d9a36f96f6d7263584d9d7ef75116e6f3361b989ef59df225b53ee826654373d

Analysis

max time kernel
101s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Enquiry No. 2421005.xla.xls
Size

288KB
MD5

c0ebdb60b864fa2e67de7ce936940fe7
SHA1

cd7d188d435223ef0ecc0b1b7288ad9e6b4ff1e6
SHA256

d9a36f96f6d7263584d9d7ef75116e6f3361b989ef59df225b53ee826654373d
SHA512

8e677a80609a7d54008b319836cdbd60747ade9f3ec74670617f33f68a3c9f6db768c3e9e2d2e8d9d162a930f35c19585300bcdd83f3600b90544b6b6cd52f0c
SSDEEP

6144:96NCLXoD6NCLXuc2gfBsHPUacczIoQva0FYnbDjXSR8CBMzWEDS9V5hqc:96NCL4D6NCLeCfG8kMva0FYXjQFTf5h

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4540 EXCEL.EXE
4144 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4144 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4144	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4540	EXCEL.EXE
4540	EXCEL.EXE
4540	EXCEL.EXE
4540	EXCEL.EXE
4540	EXCEL.EXE
4540	EXCEL.EXE
4540	EXCEL.EXE
4540	EXCEL.EXE
4144	WINWORD.EXE
4144	WINWORD.EXE
4144	WINWORD.EXE
4144	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4144 wrote to memory of 3556	4144	WINWORD.EXE	splwow64.exe
PID 4144 wrote to memory of 3556	4144	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Enquiry No. 2421005.xla.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize
471B

MD5
608a0f0428e32a24eb0d796f5a972823

SHA1
df9342aa3d1fa8be89caabee60f5959a1f6272cd

SHA256
718177a404d91eee14a31f1b06ac15eecb90a9d14f458a113b2af44847279b61

SHA512
45d28a3bd9b5bb7f0ed8616ee83bedcc267d0349f01c0be349dbb1ef88d9c5a9c372a88330074b97c05fc2c0dc43598c584584803f169b8c99c1e98011d4be90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize
412B

MD5
82d7cf230f9102e86aff73aa7f407bec

SHA1
7ad5078b1065656e0b2076c39945336ba92333e8

SHA256
531c0d1c091490c43429a013f60c22f1f3d262859707ed2da2d64e4f868e3442

SHA512
5d1ac6c0f9a031a336337ae13e9bbf50976ed86b163da79d37b24fea17b8d82eef638c29a37e0740831480ead62c2cc0b756a89a49467bc46b17eb843bc8b4d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A7AD6FA1-0FBD-4D93-8AC7-224D1CAB6161
Filesize
161KB

MD5
a42274e81b590fbc2481babbcde97175

SHA1
b423e481058f8a7bc13e975f6f7230a42b867778

SHA256
e44053c538a544e1819625e91227b323c0bd74818eb01c419376ea83a60ab311

SHA512
de601fc5bf59c55eed085bb78c9f95ce4dbd82cbc3b094cbc212a2945546e3c71fef33720163dda9b8ca6d301805bab247a560d1265821fa27fc80983497ff0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
2563ed01b6b7497306bf9baa62270f8e

SHA1
7f0d292b22b0b390fff64088cbc026c86f70f408

SHA256
41b44477dad2da4e09b2af469f697d9314d8238b5df2614053c79cdff92d2f0c

SHA512
bdefb6afb7b97235340d8cb41583d019d595668ac30690e014acec0dccd0c671b1ba941b98f98defd37f48eda79feb510dffb9839821f093e50aa94c5ff5bd95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
7e6e5f2f7f3e6d26cafcc7182cc610f5

SHA1
4475290efadcba1ebdbdf9a37e5dfb298480bc67

SHA256
d22aeaad97af800786662f9ff6f940036cdf6eee06412198521945020183a03e

SHA512
fca88a043a2510846b95b3dc7ff61b27144e680943c8ea79d0e32ac8d619b0ad2cb651827d3b9ae3a8beccf8ab3212fe4829c29cff3d6ee8473597ea7ded44dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
403bd97880bd0e23e283f58e48c40283

SHA1
6154a3f2f18569a42a9c0c683c1f4dd70c48a403

SHA256
78fdd7c357d7729028826646947e8d14ba9127d42a8ec5ecbb6d10d947481fb1

SHA512
26d6bc24231f6148b2182615a99a9f8fa91bafbbd357e0659268441524186129dc81560ff1132afc4fcd5d66f2e72889169061c8c427d91febdf46772165f3f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\lionshavethebeautiuflthingswhichevennobodytounderstandhowbeautiulfheislionsarekingofthejunglewhichgreatandyearofthey__lionsgreatgood[1].doc
Filesize
74KB

MD5
aee84865f46aa4a99f5298a9100c7965

SHA1
a09c8b011dbef828e263e42d9dfbc33670798949

SHA256
638a0742d77a00830f2ae1f81bd7fdc502d594f65eaf2136a80c5577562d87af

SHA512
975a89e88a1674fd4e1bbb94c9aef647b61f33e1936b29b8f5ae02d845fb3671464b28bfd379505ff4aee44f5816a5ac10c16a6a1563e83b58b00454880296ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
234B

MD5
740b82149c69cdfdc97f83b9f892404c

SHA1
7eececd1885532e694f2e77bcbfeae2c6f45c595

SHA256
ea4ecc4711a22e7fec9fc065c1e926e2d4bcfbc53b513ad2b183547a17e6e765

SHA512
eab187017fb09eae491588ea70d96f95a2d8319cf929adcede2becc29812502bacbc50c77a18eb6b33b806e73c47ae8b56c8768fa501f183194238a13d81f02b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
34a1204e9f6476f8f9fc48a17e1958ad

SHA1
532a165fbe203be63d410e3c46088c6097cc98a0

SHA256
21628509ef87058e8e37d08f4091acdcbce6f5fdaa85219da4bf3f908408452a

SHA512
a10d0d32de761a67d4d78bf90c560208aae95efcd14ea177e06d6d91d550841dda0927b85754cb84e36521e76bea6741dcbdb494889a96d3561a95c4b1257faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
7f18ab7b6bbfcb934902bbd33247742a

SHA1
bab100525a23ae5d018201aa0e0cb7344b17d551

SHA256
19fe1a06cf903f0baab6edea50156c78defaf1b42af610d6da047d4a7bfe56d5

SHA512
4bc15e939b4a737c98c2599f7e48e7170f3664e934c8a9de9b6a70d61e3017f56f0685d587bb5303b3e1b09dfd0abe2012c27165298abba084124c88b88f7ec6

Download Submit
memory/4144-593-0x00007FF8E1970000-0x00007FF8E1980000-memory.dmp

Filesize
64KB

Download
memory/4144-596-0x00007FF8E1970000-0x00007FF8E1980000-memory.dmp

Filesize
64KB

Download
memory/4144-595-0x00007FF8E1970000-0x00007FF8E1980000-memory.dmp

Filesize
64KB

Download
memory/4144-594-0x00007FF8E1970000-0x00007FF8E1980000-memory.dmp

Filesize
64KB

Download
memory/4144-517-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4144-37-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4144-518-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4144-597-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4144-33-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4144-35-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4144-36-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-11-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-2-0x00007FF8E1970000-0x00007FF8E1980000-memory.dmp

Filesize
64KB

Download
memory/4540-17-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-16-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-14-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-13-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-12-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-10-0x00007FF8DF110000-0x00007FF8DF120000-memory.dmp

Filesize
64KB

Download
memory/4540-0-0x00007FF8E1970000-0x00007FF8E1980000-memory.dmp

Filesize
64KB

Download
memory/4540-77-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-1-0x00007FF92198D000-0x00007FF92198E000-memory.dmp

Filesize
4KB

Download
memory/4540-15-0x00007FF8DF110000-0x00007FF8DF120000-memory.dmp

Filesize
64KB

Download
memory/4540-91-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-90-0x00007FF92198D000-0x00007FF92198E000-memory.dmp

Filesize
4KB

Download
memory/4540-7-0x00007FF8E1970000-0x00007FF8E1980000-memory.dmp

Filesize
64KB

Download
memory/4540-9-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-8-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-4-0x00007FF8E1970000-0x00007FF8E1980000-memory.dmp

Filesize
64KB

Download
memory/4540-5-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-6-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4540-3-0x00007FF8E1970000-0x00007FF8E1980000-memory.dmp

Filesize
64KB

Download
memory/4540-606-0x00007FF9218F0000-0x00007FF921AE5000-memory.dmp

Filesize
2.0MB

Download