9db870a4914a69f847d996c11ec1f6da501f6abf0a715a2a1c49cf82484317bf

Analysis

max time kernel
148s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56882720_50174358_2024-05-23_203027.xls
Size

307KB
MD5

74e5490d445233f2448dce3734449ba4
SHA1

65f17e5cf0b97a21e7cb8f2f5255affe8a76b796
SHA256

9db870a4914a69f847d996c11ec1f6da501f6abf0a715a2a1c49cf82484317bf
SHA512

d47c750b13831eb77bd16b746bd137d616797dc2c11da5cbe66f5494e782dccae533e1241c07f28a55692cb60eab2c07ced5b986cd4f07794438830cbe34cddc
SSDEEP

6144:3KZvbHPkhP/sqnxxrcFviljLq2xLuFqah03KR09lTurgU:4LshP0sdcgljLq2xqFe6O9lu

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

964 EXCEL.EXE
4308 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4308 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4308	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
964	EXCEL.EXE
964	EXCEL.EXE
964	EXCEL.EXE
964	EXCEL.EXE
964	EXCEL.EXE
964	EXCEL.EXE
964	EXCEL.EXE
964	EXCEL.EXE
964	EXCEL.EXE
964	EXCEL.EXE
964	EXCEL.EXE
964	EXCEL.EXE
4308	WINWORD.EXE
4308	WINWORD.EXE
4308	WINWORD.EXE
4308	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4308 wrote to memory of 1388	4308	WINWORD.EXE	splwow64.exe
PID 4308 wrote to memory of 1388	4308	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\56882720_50174358_2024-05-23_203027.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:964

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4420

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
471B

MD5
a1ea63317f798b4a8794feed068eb885

SHA1
89145042b32e863139c8d3b67763d1aaeb84628f

SHA256
4cb414ada8d6af38feb16ac9db9da6a1480992aa217560134e02a72fb53a5b0f

SHA512
bf7b88fc2c725e62dfa3ee08ff5d246f17fb4397bd745a99546b8083586a8aea334a431275de65c454b8c46b6ab90b9e0053d30b616cba28ccf7593697ff21dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
412B

MD5
9f13dfe02bab5b71ff832d8c602640ce

SHA1
1b5ee4667f1bee48339be801d15fbbb2f37f7bdc

SHA256
73338884901fd9d362b873720191bc06956f5a219f224b5f900a8544596e6a9e

SHA512
891bd8bc6147275b41ac97c6923271517a6d0029e99546735aab7e70d563d670ac14d183648a1b612409eb6adbbc7d131905ffc09332cd48feb8bdb21fca7dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4E3CA210-F7EF-4ED1-8EE9-F5EB0AFB9C90
Filesize
161KB

MD5
4d4a3709269fabdcca5f5b9060d51b40

SHA1
8498440ee40de439123b6b78180afc62e7992ea7

SHA256
0ca06c2e09cc680142ccbfa6e22c10cad48e88ea82ce982b4c39ccee5a5cdf52

SHA512
878ebe0f3c3f470900a5841518d2156eb824f5505fc8dc099d1cccc6fe06017d44a77ba43b0636ad08a51e8271b3507481e2cda55d08e52457b4996189162839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
6e5a4a5fe9053a90486004791a14543f

SHA1
f20d7f6840a0c8b63530dc392fbd9310c8667f18

SHA256
f2e341684d938da75bee7059330729951bdb1fbb00a96b632f1d81bffe284941

SHA512
bb9c79ffb6e5c8d14966b3e8d0dafb1a9487300026ba74b862528954e1f8699332fd57af1805372165ab36a14ba180d6c7696a4f4e56f4d0a2b584d1e827c6ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
6ae8fe16a1480c5ac87db5ebf6624867

SHA1
d0d26b0f64dc7e56699d8bed45673600fd8c6f56

SHA256
0dc83240d4702e6f7bb4c5e61e9731ef3201f41e330d547e8279dfb350f54745

SHA512
6d5d9426236d2d60b002014cd996209387db02c3267160be4cc388d1c881625459a4386523c5b894be557c36079ecffd24b74d67932c8ca316c0f6779fa9799b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
fb495df1b91f3016fb5446134daf55ed

SHA1
1b2e7a8a0884124004e411451a4c7b35ef0d2cf8

SHA256
c4df3413e01551c9757e7b1bba3b2f79ac2a62512175a9d3db94d4bce40bcf76

SHA512
b1fc6ece6998d3b873df089e735f5fa11490fa2342cce40e8850d2d087da909c96ba5f4c7efed78fe47fe9172f9139fa0529d2cbf9b6eac2c3e43df34d5beff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\lionisthekingofthejunglewhosurviveentirethingsandlivelikeakingofthejunglelionkingiknowitsgreattounderstandkingofthejungleislion__reallyamazingkinglion[1].doc
Filesize
30KB

MD5
0185e99b23980e018cdb8575daa7aca0

SHA1
b4113a5798d86a93b79565999772c5cc7f137ffc

SHA256
503801ad97e7a462b68e61a70e9a59daa1a0f367fe1750c1b01d63d3642fc8a9

SHA512
aeaf4861f54c5d914ead379e26fc340ddbcee199db66ebc333d44359edccc6652db3d5cf312ef6098da3bb453bc7374e90d3cbbf4580d805d5c3e64d3bfc0ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDC445.tmp\gb.xsl
Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
234B

MD5
c00513e8ac99b020a970b969c834afca

SHA1
8795cd8303d16e69abcd69734eddc1a1825a0706

SHA256
330181db4d5839f5d64096d34d4752cd6d4ed0d100c085f2e84c3783d99149a2

SHA512
476d803f4b5a68892f7c42ce2dcb23e9933c53dde1f60689e21d31d138a0a9feab9ed573a1c70c8af4a08169971b8cf22c49b6eea206ee46e6bf96c898f40c90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
499311899db4d86305849dfbdc067c7b

SHA1
d515eb75622c00cc403ffcf4a35fa818eedac33d

SHA256
e645e049135f5e18ce62c65be816847bc5403f9f23dc90db90ec5b7982124d05

SHA512
9efb81ec2d01e7163e7f44bbfd68b597764dfe93bdcfe08ae9b4096c380092bfa8ed5f84e7ee6d57f037be31bdf42ad1a4e3789bb37625d20cec983fdb631a26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
32221e6f96f4463f446506756ef2bfa9

SHA1
ae32182b622cde6ffd258c6e9c541dc1494c48a3

SHA256
80c25dc159461645a09a4e2b4c9f86d3cfca3ec7febe1c30e62ba016b89cb4f0

SHA512
05c88daef1e8672592189179588482750a90f9f690a42ffea660b6e89582760c973dfcb6ae4923b02ab550d9f1089ccb477f3a1c4e54a5656927d2c2716f4772

Download Submit
memory/964-12-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/964-4-0x00007FFE0F630000-0x00007FFE0F640000-memory.dmp

Filesize
64KB

Download
memory/964-8-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/964-14-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/964-16-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/964-18-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/964-19-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/964-17-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/964-15-0x00007FFE0D450000-0x00007FFE0D460000-memory.dmp

Filesize
64KB

Download
memory/964-1-0x00007FFE0F630000-0x00007FFE0F640000-memory.dmp

Filesize
64KB

Download
memory/964-545-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/964-0-0x00007FFE0F630000-0x00007FFE0F640000-memory.dmp

Filesize
64KB

Download
memory/964-6-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/964-5-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/964-13-0x00007FFE0D450000-0x00007FFE0D460000-memory.dmp

Filesize
64KB

Download
memory/964-7-0x00007FFE0F630000-0x00007FFE0F640000-memory.dmp

Filesize
64KB

Download
memory/964-10-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/964-2-0x00007FFE0F630000-0x00007FFE0F640000-memory.dmp

Filesize
64KB

Download
memory/964-11-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/964-9-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/964-3-0x00007FFE4F64D000-0x00007FFE4F64E000-memory.dmp

Filesize
4KB

Download
memory/4308-37-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4308-38-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4308-41-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4308-39-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4308-40-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4308-35-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4308-555-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4308-33-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download