47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pepsico RFQ_P1005712.xls
Size

111KB
MD5

9eba63f385b6efcc868f163cc53e5ef6
SHA1

8da5ad24a8a94e035b473f82e03a57740413998d
SHA256

47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75
SHA512

6c47a8bdfbc30422ab8805fb98f454ee8b71f65057e334a0ee7723a90d2e864efa44b02e98a3984f315222065002d3cb8894b99734807f78045811597207f342
SSDEEP

1536:VU0BRPw/jF2gE+wxQAOhUMqTjfktX/t/qr2ml8Vvygn05kTheDm/:y0WF2F8ATjio2fVvr05ehe

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4260 EXCEL.EXE
4612 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4612 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4612	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4260	EXCEL.EXE
4612	WINWORD.EXE
4612	WINWORD.EXE
4612	WINWORD.EXE
4612	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4612 wrote to memory of 1460	4612	WINWORD.EXE	splwow64.exe
PID 4612 wrote to memory of 1460	4612	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Pepsico RFQ_P1005712.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4260

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA

Filesize
2KB

MD5
b2973e96273fe840b4a132c0b1282697

SHA1
66bfe78a2f8cb9b0de54a2778be3e6042f4eda27

SHA256
c22fc4c44df4307fdd018fe841e7d0d26aa4902864751878f01dfc34a49b3c9e

SHA512
724fad4202c6c8730c53cb44b28338d8b901e1b21b4cf2d34d120cc9030ed2f6c392f8b5765001016f7176c829b6a02b0c90df7dbc1f4b0973dc5ef75c9db8b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
1KB

MD5
e59f7b1b4ba2d190bcc16704c4d0ae4e

SHA1
29bbe983e3ed093e2dfe9c8aec56908cfe49e733

SHA256
7adc35c083730086749fb125a8ea63fb19dc47553c135007e44cbde354e6ae44

SHA512
51aa926cf63ebd85dce9f233bdb5e1d14e1af163f4c1ae014b397bb45aa71373d2e4bb3a9d219bbdb8c308984e2d71a26d71b34bcd8a7b1aa3e9192115f7bf8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA

Filesize
482B

MD5
f687f1d539c1000e185e5a1cfb77da59

SHA1
e3bd0e5200c820da9a752e2510c64c7f4dbcea8f

SHA256
9c90a09555cc048c74a04d95c764dc9c552774cd202b39ce4faa19d99ba4b22c

SHA512
193eb169333916687949323bff2da2b848da4e6cd2e4746340b504d2f12957cda7867b89b4a1d0c9fe464b0f5d85cb67e3bf54f6a56b6139b4eea5095ebd218d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
486B

MD5
15f664a9ab65a805538a1599d60d82e2

SHA1
db575c2209540396dbddd4f1aaa7260cd86ac802

SHA256
888878cf2e35ea3a7bb02918fa6a3018d3fb4d397d98c103f0312ff43a168a89

SHA512
56e9e4a08140ce4d0fc1da4a26ff567dfb3da7bd9e2a33ad63cfd79f8212485cc40bc656e46e9d6a19dd59505534f935b32a585119e171922de558ebe6384119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F6FCDCC2-3ADE-4DED-86CD-36D8ABA42518

Filesize
161KB

MD5
4942cfedd6aa3bf68face8df8d33d0b0

SHA1
3e6d4660bf6851003bd93b0f738e54bbcc13f9fd

SHA256
571c536cced9b00e42c6f1236cced30ef9ca3dc148c9cb9b190f35dc51ee5e95

SHA512
6c99d89e5088c8c5bf82456f4218eed6855fad538d5c60515b724224345ae9f639c6601b685077ae4b348891ce4b83cfdb9bfd5c939c176ed06d9f93254a820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
f1061ce54be971785b6cf11e9b5e63ba

SHA1
852869aac0c905fb282a8037ef53fa8f7614dafb

SHA256
b8d2b3e9fdc372cedd4dc49119e16b3bdcc2e1b051b7f1af42ba21e8e021043e

SHA512
53273698ea4a0a67de0a0f409c80cc94a29eea704623a7a9324b39f2b9eb4fce3cdac4298eb75d312bde9ed84cad90987a93adde3d7fa2e9c65e5de7a986464e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
cf6aba1e08608a131000d6706ad19025

SHA1
5a0f6791800c8dd24e9e2095cbaf91767a0c449e

SHA256
87e424b1edcabe9ad44865a17a778494f104f04c2e8a8119170f4f995f4c4ea2

SHA512
9ff7e25b095b21748e54542b4b008306bed857ca3f033aaf06be26e81f018d1ad76cbbc41b8b12514c368fc3dabcf25ad16aa1e18887620cab3e2f8a1eee4002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
0b64640a578313c4e604daf2da47264d

SHA1
0f88b920e2d1f63b211347dc42554d948acc6929

SHA256
2cdc0d0d133f44133821ae350f5c11e82ccefcf3d8ad80e038d9e8aa7572b72c

SHA512
e97ae52131aa4b67425f362121045d6f168da4fdd89b3c161f4d1a3f207a1f2e44cd1bce7f5f28d4ebba3c175648ad3cfc040d80ecb3a65d9df60f2783b29063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\lionisthetruekingsofthejunglewhichcomaprewithtigerbecauseoftheattitudelionalwaysliontounderstandthepoweroflion__kingofthejnglelion[1].doc

Filesize
34KB

MD5
0305665fe64e9a6f1ece3d43bc5d5112

SHA1
10460b71c923225d6c368a96a7c0b7058bd65b54

SHA256
dc579de78c6ed74c526d2f3eabc5d486dcf1a046159e5eda72b1f232e495b6f2

SHA512
f359b47159ecdbbbc83e76ed00295cdd279289db6333b83d03e2a111dfb26ce873d08938345fd91083df4661253a8da26972d8cb3bc9ce93ac7ff72611f07b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD11D7.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
231B

MD5
30367aca0fa7da71b17deb16cea2655c

SHA1
305e05a1d80fe85e8614dcab61bfa6208d3f8cde

SHA256
c59ac5d670af99a8e17930767fd840817fb8ff182818387e51dd8e88b35f1b45

SHA512
bc9add6972f6d0d4bf06249d3e55979dbdd158e0ea01f8f014d0d8d51846625e2862f3fd1b86d91c5569820af3c4cba0c6b7e1b9fd9617364a9ea35731ab91be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
7697a289394d762d30cb650aeb391ed3

SHA1
b3331a6fac8f070361cbe9777eeb3299a3722c4c

SHA256
27bf62a79243dda53a0c91b7ef67d6344a11e3043f740e2c5bb16f6a9e68b0a5

SHA512
ead2e0929015ec0184a3d960eb7c2b192c451ebd0243305d994f2e63e2dd64034afcb286f0f573e78497bc173b0630513eea3a59aa908488ab9f4feb2e7ab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
3999c5e7a9160a2fe6404f783dd9760f

SHA1
e93762ba6e9fdca7220f18cfd7349f6bae3c113a

SHA256
aee8fd7910f065cd3a9d3b96b98a5d76f38d4896e0c8546fb3d9a933e2520402

SHA512
0510609df648c4a109616a99f2e76dd0ef1fdae0d3f71c927c811eacfac0f647a0a688994b471c4744712e05c7cb58720073e9d72fe1a03b1c7dda0f628e26ee

Download Submit
memory/4260-9-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-1-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

Filesize
64KB

Download
memory/4260-15-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-16-0x00007FFB2DED0000-0x00007FFB2DEE0000-memory.dmp

Filesize
64KB

Download
memory/4260-17-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-18-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-2-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

Filesize
64KB

Download
memory/4260-6-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

Filesize
64KB

Download
memory/4260-5-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-14-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-11-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-12-0x00007FFB2DED0000-0x00007FFB2DEE0000-memory.dmp

Filesize
64KB

Download
memory/4260-10-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-0-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

Filesize
64KB

Download
memory/4260-8-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-7-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-13-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-4-0x00007FFB7004D000-0x00007FFB7004E000-memory.dmp

Filesize
4KB

Download
memory/4260-3-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

Filesize
64KB

Download
memory/4260-79-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4612-46-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4612-44-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4612-42-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download
memory/4612-443-0x00007FFB6FFB0000-0x00007FFB701A5000-memory.dmp

Filesize
2.0MB

Download