fb51a555286437da6427a8f381f22a6c206c28284eafd7fe0962a4ca82b29112

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PON2401071.xls
Size

243KB
MD5

71e4c5440a96949a52716772afeecaf9
SHA1

1423b128556af44a2d4b459b3e6bbc552992cf23
SHA256

fb51a555286437da6427a8f381f22a6c206c28284eafd7fe0962a4ca82b29112
SHA512

33d98eaa90945772f87812abfe88a1494450f8afdd07ae4bbeab484ea9be79c1cd4c9c31cac0341da773348e9d4dda2c29c3ea96097c5e7e61055a77993a960d
SSDEEP

6144:Ue4UcLe0JOqPQZR8MDdATCR3tSvz/9RZsHzJWdT64GNtN:aUP/qPQZR8MxAm/Svz/9RGAdW

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4984 EXCEL.EXE
4520 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4520 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4520	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4984	EXCEL.EXE
4520	WINWORD.EXE
4520	WINWORD.EXE
4520	WINWORD.EXE
4520	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4520 wrote to memory of 3232	4520	WINWORD.EXE	splwow64.exe
PID 4520 wrote to memory of 3232	4520	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PON2401071.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
fe6bd6c298147e79a7f3d71cd37dc191

SHA1
d46b556357a38b15fb12aa6b05f49298d2327925

SHA256
4805b33be79c1143a7370210d66c6b95613680e54105a897052b0f23c3197365

SHA512
632ea2e5d3ee49dbaa2b7a23fcc8e343d7832b5d5789e38a1e6846c177d76e09a975b974b00b07b74a1a4be6378c8dca79f2b1aa547f686d2d08acdaa4b9bcb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
471B

MD5
06dcbd58744f04194e9539c3b5d9d27f

SHA1
fcfe1c6e17de2200b346bf252dca02f9a4202ee4

SHA256
c39e7de26badc307d396e81725442901aba72d948ad68d3b7e280c232b4976f5

SHA512
51ff3ef89cbf78ab2080eb5fc970ad10874a2e664ab4e020d5e80418df9d57d10eaa61f0be09a709855e2f0f05ba1ec1ed65dd441299da1e1bbafbb6adb4169c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
e526d3b21219916896cdba82cba6d529

SHA1
9479052d9df9be615a190697cab6f8dacdd9ade8

SHA256
96df514db91563c7b447d0cff1aac3fce97602e87962337b4e0a8288548f24f7

SHA512
c316271693840e9f937dd3953e5733a17a74db376577511c6835f0791f628b7f35e451f8abd74d5f824d1b29670c0ddab4a0ef56829d008fb3ff005daa51d6d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
63177f1e868d024bb6f4d8c71624ad3d

SHA1
4b495bc01653478b78edc4ae4bbdf96c2c44beed

SHA256
815de7b8a781f697581692d1aae5c42cc6503d3994a87fdd07e727e11f698ce1

SHA512
4d1aa091e39c7917663e6416ebf301f4eb4ad2d38b16ebe5c133ff3a4537189de10c6aae3a1ea39e42a326aefcf45c89b02a9614f98969c9e6c3c626549f63c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
412B

MD5
84a0fbdf9fa903b455db6cf687a22136

SHA1
26c6c69113b4886a72ce2005887b1a0740bc95ab

SHA256
b985583b5d7775cec743a3e7329c9bd53531d0f6389d87fc627fb8dc9069c77b

SHA512
c55acb486e8cc6bece883e80ed4deb7417483e24b44cf9beddad9f1f26cf60485cb04ed86f91bb59102ef37e98852cd01b6eba03fade12e347af7d9b5ef52bac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BA8108A3-B0EB-44BE-AEAD-C30930B084BA
Filesize
161KB

MD5
13dd5e691fc1dd3cb7d99343dc2a5019

SHA1
b227668a59c5d88ce159edc633e0c31c301e2ef9

SHA256
b0b182aa3c409aab2526b26e1d3b37740d337fafae6bca76ab9c52f6382017f3

SHA512
7cac038c4fe7a2a8844e3397890548abe62d0c8b64dc1c30d9770801f4aa06acba2e733c0c17f1e52dee56e11736cfee146d8ee6dbfd465f4b8a2715c7972522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
20KB

MD5
30613f8ec37c7cfb745b8f3e6f845e65

SHA1
a1dc98668c7f83d68bcf1170f17341cb22e9dd3b

SHA256
3767e2a8662cd9ce4dc4da732e6d93a6c89028d89eddee116421f2352e5bed00

SHA512
04c9559765dce363a5c0e74b01f9c7cb37af2192f7c75a196211cfb62255a0dc842dfa74f4a8b7fefda0e1e522e9807253dcfc4a7da8fa55b78151086ee5c5d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
cdcb6a1c71aa623038885bad69d539b0

SHA1
61dbe4c32c3210802ccd036623780a59ff88b8f9

SHA256
108e19db0f951f02c504408533c35fdc15c437a24887f13ddcac39865bb0dad5

SHA512
ac667e589fa28ac998cf651b9087a70339e966dd46e4bb40558e7cc62c8015472d73127062c7f175e8950681524d93a85b7d8ce1f438172ed36d35386d158e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
2eca2fb0cc4ecbc871c4aa2181e5edd9

SHA1
f42fc861cc53b4a5cc237f59632955cfde9a64c1

SHA256
9bc96824060de1699c210a279f55350d506b4fb85199bacac7376d332fb7929b

SHA512
715b5eb150f60432a0ec26f191d9f6c49227c3c87eab82d60717aa4b53e156c3ef4d2d611d2a070d8c214439be67f93a87de618d730a62288c69dbc0db28d679

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\hiddenwaterfallisverybeautifulandgivingsurprisesforeveryonewholovenaturebutsheisverybeautiuflwomenever___iseenmylovekisserlove[1].doc
Filesize
32KB

MD5
7bd5c65249e0c2c02d3c5391e592825d

SHA1
146cad17ec1ce64fc6064f29acf96d7ab1544145

SHA256
c7df929820b7b7a9226d3042765595bbb46a5325bdf7db214ec8af10f64c95d0

SHA512
b1426e327c1ef7551a8c2181d8bbe8e673bf135722d82ee204cb8de39a6566f0d0f1fd4db381b65d0a7769c4134268b82210089964d00c760d4d410e44297002

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA4ED.tmp\sist02.xsl
Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
228B

MD5
10bd5fd8924711ed7fe26e81c69806d1

SHA1
e95ca161ec6d86f0c2a99207121854653d65d8ac

SHA256
f6107a32b0f471c871196e0646bdc6e1b70c9e75114e4b9d6f119415338c93d1

SHA512
9bc034d4786c5af6feadd33580aa643e84bff87956156ff420985e9aaeb3a1997a962d1beed2e684118ece51fdea2e777b406a978e8dc53eb1ef6b16ae67a628

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
c06afaaa60aea519fc3497fc3ec34374

SHA1
86ee1efca713eadcc66cff8f163a4b02ae74601a

SHA256
ca478c65f7e6be17c95c6b5d5809c76290b12112a0c6bb2e387027e77b43e1a1

SHA512
ccaf5e1d2d338f7ebbee365ff52329c5345af74edb8573dab54b4a242895b7cae3900f3202b06bb9063c56ff2531b6159a82cb2a3ecd4bbbaac5cce26f289993

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
962bcf9f5db59ab3a27fe9330fac7cd7

SHA1
f8f4ef50816495ee78fa1ce36db62e954f2c036b

SHA256
5d45df5dca5febeb5221d3d0fcfb8af2e1984fb65c034c6a5b6a5488b04f27c4

SHA512
c4e8ed76f102408ac9bf8ecdb383db49662ef298272b3d33781377086187693cdd74a201cb3e4b589cb16b7573bf1773b2f789e1d255479f2bbaf10da720840b

Download Submit
memory/4520-42-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4520-575-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4520-45-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4520-44-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-13-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-0-0x00007FFF3CA30000-0x00007FFF3CA40000-memory.dmp

Filesize
64KB

Download
memory/4984-20-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-19-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-10-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-11-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-14-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-17-0x00007FFF3A770000-0x00007FFF3A780000-memory.dmp

Filesize
64KB

Download
memory/4984-16-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-15-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-12-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-18-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-9-0x00007FFF3A770000-0x00007FFF3A780000-memory.dmp

Filesize
64KB

Download
memory/4984-6-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-8-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-7-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-5-0x00007FFF3CA30000-0x00007FFF3CA40000-memory.dmp

Filesize
64KB

Download
memory/4984-4-0x00007FFF3CA30000-0x00007FFF3CA40000-memory.dmp

Filesize
64KB

Download
memory/4984-3-0x00007FFF7CA4D000-0x00007FFF7CA4E000-memory.dmp

Filesize
4KB

Download
memory/4984-1-0x00007FFF3CA30000-0x00007FFF3CA40000-memory.dmp

Filesize
64KB

Download
memory/4984-574-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4984-2-0x00007FFF3CA30000-0x00007FFF3CA40000-memory.dmp

Filesize
64KB

Download