b1e7182d24c06b1acaace6890fb755058453d653b0d217d76c9ed9cec785628e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Plată Factura MTL1185.xls
Size

140KB
MD5

2838526d9fb2cacb67df0ce3ed842254
SHA1

6a3d7a3d3ecb37428a5538da254e2d19d44adc7f
SHA256

b1e7182d24c06b1acaace6890fb755058453d653b0d217d76c9ed9cec785628e
SHA512

526c32606397f0512473cdb719060f42dd865ebc29e4dfc4f72282cbc937ebdb1eee721051cad18f36b4c90127cd1937688cc482cf4da416b4541fdaeff0d75b
SSDEEP

3072:40WF2rlGK9RDjlonbHUA++TVdOCsTd9gjQlyf4xd:40W8r0mRvanb04VsLT3

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4364 EXCEL.EXE
1932 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1932 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	1932	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4364	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE
1932	WINWORD.EXE
1932	WINWORD.EXE
1932	WINWORD.EXE
1932	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1932 wrote to memory of 4284	1932	WINWORD.EXE	splwow64.exe
PID 1932 wrote to memory of 4284	1932	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Plată Factura MTL1185.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4364

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
471B

MD5
a4bae28bb2e23e486f9c1aa562a58823

SHA1
c200627a1eeb1217bcd1be85fdadf133e5033b6d

SHA256
37acdd7fc40ae1e1238ccde843516ccba1598d0d0d129541711a645716cfbc1a

SHA512
d30ca73ef53911fbb08c90e67ed01a4ebffdeeee6b3079af568e8bc566163f07346d54d0baeb005a95fcbb48673235208fd071c666f52fd789e7af1144701077

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
412B

MD5
ce16883d590b5d1aade09d2c7c4edf90

SHA1
23f341ff7ce3fea878d4a0811b72331a6898bb1a

SHA256
f84950dd162237028451df0ad43946188437d47f3aed308a1e0b71c5989ffd44

SHA512
a82c4f9d264cee501f663205d139768ae07b971deef1180eb977fda844c4c02c438465888bcc22f97fed77c6b8622936c4234a5c469e47a895767976f72207c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5080B4A8-8B9F-4ADB-8062-1C17030AF447
Filesize
161KB

MD5
b3febad39955e26477b965cea63bff22

SHA1
030f3789c3296e4d56c9fbed48ed216330baca16

SHA256
0a2b045c24a89bea7347eec9a8011ed9eaf9100c3c593be6bb8dbf9654fc2d07

SHA512
86585f83934d6b37a3221f74394e5b506a65ca6ed985cc11e7619ce0d2a011f35bde40f98ee624980b84040f97028648330208765aae0121a5ad1260fcdbfec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
f2220aee8b107b7b91c3e5a8a9ab1bd4

SHA1
8e09eaa718c162236a3b7b231e35fa7a4c5ce761

SHA256
6ea84f92a221c2592550d3d4eb1c1fdae7612239ea2a8d8076575a57c8a7a0d9

SHA512
36554bbd2bfc8f40b3c53912f76243ac5376cb737a2722245f76fa2a724b287e5355d31d141f9e0018c7acd30773d5d9106879b63c1a14d625c39b31622e2946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
938e0c2f7a287a9c8e654f5054c48fc1

SHA1
231a809b28fe5aeb99824b91ad7bc3c3c0017c00

SHA256
11c3dced28881ddfdb0e77cc1e9a79cc4d1592ad83383c74ba875138c4ad9dd9

SHA512
b711f56a03181cbee91a7223c86abbfafebb5045ebbd9a7df07eaf1aff2a3adc083a8da9006c890316a5214e15fcd9e13e9e58403ebf11081507f682c68d4f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
f96747aea005614217e08187865b994b

SHA1
4b69da26680947bf88dacc3c4066de4fc71a81d8

SHA256
c5cf44f3e7216bdad894bdb2269f07b85ccdd3242537ccfff3bdc4a9b0f05780

SHA512
20f27910c0bf6ca7766f1332e67989a1b1b20884e71bccc2c94970ff973f52fa5a9463829993ee9252fd7f8cffcbc73a98d5e18f6428bb8eb4013260bfc5af2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\lionisthekingofjunglewhichturlygiveugoodforjunglelionmeetgreatanimalsaroundtheworldwithgunleimagestoundertasndlionking___lionkingiskingofjungle[1].doc
Filesize
36KB

MD5
459dcd076e83ea265e96dad6f7c90277

SHA1
f0e08942831e10442e1aced92e0802d33983be06

SHA256
96af9dff502f5710d657de83d4515b8d2b75dbf8ec2d98c944d0dd7105f1ea62

SHA512
a3823ed30bb490aafa77a38ce97013e62219f4017002988a58582ba20e16496ee47bdcb8837cb538f10a4f7d488661c0e28fd13c74451226b1fd10f06b17a64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9E05.tmp\sist02.xsl
Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
231B

MD5
953b4a02f2561623c2b606efe01c5dba

SHA1
8f30e0b7f17d7750de957b536c0c6c3e8cf61bea

SHA256
bb112bc76e9ea90f73cadb4972dafcebab980d0ea0f1ce037684c0613ac18d71

SHA512
8f773e7d5bedec141b1806d1433cf39d3979d3c3e9fed89971328f0dd745d48df04b3465de44e043be6f452e6313fd84f83c6557941cf83c69401c34ad634831

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
85037b0c7990d6a03cd1f082288f2b00

SHA1
35195000c589b4195c7ec3aa7c3b85b171a202f5

SHA256
80809cfa1d65cc63fd816cea9d4cea582fd99f31e63c464ededdc1c19eb3c9d6

SHA512
9b518f4fee76fe251012b944cf45cd476aeb78910a1c812203c077179538f912cc4ee96e638dda834146ae8f3f6f445504703a0bd005dc9faca7058c2ff20b86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
eb34bda2acbf632339f7f0970c7bc437

SHA1
3e3ba3d3bafe1ef2a15780640902e77af990dcb1

SHA256
7bd9c26801a9815f62037dae3fc4358e3f51a27217ac210f1b59c3ce5274c9d8

SHA512
f2fed6a21157a5431e201c409f66513f09cc5a7beb416ca4eb397b52e26df3f06a03deb6fdc0d812e002427fbb52680aacb4a736051b3bc2abd16453c507779c

Download Submit
memory/1932-37-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/1932-570-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/1932-44-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/1932-43-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/1932-42-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/1932-41-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/1932-39-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-8-0x00007FFCE46E0000-0x00007FFCE46F0000-memory.dmp

Filesize
64KB

Download
memory/4364-7-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-17-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-15-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-14-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-13-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-20-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-21-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-22-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-23-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-19-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-16-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-12-0x00007FFCE46E0000-0x00007FFCE46F0000-memory.dmp

Filesize
64KB

Download
memory/4364-18-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-0-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

Filesize
64KB

Download
memory/4364-10-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-11-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-9-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-6-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-5-0x00007FFD26E4D000-0x00007FFD26E4E000-memory.dmp

Filesize
4KB

Download
memory/4364-3-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

Filesize
64KB

Download
memory/4364-4-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

Filesize
64KB

Download
memory/4364-1-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

Filesize
64KB

Download
memory/4364-569-0x00007FFD26DB0000-0x00007FFD26FA5000-memory.dmp

Filesize
2.0MB

Download
memory/4364-2-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

Filesize
64KB

Download