483eef90751d6677489055c3049fe20f2d785acdc3e735a9e213fedaedaf49db

Analysis

max time kernel
143s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PURCHASE ORDER_REQUEST.xls
Size

243KB
MD5

c0131de013ab7ff784f3fbe434f26730
SHA1

94a4a10b98a4597e8fd640254291700db4efe1bd
SHA256

483eef90751d6677489055c3049fe20f2d785acdc3e735a9e213fedaedaf49db
SHA512

ab81b78bd00492aa04c73a233763d015860406869139f666463e601873c9933ebe3d50ba6fae661991fd3b12571589efabda2ead44e435039a608872d61a145b
SSDEEP

6144:se4UcLe0JOqPQZR8MDdATCR3tS+aqgvCZ8Yan+gC:iUP/qPQZR8MxAm/SL9n+gC

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

212 EXCEL.EXE
5076 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 5076 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	5076	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
5076	WINWORD.EXE
5076	WINWORD.EXE
5076	WINWORD.EXE
5076	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 5076 wrote to memory of 3608	5076	WINWORD.EXE	splwow64.exe
PID 5076 wrote to memory of 3608	5076	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER_REQUEST.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:212

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
af3b7b913141a440f351cd5889f1dea4

SHA1
f1e6a1a3f12b69a77d228323e93ec99dc96ccf8a

SHA256
12d33df611378f47d31a475b9fb967be75b33a2403ba55165780b0d0d9307d46

SHA512
5e33a15751f2c781a4cfbc2d8b87d70802d61d249ac00661ea3810b5a48f007a6c40ddfaaccd9b4cec646439b5b365e56e116e9cffb31a5be4aeac5d5720e800

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
59e1bf38b900112402a81813e43209e6

SHA1
396e36477027b08de9721ea01bedc4e135c9f6c3

SHA256
9ce214efde41e12963a30c44e74f918dfdcf3f61903faa3231e3b6e1b0c44900

SHA512
ea7f6d10cdb6b94416e1f0733c5ec4b9db2aa892f0b15900e43f1d5d084775ebaaa5c51d3930341b0e3dc80507bf1503af41381b5a8d00acd6600c28a7bb6793

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
5b8199f13c3477f54ab0fab2fa00d288

SHA1
6c7af25cccf93e664c54219bdc1b89a12c0000a6

SHA256
3b49154002cac79f6e6dddb048d051959d5e25f3798d04812e5bf4703ee9ca3e

SHA512
df4a450fc92845661d01baa37d5a459aa34f791a443ddd6c253e8a159c7989480579429ae71c72f87a66c08a7000a82bc05dcaf275378f4d754844bb370f9852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\474A1745-FE87-4695-917C-ED50DC508ADA
Filesize
161KB

MD5
05b629f2c8d608f53b3b38290bd87a34

SHA1
252d262aca8b060d5263962be1c6e60cb7afa3ba

SHA256
8f2f209e3c2685bd0fd6aac600db50e4d77076ea46c5e0ba106f42c3d8f351c2

SHA512
7f829cea0661837303257416462433e3987a9738d9a8087fb8763b6e6acf25ab20a3f2fb32e46a8fb2501a3c7781919f88fe9364ee4fc31f65ca3fe539a6c4f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
fcdf040047f84df75d61a7955f924680

SHA1
b3a51518ea367f343a3ef91d2818524768b69e3a

SHA256
e79b390543e94d2f16faaae5dfa7bb6d8068b2ace173e54140fd15c7ec72e7fb

SHA512
ff8010ffc5aff569c3fe16ddec113fd747c36390a6f143de3dd3978cc1f64efbb4f50ca4594ec5b9b64c529e478e9234adab134557cd5247f78399fc97a4bd12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
42bd788a971a4dd9561845fa50341695

SHA1
bae592af537acc478eb229b234634265fd42792b

SHA256
3a16cda4934b558ea90bdb717dde16f4523495646e82784428cf1c3e8539c781

SHA512
cc5acf7a5c13563f0daa936c3201cfa5afdf3f641eb50476cbc8a17d881384f2c01ba29802dd060cda9f25e8359bb2506c5b268ec72caf90aca0bd27ee3eedd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
3c6073d9fd02ea5da382e154f130cd45

SHA1
5384165eb588dd0d46cef28decde5ce91b414c7c

SHA256
adc7aca69372d8df2552884232343ec219e5f38f62e52ea7280bd1e5f1769d4a

SHA512
846ded3edeca32df6f841f2ddd52a862b336bc615534d60a27f12edd661335c78c8bd5b666c75f652ff5e474883b8e21e0fd03d23cafb6f37c384bb7a450bbae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\ebeautifulthingstoflowersarebeautilfandverybeautilftoseetheroseflowersarebeautuiflandamazimgverybeautilfimages__flowersareabeautiuflimages[1].doc
Filesize
37KB

MD5
91e4012f7dcdf549d97c3b11a38ba904

SHA1
08aeb60cde52cfccf1a11e22dddc34d41ddae54a

SHA256
b1a1bcb72ee52079c927e0ae751a7dc484a8e0fad9946346c57a3f323e248233

SHA512
c0d8321c658cf9bd1c2d5c4496a41da0108168a32e28fb1edb6d6592c1b0cc3d2f4dee3c4a36d0851e5f1f23ea32b28a70bbf75bcb8e8eb174a5d39b02ffc774

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9F82.tmp\sist02.xsl
Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
229B

MD5
414beff98c4e14d9d1d5a9df7867336f

SHA1
769a5e682752e01bb7209b57616f73aba8d59f99

SHA256
bea30f4cfcea7678c36fc2febc942bf134be72b850ca336cccba6e6d9331dcf0

SHA512
2641b93fd152a7cfbb2f1dfeec198a7c14ec5a16a229e47a834eede18cd374a5b0115b0f90bed02d00fbd827659b3070de9819837f3a782fa2dab4474b8c2322

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
0f800c468dc8dd00b471a38fed1c0c1e

SHA1
36a4b3b1c8b5b68b1c66d79c3d2080efcdb7090e

SHA256
986a2911e7e77e290366e870ae133cf4edae7158d84a1e463ff5e8b1e2c7f8df

SHA512
e8daba78ed4ecefd20b923e19a197f59a890d2c72f4801bb581e3557ea867eb777a8bc364b6973b156abe41e2bfec371b3ed4f1bb72d8386c82537da656441ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
5309631c84c5abd433cb40b98a3b70bd

SHA1
19bddbde7908036238e379f605e65d1d74e41679

SHA256
cb14896e188a4e925bf5e1190dfe533096466a81737d6703630e37332dd1ca1f

SHA512
f0c3134e4322d5e36547a3bd9fcfa8539d2013625ca5d439d7c68f6a6413886441ad8677f0d030cd4ff4a1b6b2cd7893d5906fca1551754e73f949dc2a09cbfd

Download Submit
memory/212-15-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-11-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-18-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-22-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-21-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-20-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-19-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-17-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-6-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-5-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

Filesize
64KB

Download
memory/212-620-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-618-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

Filesize
64KB

Download
memory/212-16-0x00007FFAB5A90000-0x00007FFAB5AA0000-memory.dmp

Filesize
64KB

Download
memory/212-14-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-0-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

Filesize
64KB

Download
memory/212-13-0x00007FFAB5A90000-0x00007FFAB5AA0000-memory.dmp

Filesize
64KB

Download
memory/212-12-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-10-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-9-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-7-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-8-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-4-0x00007FFAF80AD000-0x00007FFAF80AE000-memory.dmp

Filesize
4KB

Download
memory/212-1-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

Filesize
64KB

Download
memory/212-3-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

Filesize
64KB

Download
memory/212-2-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

Filesize
64KB

Download
memory/212-553-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/212-619-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

Filesize
64KB

Download
memory/212-616-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

Filesize
64KB

Download
memory/212-617-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

Filesize
64KB

Download
memory/5076-565-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/5076-46-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/5076-44-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download
memory/5076-629-0x00007FFAF8010000-0x00007FFAF8205000-memory.dmp

Filesize
2.0MB

Download