bb949bbd9084851dde732678a6dbfefca7628df752cb8a7ada6ccecd55c14b93

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb949bbd9084851dde732678a6dbfefca7628df752cb8a7ada6ccecd55c14b93.xls
Size

408KB
MD5

12280821eb7e23095d873ae109f6b675
SHA1

cc6bfbde43e20a9aa6ec5cdb4d8edaddf6c9d530
SHA256

bb949bbd9084851dde732678a6dbfefca7628df752cb8a7ada6ccecd55c14b93
SHA512

212e3dd29cbfbf8567c4b082c6b158ecede03daa432c6547a58f8154162ac5d83307927aa964962fc1b2f81c996d9d790a97b1ff8373efd3197eb64c6d2f8241
SSDEEP

12288:9qFzu4Ljxcp3m5cnINJVStxdtBpghLi2:azu4LjxEboStxdfpui2

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1728 EXCEL.EXE
1168 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1168 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	1168	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1168	WINWORD.EXE
1168	WINWORD.EXE
1168	WINWORD.EXE
1168	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1168 wrote to memory of 4468	1168	WINWORD.EXE	splwow64.exe
PID 1168 wrote to memory of 4468	1168	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bb949bbd9084851dde732678a6dbfefca7628df752cb8a7ada6ccecd55c14b93.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA

Filesize
2KB

MD5
b2973e96273fe840b4a132c0b1282697

SHA1
66bfe78a2f8cb9b0de54a2778be3e6042f4eda27

SHA256
c22fc4c44df4307fdd018fe841e7d0d26aa4902864751878f01dfc34a49b3c9e

SHA512
724fad4202c6c8730c53cb44b28338d8b901e1b21b4cf2d34d120cc9030ed2f6c392f8b5765001016f7176c829b6a02b0c90df7dbc1f4b0973dc5ef75c9db8b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
1KB

MD5
e59f7b1b4ba2d190bcc16704c4d0ae4e

SHA1
29bbe983e3ed093e2dfe9c8aec56908cfe49e733

SHA256
7adc35c083730086749fb125a8ea63fb19dc47553c135007e44cbde354e6ae44

SHA512
51aa926cf63ebd85dce9f233bdb5e1d14e1af163f4c1ae014b397bb45aa71373d2e4bb3a9d219bbdb8c308984e2d71a26d71b34bcd8a7b1aa3e9192115f7bf8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA

Filesize
482B

MD5
9090636308d3e6217828b95c363752cc

SHA1
82dbdd9d79d9d38b6a0d0d99ff76c65e26d9620e

SHA256
b4a4a54f6cf435c925afee46d40439654c63b9b141aca52919b90213a1744ebe

SHA512
d362ae7b5aba8320a2db2db24650a7210a18e3a188bc5b1cf5348555e4adbbe82f3cc723a9c4d96f43e56e85fdbec2d492efd3730ee7e4b7996be4d798438d46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
486B

MD5
17382aa0c210c53cec159ea412ff49ad

SHA1
f3f5f3e61d0a39dacf884532b2a9ae1ba8003f11

SHA256
f5c860f36c4f3e2449c0d87a64238eaa08bad85205d7fd64e2a0d8699e1d6313

SHA512
36f17516c385735be90227ab8d4b15585efc86a61fb6565356636ff8155b17a4c1ba81a6e25d0e3d4805dbf8f8f18d1b7d94e73798927135ddbdbfb31435c3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AABEEBAE-B0C3-4701-BC87-8D43B3FA5A7F

Filesize
161KB

MD5
826497aaf6453117d6e8b0c522b4b7bd

SHA1
fed0b7522e4415b25f7ac3919d71b70f6d80f973

SHA256
185a48aaa6a4a0e3e6c1dfe6777dccefee84a4c5919b46fb4cc129ea94a55c9a

SHA512
5a215fba3614f685ac583d9202478b00790b81ae26d7072c85971ce3223c148b0c836e5ffc09712e745771059c8fb6163fcccc69951997db504cbc4f5ef023fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
c4709bf6f208c4b98b58bf6e0cb05f9e

SHA1
dfc2e1d083185607eda85a362ed5b4f0587dae7c

SHA256
7248237aabda29702710257a28eff51983603a327e61ea39e76061094cb29efd

SHA512
cd2a37d382b6ba9f33956d42edaa16caa7dd1c94530fe860d19b101cc449fbe74c78a44ea54763778b32a7488a9691256d9f64656b24a559cc72735f86439cf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
ff35ceb4b814dc89839dce97241b63d8

SHA1
e3ac6c896002ecc907897f1eea93e767862e1550

SHA256
dad58082985f117542f0cbc5bbb3834e84e3ef718544cd28311b20562af5f478

SHA512
ca97d974d92b62ce3918c9a224bc20b86acbe7067ed057e33c9cc104ed7a6ef5093ba678f5902baac4498de90ff96eab1d3f936237501e1535f2908100788099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
936110345948f3129d14af6091d17292

SHA1
14f33a49cb956d760d2798019f32f2f2c277dbeb

SHA256
8bd8f227543513b1286455f8ab73abcc5eae266b86d8885248eb22c3657d01f6

SHA512
23a1db01062853cf23d8b4e9e870841797d757a9486a601254afafd3a5ba1666923d559cdc0c58bf7d932954dd5d393525575327afdfc414d5fd5cc749bbf0fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\lionsaregreattheyknowhowtotreatothersbeautifullytounderstandentirethingsgoingtobegreatalwaysgreatnothingunderstand__sheislionbeautiufl[1].doc

Filesize
32KB

MD5
229327068cf40e9804185ef47f640a70

SHA1
3d4012063327219a81eebf1564d10fcf5b51bf3c

SHA256
4d602a8f2f0991f334738912e80a99ed7f36e98d6538a493ae3eab73461a374f

SHA512
7273b52b5bb09f1854710c7f1f02fad72c9570a425c563f9e855b2563562d31c9e8bdb778225dcde17e14009af9a9541f4aff174e072da22e0569de9db1bf1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDAB3D.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
231B

MD5
da0b6270b217c4bc71142973ef8eed1d

SHA1
8c982ce08f15a3c9dcd38cb702af694f6822e5de

SHA256
adbfbdc160d46b48a1e7fee2fce0fc3f1fdd57d078dd67e8b4d400f4aa01078a

SHA512
10cc30111e009a5a146aa6cb73d9b3f0ef4a3132e0f33775202348d8af4cbb7d60fd239f292bf6592665851693b85ec2b31168135180bd604df55107d855eef2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
6deda89f693b29b9144f95d8bb4a007a

SHA1
bf724910530e6bb6d765c21c4855d152a11ebe35

SHA256
2a833c23aee20679b4e89b61b3b0283f031470b0fe836a3f687ad1d3c5239905

SHA512
ea5e6e14c43e8fa1437c6941f8cbaeb84d0b4d5b80d5018ddb1c692d96f95468452439868e5577942412071743bf339b933d5235080d9f8272cc5bc9e6d1c520

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
5a7ab8bb8fc18f59ac8051d2b9a0139a

SHA1
d722a3e0b8438602febe381979c0f6e7e688f579

SHA256
e92c1176dd03925dbe7749fb8e0e655e083272fb2f756301aec0683b13a497b3

SHA512
ff341587bdd0992a6d5fed6262d337af4d2366aef02b53d3a206ad13d8180708bc365957bca9e3a387299783b5dc22377f2e87aa3de4bc608bb1d0e051f452db

Download Submit
memory/1168-42-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1168-43-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1168-580-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1168-46-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1168-45-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1168-40-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1168-41-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1168-44-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-15-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-9-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-6-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/1728-2-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/1728-13-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-17-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-16-0x00007FFE36AF0000-0x00007FFE36B00000-memory.dmp

Filesize
64KB

Download
memory/1728-11-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-14-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-12-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-10-0x00007FFE36AF0000-0x00007FFE36B00000-memory.dmp

Filesize
64KB

Download
memory/1728-1-0x00007FFE78E2D000-0x00007FFE78E2E000-memory.dmp

Filesize
4KB

Download
memory/1728-8-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/1728-5-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-85-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-86-0x00007FFE78E2D000-0x00007FFE78E2E000-memory.dmp

Filesize
4KB

Download
memory/1728-87-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-88-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-7-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-4-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp

Filesize
2.0MB

Download
memory/1728-0-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download
memory/1728-3-0x00007FFE38E10000-0x00007FFE38E20000-memory.dmp

Filesize
64KB

Download