1e860f3d149be5b67038f8cbf99fce42695860574f477dbab64d59da95f13b9b

Analysis

max time kernel
148s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 15:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20088.xls
Size

245KB
MD5

c7c2222cfa5b8bed7d7436763b96b40f
SHA1

f76971cedfb8d4ec9d0a7ea1f685ae7b7c44d66b
SHA256

1e860f3d149be5b67038f8cbf99fce42695860574f477dbab64d59da95f13b9b
SHA512

b56fa68dfbcce0599505bec2ec47bae3d3fa062cf93c99a3f37a6a66b17a273be7529d086efd83e59e7b37c0f0217d5c41bb21128404b3d368678670a3bd1213
SSDEEP

6144:ue4UcLe0JOqPQZR8MDdATCR3tStwgKnRNvd30tOwU5kFZ4a:EUP/qPQZR8MxAm/S+FRNl3p06

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2732	EXCEL.EXE
4848	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4848	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
4848	WINWORD.EXE
4848	WINWORD.EXE
4848	WINWORD.EXE
4848	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 3448	4848	WINWORD.EXE	103
PID 4848 wrote to memory of 3448	4848	WINWORD.EXE	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\20088.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\96DD3FB36E520A44B4555F9239BEA849_7AD40A119A879D58C851A8D377F4BDC2

Filesize
727B

MD5
a28ef7dedf5c7f4bc98c799d9737d3b8

SHA1
131cb8ca5db3ebe991a062f6b81376277a0759da

SHA256
eba91f4c9e52281a28ec4bebc5f967f97dc74a106dae6fb301a294c1bf3b71c8

SHA512
834741d12cbe9445e72ff99a7e0a4ab0a48b80861c26f79ea14c4e103800ec39bf6feff5a717755150a17a5e2bf463053cf1ba593ead97603cbaddc7edd1c610

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

Filesize
471B

MD5
58ff2fb1a45e48a5730720c85cc60b29

SHA1
9d3e624d93acbe37856b7fb8800935ff41312bd5

SHA256
8a16bd29ce43032bb60e0e0643811fa837d19ccd15eae0ab833d0c229952013a

SHA512
7604e81aaa2dcf69d281077595da9bfe800ff4ac2f817da383324d740b628cb4c920bd094d27e58bf2cff552be2f6d44e77866d4d465a569b337a3a80dfc9085

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
bce8ddd51997974e4f19dfc60b544190

SHA1
1636fec66a3acb073be9b60c0a9eabc2c862b22e

SHA256
bb80c2ff162bc0d113aca8a597e3d7447a755b2f293668dcf1a34d2959b253c0

SHA512
10915de8ce73b1cf5c7d8822deb2e57a32701a416ee70f5c580c76c02255aa36bc8f2dbe0f80ec43b1f59f81a64d3e5b26f55845d240d3bb8f8328f500850a8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\96DD3FB36E520A44B4555F9239BEA849_7AD40A119A879D58C851A8D377F4BDC2

Filesize
400B

MD5
5ada3e7fe5c5ec31e113c71cb741c319

SHA1
d186f71fc7f0d23725fa60d1a35bf52678420946

SHA256
addb94e50f9608634a5e5a67d05f13bdb3e148272e3074757b8edae2a2833446

SHA512
65226d7cf3d401314a5752690f3636e8e42aa0ccaa52e5f1d22871b9cd46c55f719ce2813ec5784c593d1bb76bed2ec684d72756ab9a600348221ac3ea84f230

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

Filesize
400B

MD5
89610b032adcc9cf0c89e4ae6e41597a

SHA1
1c7e68f0c80abdeeeac12588c1ef0e4c435428c3

SHA256
6077cc0767f0b9c565fa1484bcf0bdcce644187eeaafeb67d18bc960253fa6ca

SHA512
817ec1ca98b93fd46c6665b00f8d2e3d278d73b026f81967182b2df305b5073d493b73b52450092c3fc42ecca6e00358989c4c4527c9d55c172ef7c0c50e0d31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
f6f82564435ad89965c33b4b03d84a46

SHA1
d02f64e88be26bca73f702827d0ec5e3d2e2cda3

SHA256
3f020e8b9b94ed154b119cdd2601088eeec6d94980704e2a662e07644bfb57e3

SHA512
5c29ed7d0673f9700860848f87d2c8bbec6d49b9e29fd4277d5482b25d81c91efd4d9b1816ebfaa48b8ea1d993524127058988d54edbafee871d6fb4375be66c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3E32F1CD-735A-4B0C-A15C-538F4622F51E

Filesize
160KB

MD5
fc12f87157ff096aec5bd4dfcbda8216

SHA1
c9011d85b467e1862813e24231a177f4fb357e99

SHA256
bd5771eeebf6819d863e57d757e1538f8e0f11002990ca2e12b0bdacb66a8188

SHA512
e07df938afe8fdee84648de6abd60aeb4f9f074fa64853f9a9001209abe741358a817b29ea9e9a722f51940763e13b18e2fbe504e00673dcb43d9874eff4fc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
671f2d67442ecc981831f836e25e0846

SHA1
3701ccac3f2454e3220d724739cf1c7f7d79440d

SHA256
3130e8bafadb24e0d3133120233a6a6c2139532932a3fe5151f163c297964aec

SHA512
66780d03e965783788f2945b1b9c5ac25f3f50002b45de2455d65937856f44c305c2de7d11b1faceb71cecd3771a14259f10a98bf7d5af885b3b19d3d94c6623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
cffcde0c088382ed35ebdbae37d21f4a

SHA1
922c0a40201baaea20c659b9c160455af9628d45

SHA256
b53f0f7a95cc905ad76a385c8feb7681a83e2571d9426ac72aaac223c1d2d656

SHA512
42e735be06770c64c26d32b51ebde237275a99cf051da9b9740ce25e455be8f756ef563fa24fe9e36946372f8d7102ff78e42b70c48bf3c6bbabc5d69a61d8c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
12cb44db47a3b1ed4f5cbcdf85356e15

SHA1
0ae603e7a0b8013f9d7f79e96687442653136514

SHA256
38df2e487d21c04e54d4c166f6952634fe6a86ce97c826f0921bb859927c29fb

SHA512
0d3bb95c5d21a4b0a293d1dda31a736cc47a3694e4cef050cb877d110b93023f5822990f780b38ea3f27c75f57b5dfebc643ea6266e603cbfc6a07a27d7917ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VVOFDIUO\wecurrentlyunderstandhowmchimportantforthisbecauseitsverydifficulttohandlethethingsbetterwithmeandeverytinggoodfor__heartounderstandbeautiy[1].doc

Filesize
38KB

MD5
ab7f45e1bccea5c0f81bce3b484e0d23

SHA1
11a122bfbf1f148f962b766f9a2ec3b3c4e8561f

SHA256
7e006635b6f91e3dc43113847833d6d08ed1bcf257a39a8e67d5c47082780c39

SHA512
64157206b3f3fefd78cd9cfb22c50e9e8e234cf872b60aaad398dcf3b37b27ce994477391c959baf42b043867c3b616734bd084ec483a0e0d2770eda890998a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD2F2C.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
227B

MD5
5e7d1a507cd941c88ced96decc83c826

SHA1
65aed43fd10d39a1efac8454a425c8a460adcf66

SHA256
546d9bb984093ff2f58568940914abed8ae9af7a4517adae32f7d30f3919b4ff

SHA512
2a4fcb02d42c6205dcfb7233b90d98092ee7806358fc0082e4c8a743690ea9fa473a2613d59109a31507794329e90bbe2a1423e839c80dc801141884416fd01d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
b4c9e191178ba8be68f758570bdd3835

SHA1
71ed8a2e1f656ba61fa1c6ea57266d21b64703bb

SHA256
272d070d809aa96b2d89bb8f1f5df4fba1075412384017024d9fd5aba68ec5e8

SHA512
199da2e15052ec87be19ad67315acb17c219eb2413f037e9f4604f05d91cb89180252f5560a6d7f5b693bc6e9aea34b2c65333ac45a4e8d50a8208c3a80ed4ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
7a8cb102e2906e57d5b895bc501d6b08

SHA1
c7dbf3423629a29dd7b246a185c8b0bffe989b4d

SHA256
dc4ba37bf819965d08a731c454a56dda137323af3ff73f8cb1d6166ac4dd3fee

SHA512
8929c94f8befe8de097eeb58b117721cab767e9294cd1c0d89a3134699088b6207b8c631cfdf42065a16da676c9cf0994504b8e0d0fee2bcad4a06a82b280d00

Download Submit
memory/2732-13-0x00007FFD7EEC0000-0x00007FFD7EED0000-memory.dmp

Filesize
64KB

Download
memory/2732-11-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/2732-16-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/2732-535-0x00007FFDC15CD000-0x00007FFDC15CE000-memory.dmp

Filesize
4KB

Download
memory/2732-536-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/2732-462-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/2732-15-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/2732-14-0x00007FFD7EEC0000-0x00007FFD7EED0000-memory.dmp

Filesize
64KB

Download
memory/2732-3-0x00007FFD815B0000-0x00007FFD815C0000-memory.dmp

Filesize
64KB

Download
memory/2732-9-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/2732-10-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/2732-0-0x00007FFD815B0000-0x00007FFD815C0000-memory.dmp

Filesize
64KB

Download
memory/2732-12-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/2732-17-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/2732-7-0x00007FFD815B0000-0x00007FFD815C0000-memory.dmp

Filesize
64KB

Download
memory/2732-8-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/2732-6-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/2732-5-0x00007FFD815B0000-0x00007FFD815C0000-memory.dmp

Filesize
64KB

Download
memory/2732-4-0x00007FFD815B0000-0x00007FFD815C0000-memory.dmp

Filesize
64KB

Download
memory/2732-1-0x00007FFDC15CD000-0x00007FFDC15CE000-memory.dmp

Filesize
4KB

Download
memory/2732-2-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/4848-41-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/4848-40-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/4848-38-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download
memory/4848-555-0x00007FFDC1530000-0x00007FFDC1725000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads