47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75

Resubmissions

22-05-2024 09:38

240522-lmablaag68 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pepsico RFQ_P1005712.xls
Size

111KB
MD5

9eba63f385b6efcc868f163cc53e5ef6
SHA1

8da5ad24a8a94e035b473f82e03a57740413998d
SHA256

47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75
SHA512

6c47a8bdfbc30422ab8805fb98f454ee8b71f65057e334a0ee7723a90d2e864efa44b02e98a3984f315222065002d3cb8894b99734807f78045811597207f342
SSDEEP

1536:VU0BRPw/jF2gE+wxQAOhUMqTjfktX/t/qr2ml8Vvygn05kTheDm/:y0WF2F8ATjio2fVvr05ehe

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2092 EXCEL.EXE
4256 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4256 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4256	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
2092	EXCEL.EXE
2092	EXCEL.EXE
2092	EXCEL.EXE
2092	EXCEL.EXE
2092	EXCEL.EXE
2092	EXCEL.EXE
2092	EXCEL.EXE
2092	EXCEL.EXE
2092	EXCEL.EXE
2092	EXCEL.EXE
2092	EXCEL.EXE
2092	EXCEL.EXE
4256	WINWORD.EXE
4256	WINWORD.EXE
4256	WINWORD.EXE
4256	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4256 wrote to memory of 2848	4256	WINWORD.EXE	splwow64.exe
PID 4256 wrote to memory of 2848	4256	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Pepsico RFQ_P1005712.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
2KB

MD5
b2973e96273fe840b4a132c0b1282697

SHA1
66bfe78a2f8cb9b0de54a2778be3e6042f4eda27

SHA256
c22fc4c44df4307fdd018fe841e7d0d26aa4902864751878f01dfc34a49b3c9e

SHA512
724fad4202c6c8730c53cb44b28338d8b901e1b21b4cf2d34d120cc9030ed2f6c392f8b5765001016f7176c829b6a02b0c90df7dbc1f4b0973dc5ef75c9db8b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
1KB

MD5
e59f7b1b4ba2d190bcc16704c4d0ae4e

SHA1
29bbe983e3ed093e2dfe9c8aec56908cfe49e733

SHA256
7adc35c083730086749fb125a8ea63fb19dc47553c135007e44cbde354e6ae44

SHA512
51aa926cf63ebd85dce9f233bdb5e1d14e1af163f4c1ae014b397bb45aa71373d2e4bb3a9d219bbdb8c308984e2d71a26d71b34bcd8a7b1aa3e9192115f7bf8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
482B

MD5
425a44bd37ecd3130ee104cd1db78928

SHA1
5543e12c0196ac8d2645cc74c485acca0cb1a989

SHA256
51d86541e81947c2cc0284a78f6b6cbaa01a0c66dd1ec7d71d6ec20b8c2cc23a

SHA512
f60fcfd8802988e57172b0c168f0dda4db6fa2898d42bdf47b47d8558049ee39f3e2fbe6762477c0e0eade1688955a23898134df05f38ee04d470360eb4cc230

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
486B

MD5
e2634f776926c35176dfc1d9775b20be

SHA1
ea31028060f9dbe7ff33e6ae370737635e5ca609

SHA256
9c8f48b4a8c5a41e5f367bd372f8fcb9aa08895715354885872d1bc81304d829

SHA512
272178b3b0871c6c88f4297c72a3dea0c50a81efdaf57dd0606858ea50b982a976e05a351604070dde595455e88b0b66ca74ea15686094a2d2cd6910931cd8df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\607482D3-C446-44A1-B79F-436E072C9B9A
Filesize
161KB

MD5
1e0b0fe7a20c6b3adb14c589c7ffa45c

SHA1
33a47d960f7828d7ffbcd05e21504938f39fd43f

SHA256
f1443a97cc1c56fba8acca57ad2e1deeee628cdfa0f767e1e21c2941fec42fb5

SHA512
86f38e461d895d0c5ba2812cc64b966f00c5492374818cbd57d2cb80321751a53b4bfe3e95b7600ef830cd213e63c97199dc222c98c8de9e940b7ca733a1aa0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
2a8b39d144ddda0e513e6424ad42d999

SHA1
478b8e185ad4753d062eaa7d85c9d85fd17a2ac2

SHA256
4c70776f991773ab2a5b9787b23b40470e31a59585725af7d594f7333bb2f0fd

SHA512
7a39abba8c8f98d1e4f7a2781a4ef9cf3d51893d8ed844bcc684b03d1d8a46c232a27f0ab63ea46d537674cda95463c1964e2d497e67146fe7cf5e3e118b1372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
80e01f09fe33c169502027f985a050d8

SHA1
83a4b806d834a879854a325e1bd0c9fb7c3e1875

SHA256
e8e1ae05fa5ca648066ec7be9e2bd08d61a623701cefb295a84002f075d102dc

SHA512
3c979d8edb34c4c52705f802a4ef46604c6812faf0597cc77d0e53915b79b9579237c610cb14d106219e37790bb2102abe5ae4f8af40db0280d88fcd896b7f6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
b6ab773f68f74a258bbf35e2b8727045

SHA1
00a318b376b936ff57f29f584106cff4aaca6734

SHA256
48ad31dc13af1cb11c7143e14031ae55545de2943a637c51cb8fb7a92c315663

SHA512
3ffb1abcf5480b798fdde4013f0c1dcec7d1b3c99bbefde36b566a7b14004f3d9076d0628d803a681eec54413c998f59775623e6cf23e61bff4732a44f216d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZURVPW13\lionisthetruekingsofthejunglewhichcomaprewithtigerbecauseoftheattitudelionalwaysliontounderstandthepoweroflion__kingofthejnglelion[1].doc
Filesize
34KB

MD5
0305665fe64e9a6f1ece3d43bc5d5112

SHA1
10460b71c923225d6c368a96a7c0b7058bd65b54

SHA256
dc579de78c6ed74c526d2f3eabc5d486dcf1a046159e5eda72b1f232e495b6f2

SHA512
f359b47159ecdbbbc83e76ed00295cdd279289db6333b83d03e2a111dfb26ce873d08938345fd91083df4661253a8da26972d8cb3bc9ce93ac7ff72611f07b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA691.tmp\gb.xsl
Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
231B

MD5
30367aca0fa7da71b17deb16cea2655c

SHA1
305e05a1d80fe85e8614dcab61bfa6208d3f8cde

SHA256
c59ac5d670af99a8e17930767fd840817fb8ff182818387e51dd8e88b35f1b45

SHA512
bc9add6972f6d0d4bf06249d3e55979dbdd158e0ea01f8f014d0d8d51846625e2862f3fd1b86d91c5569820af3c4cba0c6b7e1b9fd9617364a9ea35731ab91be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
7e465625da3f9ea04bf499a3561ae381

SHA1
bcac63ca59e6cb1e5097a0176f563ecdc6c92d61

SHA256
6c5347fed1451d37db9ccf93778faabee6df455c7963a21ea8582428ffa32746

SHA512
dadb2180c4839d886a42b73504b1d25b1621c9fb86c1486ec09210467ed7b033c94863012c997475378908da4d3f823c10858e0806a3ffeb9a56680c930ff6fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
e49e48e1a6cbdc4a5bb1089e669b19a6

SHA1
f8dd64c2e80f834a541791af12b3036186327b2c

SHA256
03d0e5529b9c018f4f99e460426c5d1a5133c888eeff2fcdd5b205e9aa322420

SHA512
4a018e7ba8f1e2e234d886894effb33485d9fe3b0e73ba93567682fa04de0f641c91df5c8abd3a5a2a2f6a8499b267192daa40bd81fb575563b4d0af39321af5

Download Submit
memory/2092-9-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/2092-3-0x00007FFB61FD0000-0x00007FFB61FE0000-memory.dmp

Filesize
64KB

Download
memory/2092-17-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/2092-16-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/2092-15-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/2092-1-0x00007FFB61FD0000-0x00007FFB61FE0000-memory.dmp

Filesize
64KB

Download
memory/2092-0-0x00007FFB61FD0000-0x00007FFB61FE0000-memory.dmp

Filesize
64KB

Download
memory/2092-4-0x00007FFB61FD0000-0x00007FFB61FE0000-memory.dmp

Filesize
64KB

Download
memory/2092-80-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/2092-14-0x00007FFB5F7D0000-0x00007FFB5F7E0000-memory.dmp

Filesize
64KB

Download
memory/2092-13-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/2092-11-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/2092-12-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/2092-10-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/2092-2-0x00007FFB61FD0000-0x00007FFB61FE0000-memory.dmp

Filesize
64KB

Download
memory/2092-8-0x00007FFB5F7D0000-0x00007FFB5F7E0000-memory.dmp

Filesize
64KB

Download
memory/2092-7-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/2092-6-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/2092-5-0x00007FFBA1FED000-0x00007FFBA1FEE000-memory.dmp

Filesize
4KB

Download
memory/4256-43-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/4256-44-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/4256-42-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/4256-39-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/4256-41-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/4256-572-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download