Analysis
Max time kernel: 149s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-05-2024 18:13
Static task: static1
Behavioral task: behavioral1
  Sample: Pepsico RFQ_P1005712.xls
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: Pepsico RFQ_P1005712.xls
  Resource: win10v2004-20240508-en
General
Target: Pepsico RFQ_P1005712.xls
Size: 111KB
MD5: 9eba63f385b6efcc868f163cc53e5ef6
SHA1: 8da5ad24a8a94e035b473f82e03a57740413998d
SHA256: 47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75
SHA512: 6c47a8bdfbc30422ab8805fb98f454ee8b71f65057e334a0ee7723a90d2e864efa44b02e98a3984f315222065002d3cb8894b99734807f78045811597207f342
SSDEEP: 1536:VU0BRPw/jF2gE+wxQAOhUMqTjfktX/t/qr2ml8Vvygn05kTheDm/:y0WF2F8ATjio2fVvr05ehe
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
- PID 4260 EXCEL.EXE
- PID 4612 WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WINWORD.EXE
- Token: SeAuditPrivilege, PID 4612 WINWORD.EXE

Suspicious use of SetWindowsHookEx (16 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
- PID 4260 EXCEL.EXE (12 occurrences)
- PID 4612 WINWORD.EXE (4 occurrences)

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
- PID 4612 WINWORD.EXE wrote to memory of PID 1460 splwow64.exe
- PID 4612 WINWORD.EXE wrote to memory of PID 1460 splwow64.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Pepsico RFQ_P1005712.xls"
  PID: 4260
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 4612
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 1460

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 1320
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA (2KB)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691 (1KB)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA (482B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691 (486B)
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F6FCDCC2-3ADE-4DED-86CD-36D8ABA42518 (161KB)
- (path not given in the report) (21KB)
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres (2KB)
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres (2KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\lionisthetruekingsofthejunglewhichcomaprewithtigerbecauseoftheattitudelionalwaysliontounderstandthepoweroflion__kingofthejnglelion[1].doc (34KB)
- (path not given in the report) (263KB)
- (path not given in the report) (231B)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (5KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (3KB)