47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pepsico LLC Company Profile.xls
Size

111KB
MD5

9eba63f385b6efcc868f163cc53e5ef6
SHA1

8da5ad24a8a94e035b473f82e03a57740413998d
SHA256

47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75
SHA512

6c47a8bdfbc30422ab8805fb98f454ee8b71f65057e334a0ee7723a90d2e864efa44b02e98a3984f315222065002d3cb8894b99734807f78045811597207f342
SSDEEP

1536:VU0BRPw/jF2gE+wxQAOhUMqTjfktX/t/qr2ml8Vvygn05kTheDm/:y0WF2F8ATjio2fVvr05ehe

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1828 EXCEL.EXE
3960 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 3960 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	3960	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
1828	EXCEL.EXE
1828	EXCEL.EXE
1828	EXCEL.EXE
1828	EXCEL.EXE
1828	EXCEL.EXE
1828	EXCEL.EXE
1828	EXCEL.EXE
1828	EXCEL.EXE
1828	EXCEL.EXE
1828	EXCEL.EXE
1828	EXCEL.EXE
1828	EXCEL.EXE
3960	WINWORD.EXE
3960	WINWORD.EXE
3960	WINWORD.EXE
3960	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3960 wrote to memory of 5008	3960	WINWORD.EXE	splwow64.exe
PID 3960 wrote to memory of 5008	3960	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Pepsico LLC Company Profile.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:5008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
2KB

MD5
b2973e96273fe840b4a132c0b1282697

SHA1
66bfe78a2f8cb9b0de54a2778be3e6042f4eda27

SHA256
c22fc4c44df4307fdd018fe841e7d0d26aa4902864751878f01dfc34a49b3c9e

SHA512
724fad4202c6c8730c53cb44b28338d8b901e1b21b4cf2d34d120cc9030ed2f6c392f8b5765001016f7176c829b6a02b0c90df7dbc1f4b0973dc5ef75c9db8b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
1KB

MD5
e59f7b1b4ba2d190bcc16704c4d0ae4e

SHA1
29bbe983e3ed093e2dfe9c8aec56908cfe49e733

SHA256
7adc35c083730086749fb125a8ea63fb19dc47553c135007e44cbde354e6ae44

SHA512
51aa926cf63ebd85dce9f233bdb5e1d14e1af163f4c1ae014b397bb45aa71373d2e4bb3a9d219bbdb8c308984e2d71a26d71b34bcd8a7b1aa3e9192115f7bf8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize
471B

MD5
133946709da45a7b28e009fe1f006cf6

SHA1
30d2ecf48ea55c52e38cf49acaa5e995bf40c440

SHA256
6cd6f655353d603edea24e06cf428ebfe246e52e6ebbd5411d98ca4bfd11e060

SHA512
ca2d8f971ba8a177d3d9c2e397965283aa2e356f2a676173815c4f6f20d3153a7becfd23b194fb3d3ba02398c5ab9f9451f484a7fe310707be5976807e889e09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
482B

MD5
940d871e0ac28211a7aabce1a9552205

SHA1
b4dc1196ae7083bad6285fdd0bb59f70262e151f

SHA256
fdf9889510f0b1ed0264371365b768f08be09739598ec430202cae08d1d3e651

SHA512
db4ae6b1a24d156e858fdd9b53b63cf5a4e923995d0bf4ac73702e3d5b843319d1f7006582bac9db588cd8791b745cb4aad30f350650ae79e5ad11e86ebe4af5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
486B

MD5
d7f2a372327588dafb5a83600256194a

SHA1
7921a0603bbd301f71f1693966267ff4a8e39a44

SHA256
084baa242a3727b70654b02b8fe2b843045f5f48f4799f9b51d6a72ec135dd7f

SHA512
248c89d98a17d7dbde8668b5d24c7d04aaab704334c6fe4b3c78e79be27338be1da7ffaf4edd6ea562c5c6b62638022c8e0b2af6ae650ac74753b284e02ed6bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize
412B

MD5
d4deca0871f48379b652ac338c4a9b63

SHA1
889a313b292e966ed243cc460ff3c172e2d9dd35

SHA256
3dd53d43cb85f8a5d6bf59be7461d3bca55ad81af1745e22db6a2b1e43530e6c

SHA512
45785c5c714b5a6f5d392c055f05cf71e4c14ad6bca2b56886a5a474f9d9f190db70d9413ac4312a3ae0a74a7c2f3e915b370ad0c2b8807c4490af0219ba223a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EFC20038-8FBC-4242-A674-C18922281144
Filesize
161KB

MD5
e93f6df034d7efde37b757b702d0c358

SHA1
dde3571bed7f99abeda5c201ff2e29f0747f2ddf

SHA256
5f18f25e716d2afb93cc9043042bec5b25d2d05a232a2ad8109160e5c6341fd6

SHA512
4171a842a05d3b700d8bfd948181f1ddd507e5f6b37c1e31b12a8261991a4d4a50350303c2f27840bde1bc916dd96aebba0fdb8dbc42bbcb69352f4f6d3122f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
560e03ecf1f8c0bc394db94ff2a65b5a

SHA1
912f9c9af143e94027eaffea2597e02e96ca5faa

SHA256
a4209ce6b36f2297a7ce3a76468058ebf17f2b8432fc33006d6dd986f8e8135e

SHA512
b1d6bf3fd4477105a6ffccba4ca92b3b760ad319abc95cce9067166482a8c84392ef9708a8f5d5ee4bc080272c2368b4c44ad287c006b8c65ee3bf71e9c850bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
e991b894b5db1632d6f2487b3145fed4

SHA1
6d901a96c8e8ba12383d1da08c6ec1e6ce491954

SHA256
78a0317c4fefdb7cd6b99b3965e69eee4838dd68950d9e6bd5263dd25d23d0ff

SHA512
52954bec0c9f704d6331efced9058016194161c557ff3780faf82f947541de79fb2359ace8dc0329a92b5f62d617e298125c3f0a7efc14e4a025fb456f951729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
d9330128952f4054eec1a9b2b3fd0f90

SHA1
f01c210ffd0c76039d7dfbd4c577cb4f2c1b9084

SHA256
d6f3bca3fc7d4dea9d9c20e90472748371a7d01af16014fa0cffbab21cd508f5

SHA512
c6eeeb3bc1aa0fed4650461cdcc68e44b09b2f112cd25b001a82206b52e9790623418d7218cc9fd485b6b616140b2bdc3c773c4881370fa95e5da4ebd51a7fab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9O7X9C7J\lionisthetruekingsofthejunglewhichcomaprewithtigerbecauseoftheattitudelionalwaysliontounderstandthepoweroflion__kingofthejnglelion[1].doc
Filesize
34KB

MD5
0305665fe64e9a6f1ece3d43bc5d5112

SHA1
10460b71c923225d6c368a96a7c0b7058bd65b54

SHA256
dc579de78c6ed74c526d2f3eabc5d486dcf1a046159e5eda72b1f232e495b6f2

SHA512
f359b47159ecdbbbc83e76ed00295cdd279289db6333b83d03e2a111dfb26ce873d08938345fd91083df4661253a8da26972d8cb3bc9ce93ac7ff72611f07b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9906.tmp\iso690.xsl
Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
231B

MD5
30367aca0fa7da71b17deb16cea2655c

SHA1
305e05a1d80fe85e8614dcab61bfa6208d3f8cde

SHA256
c59ac5d670af99a8e17930767fd840817fb8ff182818387e51dd8e88b35f1b45

SHA512
bc9add6972f6d0d4bf06249d3e55979dbdd158e0ea01f8f014d0d8d51846625e2862f3fd1b86d91c5569820af3c4cba0c6b7e1b9fd9617364a9ea35731ab91be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
3bf04c1064c49d3e88d245716a9a625a

SHA1
6cc466520b37a027da06e170bbf65aaedb068508

SHA256
3966506f17ce969735aa6b7e6ace365206858ff6a629bd99d7bf8dfb1844a78d

SHA512
72e8504141d31d844b06405bb29eac224b5405db3574604e735f1f825838410373f39729244b55861470d196c576fe55adcdcf9734c64adb77d775b4b73896bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
0bf3dac2e8ecdd3ac112faaa027fbe5d

SHA1
3002640d131861b1a820108ef84b1a9e9b6082b6

SHA256
43f45dd1ff9b278cdb80bd5bb5aa4e45779f81672f905557f8bb5a66c803004e

SHA512
eb1f3d1181f7fc98a56fafd745b6d14df83e4b1aa2ea8d4614465dac09bb05f5a0f8680016a0ccfc8b830d36e6734b67fdc18d6387d5e3e3476563cd15db88d3

Download Submit
memory/1828-17-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/1828-15-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/1828-0-0x00007FF840FD0000-0x00007FF840FE0000-memory.dmp

Filesize
64KB

Download
memory/1828-18-0x00007FF83E700000-0x00007FF83E710000-memory.dmp

Filesize
64KB

Download
memory/1828-5-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/1828-4-0x00007FF840FD0000-0x00007FF840FE0000-memory.dmp

Filesize
64KB

Download
memory/1828-3-0x00007FF840FD0000-0x00007FF840FE0000-memory.dmp

Filesize
64KB

Download
memory/1828-6-0x00007FF840FD0000-0x00007FF840FE0000-memory.dmp

Filesize
64KB

Download
memory/1828-7-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/1828-8-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/1828-16-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/1828-1-0x00007FF880FED000-0x00007FF880FEE000-memory.dmp

Filesize
4KB

Download
memory/1828-14-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/1828-2-0x00007FF840FD0000-0x00007FF840FE0000-memory.dmp

Filesize
64KB

Download
memory/1828-13-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/1828-12-0x00007FF83E700000-0x00007FF83E710000-memory.dmp

Filesize
64KB

Download
memory/1828-9-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/1828-10-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/1828-82-0x00007FF880FED000-0x00007FF880FEE000-memory.dmp

Filesize
4KB

Download
memory/1828-83-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/1828-84-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/1828-11-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/3960-44-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/3960-42-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download
memory/3960-576-0x00007FF880F50000-0x00007FF881145000-memory.dmp

Filesize
2.0MB

Download