7c98c733e17

SHA256
8edee37146fd3054900f866e31515531c36db7b6e96177ead210fc215ca2abfb

SHA512
60004398ad85b2a8233ca8f57db161dcd9a033a890908e5a382cf9ef1f11f709d14df8eacfdf289fcdb3fea26a4954a119568b2305c088f71b243c4e2425e93b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
ccfd4a0918ff5af38135f519a7e47b53

SHA1
a74508b33c44c82cf3625379b13b0a574591a80b

SHA256
e24b539a98a77f23a1b00875b65075ec7ce1b300b8d90e90d0eb1182b49d3e66

SHA512
a4153d8a9684982bd2cfab627b529e5b5a9270e152db1834eecaf1f1ee234d8157ec504cd23f98274ddfbab619c4832b5dfaf3a35a87df550897db36d0221df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
7484c541ecfa7a35dc2f8621e69a9776

SHA1
4bbbf304704186a1ba42cf1840670a5ced398859

SHA256
e6f255acb4cbaf369a6a507d901d370d0ec9d13f2459e8758a63b84992cb5c35

SHA512
db227f251041d6701fa54fe26d6406b3ebe0de8b9577872f1178327386c38279ddfe6bf2e4ff155805f14d5fe4ea5aa8d06082d8d502aeacf62bc4ac2f5a62ad

Download Submit
memory/1404-11-0x00007FFD57560000-0x00007FFD57570000-memory.dmp

Filesize
64KB

Download
memory/1404-5-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/1404-17-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/1404-565-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/1404-546-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/1404-2-0x00007FFD597F0000-0x00007FFD59800000-memory.dmp

Filesize
64KB

Download
memory/1404-3-0x00007FFD597F0000-0x00007FFD59800000-memory.dmp

Filesize
64KB

Download
memory/1404-1-0x00007FFD9980D000-0x00007FFD9980E000-memory.dmp

Filesize
4KB

Download
memory/1404-15-0x00007FFD57560000-0x00007FFD57570000-memory.dmp

Filesize
64KB

Download
memory/1404-14-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/1404-12-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/1404-13-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/1404-4-0x00007FFD597F0000-0x00007FFD59800000-memory.dmp

Filesize
64KB

Download
memory/1404-0-0x00007FFD597F0000-0x00007FFD59800000-memory.dmp

Filesize
64KB

Download
memory/1404-7-0x00007FFD597F0000-0x00007FFD59800000-memory.dmp

Filesize
64KB

Download
memory/1404-10-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/1404-8-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/1404-9-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/1404-6-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/1404-16-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/1404-80-0x00007FFD9980D000-0x00007FFD9980E000-memory.dmp

Filesize
4KB

Download
memory/1404-81-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/4680-46-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/4680-44-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/4680-43-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/4680-41-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/4680-40-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/4680-575-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads