47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pepsico RFQ_P1005712.xls
Size

111KB
MD5

9eba63f385b6efcc868f163cc53e5ef6
SHA1

8da5ad24a8a94e035b473f82e03a57740413998d
SHA256

47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75
SHA512

6c47a8bdfbc30422ab8805fb98f454ee8b71f65057e334a0ee7723a90d2e864efa44b02e98a3984f315222065002d3cb8894b99734807f78045811597207f342
SSDEEP

1536:VU0BRPw/jF2gE+wxQAOhUMqTjfktX/t/qr2ml8Vvygn05kTheDm/:y0WF2F8ATjio2fVvr05ehe

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4384 EXCEL.EXE
724 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 724 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	724	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4384	EXCEL.EXE
4384	EXCEL.EXE
4384	EXCEL.EXE
4384	EXCEL.EXE
4384	EXCEL.EXE
4384	EXCEL.EXE
4384	EXCEL.EXE
4384	EXCEL.EXE
4384	EXCEL.EXE
4384	EXCEL.EXE
4384	EXCEL.EXE
4384	EXCEL.EXE
724	WINWORD.EXE
724	WINWORD.EXE
724	WINWORD.EXE
724	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 724 wrote to memory of 1972	724	WINWORD.EXE	splwow64.exe
PID 724 wrote to memory of 1972	724	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Pepsico RFQ_P1005712.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:724
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA

Filesize
2KB

MD5
b2973e96273fe840b4a132c0b1282697

SHA1
66bfe78a2f8cb9b0de54a2778be3e6042f4eda27

SHA256
c22fc4c44df4307fdd018fe841e7d0d26aa4902864751878f01dfc34a49b3c9e

SHA512
724fad4202c6c8730c53cb44b28338d8b901e1b21b4cf2d34d120cc9030ed2f6c392f8b5765001016f7176c829b6a02b0c90df7dbc1f4b0973dc5ef75c9db8b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
1KB

MD5
e59f7b1b4ba2d190bcc16704c4d0ae4e

SHA1
29bbe983e3ed093e2dfe9c8aec56908cfe49e733

SHA256
7adc35c083730086749fb125a8ea63fb19dc47553c135007e44cbde354e6ae44

SHA512
51aa926cf63ebd85dce9f233bdb5e1d14e1af163f4c1ae014b397bb45aa71373d2e4bb3a9d219bbdb8c308984e2d71a26d71b34bcd8a7b1aa3e9192115f7bf8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
133946709da45a7b28e009fe1f006cf6

SHA1
30d2ecf48ea55c52e38cf49acaa5e995bf40c440

SHA256
6cd6f655353d603edea24e06cf428ebfe246e52e6ebbd5411d98ca4bfd11e060

SHA512
ca2d8f971ba8a177d3d9c2e397965283aa2e356f2a676173815c4f6f20d3153a7becfd23b194fb3d3ba02398c5ab9f9451f484a7fe310707be5976807e889e09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA

Filesize
482B

MD5
86cd4c8906890d4148c604d5d12f5c77

SHA1
b4db776f1ab9f7d9952e484c2f8264645e899c77

SHA256
0902ffa500d452bf72db30798319d2b5c88240114076830b31df1ac9da9e952a

SHA512
efbdced1f6e1daab917a32e09fdcc120eab9280735f857473a20128004faf80825d1dff4d5232f49d5169ae414c1e26c4d2f579390b51b27b6304d64c89a11c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
486B

MD5
498cdba47d53f5792fc8aed6aee2408c

SHA1
97fa19064a48f1c16adfb203f0f903febea17fd3

SHA256
3eb3871dc895c0461e6c7fa5407108ce9d14955df560e0438cbdb8ee9dac6088

SHA512
23f372d7076836c579d1d53f1018053174b1b539095988fa785f9e00bb11894c7d504d78973eb5c3a4fa2d5a57c4997bd5b11033555a03a9b9422524e9fcbf2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
19884499bbaffbf2b7866082e2f60dd6

SHA1
bf5ab7b423c38684b35fad14a572171ff101b906

SHA256
dee9aca9569fd8f4a68f30f99b7074aac9a449a0bf74ea9fa36ce70e421bdbb8

SHA512
c1a2abc87cf206701662e3d4c50ec0deddbe027028fffb6c084eafde783c979f7a5468dbc62265d639bfe984d8d40ac03d3e26bc2a7d2dcef76f23b339c0eb24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\57805509-6CCF-4423-B4BA-4ACDDABB95C1

Filesize
161KB

MD5
6329971978da390f17bb71f4d869da2d

SHA1
ac7f36653375d3ef792e50c207274c68a4194288

SHA256
668ec38a30a98eeb67a99dbd9bcfa9ba973e6cd081f88f471fff30172f0e7167

SHA512
3b78a08244ba29b387bddd1444d66a168d6b77fb21c3236ca8a262a50e54a31d2a8ccfe83eb964c6d2011356358827ddd277949dc15424a5ef406efd3baf5e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
a59b28f020b2af41d128561513305424

SHA1
94b22a6491b05ce78c2a996aabfa7ec5501ad604

SHA256
ab6bfe6e00b806da3990823c4688196bde3f0fabd29531bb613ec9c663da6171

SHA512
a77ea4f8522337213e816292d374d7fd370ba37766e69bcffd0b0241456ca1c91e11b1b1f77447b68e7683a8b87ddf1d5c38118a7dad562d47b3285560d496a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
b95c397a0491b124b939c2197217a3e7

SHA1
8c7fe09cd93f8d48793c06b52690336550a7f5cf

SHA256
39717597b1a37f9ba262717fa446aa02339f3186eda123ef7d66b758af61df2b

SHA512
d2b6afaedb0f9ba56de8d23cf76fcb2073bb061b31474c460eef438df1d094db74e4458d15b75b9898daaaedb52985c108785b049938726d57e448c4c7c45db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
9361c8f247f2cea37f1203a0e11d2a95

SHA1
ae472cba30d68cc3c520e6fa4a85abe168ddd8d6

SHA256
efc84691b1c22adf99afcc9c6045ac29073ac8d5f69c809b4cae03e70c07a8b2

SHA512
5212d4d9357a3a2d9f70050e97b08519d6a581d5a94c55311b50c567d6bfea0aa59c7890601806b8c43a2fdd51d712d31d4a7d537be5455da7b0e676b81d36b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMMYN4JX\lionisthetruekingsofthejunglewhichcomaprewithtigerbecauseoftheattitudelionalwaysliontounderstandthepoweroflion__kingofthejnglelion[1].doc

Filesize
34KB

MD5
0305665fe64e9a6f1ece3d43bc5d5112

SHA1
10460b71c923225d6c368a96a7c0b7058bd65b54

SHA256
dc579de78c6ed74c526d2f3eabc5d486dcf1a046159e5eda72b1f232e495b6f2

SHA512
f359b47159ecdbbbc83e76ed00295cdd279289db6333b83d03e2a111dfb26ce873d08938345fd91083df4661253a8da26972d8cb3bc9ce93ac7ff72611f07b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD8E07.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
231B

MD5
30367aca0fa7da71b17deb16cea2655c

SHA1
305e05a1d80fe85e8614dcab61bfa6208d3f8cde

SHA256
c59ac5d670af99a8e17930767fd840817fb8ff182818387e51dd8e88b35f1b45

SHA512
bc9add6972f6d0d4bf06249d3e55979dbdd158e0ea01f8f014d0d8d51846625e2862f3fd1b86d91c5569820af3c4cba0c6b7e1b9fd9617364a9ea35731ab91be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8TEOGDSJSN3BHO8AH2O8.temp

Filesize
5KB

MD5
b74ea23d50cb272732b8d4bf5ff6fa1f

SHA1
7f267b9e4791e36bf5808fbc75a42841e76805ef

SHA256
ff033285077ef024e2698d379265530f37524250e42904bc5bc099c08ee129b9

SHA512
115f821b8e1748b81e763c22969dd83d877c83f34132288ff6e23523c8ba798430f6afa4f25fd64ba8fef0416f4bd1ad4ec2c20b4c90a32e7ca16260ef4ed1bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
967380bf301b650813477d3d28a52d40

SHA1
c32e1780235a4cc989058d1e7b582617747a930f

SHA256
ae85b52fc9c78271d48376aac6e1e120dc71175d90552ff7f32d5063f4625b52

SHA512
77bd4352b0601bbec9ea746d04feb9b980504ea71bd983a3579e83db0d1240ff72b6aa1aebd70b9d510181fa997af8635b7578b6f0ba82b60ae160d822417b2e

Download Submit
memory/724-42-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/724-43-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/724-576-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/724-40-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/724-41-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/724-45-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/724-44-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/724-46-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/4384-13-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/4384-9-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/4384-15-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/4384-16-0x00007FFA7FD30000-0x00007FFA7FD40000-memory.dmp

Filesize
64KB

Download
memory/4384-17-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/4384-12-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/4384-14-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/4384-11-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/4384-8-0x00007FFA7FD30000-0x00007FFA7FD40000-memory.dmp

Filesize
64KB

Download
memory/4384-0-0x00007FFA81D90000-0x00007FFA81DA0000-memory.dmp

Filesize
64KB

Download
memory/4384-7-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/4384-6-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/4384-4-0x00007FFAC1DAD000-0x00007FFAC1DAE000-memory.dmp

Filesize
4KB

Download
memory/4384-5-0x00007FFA81D90000-0x00007FFA81DA0000-memory.dmp

Filesize
64KB

Download
memory/4384-84-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download
memory/4384-3-0x00007FFA81D90000-0x00007FFA81DA0000-memory.dmp

Filesize
64KB

Download
memory/4384-1-0x00007FFA81D90000-0x00007FFA81DA0000-memory.dmp

Filesize
64KB

Download
memory/4384-2-0x00007FFA81D90000-0x00007FFA81DA0000-memory.dmp

Filesize
64KB

Download
memory/4384-10-0x00007FFAC1D10000-0x00007FFAC1F05000-memory.dmp

Filesize
2.0MB

Download