4d97a5069b154b2e95af235dd32c82c1bf5b2e4cf2d188067da223f488ebaa48

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDIN.xls
Size

307KB
MD5

8f82df8963d12e63c11d24991271c888
SHA1

205aa52dc1b466bb0ff5f5976288aa84e02b94e7
SHA256

4d97a5069b154b2e95af235dd32c82c1bf5b2e4cf2d188067da223f488ebaa48
SHA512

73f45a89f02b32afef07268529b74d6d81b654de77000c7d36162c0c88574f0d185114ab243580f4b88f170d5adb366f94076683293d4cb28ae9bebb42f1759a
SSDEEP

6144:70W8l06JYtpMV08kQMJ8ZNlamLmjxCIl/cyh5qkO9e4525OL:oW8l/qtKVMJslPLynl/cydCep5O

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3184 EXCEL.EXE
2256 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 2256 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	2256	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
3184	EXCEL.EXE
3184	EXCEL.EXE
3184	EXCEL.EXE
3184	EXCEL.EXE
3184	EXCEL.EXE
3184	EXCEL.EXE
3184	EXCEL.EXE
3184	EXCEL.EXE
3184	EXCEL.EXE
3184	EXCEL.EXE
3184	EXCEL.EXE
3184	EXCEL.EXE
2256	WINWORD.EXE
2256	WINWORD.EXE
2256	WINWORD.EXE
2256	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2256 wrote to memory of 4580	2256	WINWORD.EXE	splwow64.exe
PID 2256 wrote to memory of 4580	2256	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDIN.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3184

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize
471B

MD5
608a0f0428e32a24eb0d796f5a972823

SHA1
df9342aa3d1fa8be89caabee60f5959a1f6272cd

SHA256
718177a404d91eee14a31f1b06ac15eecb90a9d14f458a113b2af44847279b61

SHA512
45d28a3bd9b5bb7f0ed8616ee83bedcc267d0349f01c0be349dbb1ef88d9c5a9c372a88330074b97c05fc2c0dc43598c584584803f169b8c99c1e98011d4be90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize
412B

MD5
d0c1b964784fbc7afe0a4f0ba20d6766

SHA1
955d3d71378b38223b31e47c2eff8f8335b75cd9

SHA256
9ca923f723905e50bbc901165998e01fc3c5ac550a92221ef0754f89ea7b4332

SHA512
317ebea9c22e85351e44e4b9414376c1bea94e578d8e92f45757b620cbf4097f7e6e36c47db09b9339633eed876da698a7e888a6d75b14de6762ffaf69434081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CDBCEA8E-BD7E-408F-B235-16372550E06A
Filesize
161KB

MD5
14a3064c34bb2b288f075a2f0e2aeb50

SHA1
d4668bd185efda7aff498e4c7601648495d06697

SHA256
c67008c5309cbf9fd8ae2db27d23dcbee65c812f2adf800f2e0fb2ec4a3828c1

SHA512
ab836cdcc73bf010674225cfbb12cb8fa4787facf36f8072cd53137ca92834b8d9bb18f1e409fe02802de75f055cd8a25250a314a5f36d483c8bae189b6274c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
327bc482db488a96b8ae5e8ececff571

SHA1
ac4a3f00acf3a9aa488f5622caee865f3c67cb52

SHA256
0209ea493217b82233166c1400c1c1d8f1eae88b175cba541736210c7040a3cc

SHA512
3a72a9ea473bf90ddafcc8a988824157823087005be874e9d3a92c973c0e38029d4ec5603013e6bcdd2285dcb99407abd5ba524e6e2f39868daf71913d93ba17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
d857280b67807f2cde2eadd37bd8d165

SHA1
faa5fac03b1827e1c8dc24b18cd82c4ca0be1272

SHA256
3e361221eb335a8d301bde14f367777431679df6c100319d4db44cfbe647c44a

SHA512
954a654b683631fd5b60a7112501497bfaff9b3d3d0a688eb323c1911415862fa85256781f897c68bc169e602e44d9c41d9e862d7603d5a7321cfe1bfe4dce5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
fffa4fbef8dcc43878391db0a02312d8

SHA1
d42d8d7fa1d2312ef2b2e8feb3199825fd44eacc

SHA256
9a4ca2ecff6b3c396a64f8e84474c7f673a6822b652c242390923750987601ce

SHA512
d343f0fb7571e055300923ba428227f4c7ff3675991cf21693477357a2d2ea71ed99e5ebaf5a97abd7f607dc923caf4de58214160f62c480fcbddeb5b6b754bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\lionisthekinfofthejnglewhorulestheentireworldtoundersandlionalwaygreattoentirethingstomakejungleistherulstounders__lionkingofbeauty[1].doc
Filesize
39KB

MD5
8a55797224e00e639f096ffaf6b476ef

SHA1
2ce6affe5c1a86bc7292aef0831b1cdf51e771df

SHA256
f2d151dad739faddbe76bf66069c3e1b8d982e00eabc9b8f408b505a082a7961

SHA512
8e4e443784e1acb34cf2ab1a720f186ccefc97dd8dccde3d2da87c377ca45b1460bece26497e684ee0929e3ab6c91a17ab94fbf598e007899f0f5a7e7bb6175a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9289.tmp\gb.xsl
Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
234B

MD5
912b65fedaddc8c3a564cead889ff587

SHA1
830a62a55326c0ab7508c96b37e48bfad6b0bb84

SHA256
abe5ad98ea1cc0fc02bf0066de10bb32e65b2ea9eb3578415f3a1a8b80d92de3

SHA512
6c66b63fe96cc28d91a7eddcfdf435c9acbd9b1e740c8663f5d2f1dbeaf86129a6fc2c2441e2a824157e4d0ae3e19b542ecdd389af8ba5b09d0c8083b7c6d8c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
8ea3ea973680ce455cd59b1077c1e98a

SHA1
fdd252c76980fc39f6854de78a7c1e042ef68348

SHA256
20575bf41f2befed4b386ac1ec709d8da77a835e64e07bbe114f552c1098811e

SHA512
8bf68f760507ef0338849760d34bf6afc2a312a5b0852174f325cf879901ef39bdfd87a9d57bc247e24802a3627f26c8ab02d0289c696d948ba45a49b645343c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
bd4f81992073fe2ec75a94428b80901c

SHA1
0c89c492c58472fb6beb7de7bdd4c64cb768d749

SHA256
c238cfc268be8abb4d6c2f8a2d5fc14ffbedf293f454d4b518194cd496d2a943

SHA512
208f3cad18617c85aa9ef4bc9ffdfcbaeb1de0df0134cf3a6b9b01000a6d382d307449d957f4ff960236737ac8e7a84eae5870f6f4bed3a402a37380b80ce369

Download Submit
memory/2256-33-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/2256-34-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/2256-558-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/2256-557-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/2256-38-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/2256-37-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/2256-36-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/2256-35-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/3184-12-0x00007FF9FE240000-0x00007FF9FE250000-memory.dmp

Filesize
64KB

Download
memory/3184-5-0x00007FFA008D0000-0x00007FFA008E0000-memory.dmp

Filesize
64KB

Download
memory/3184-16-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/3184-17-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/3184-18-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/3184-15-0x00007FF9FE240000-0x00007FF9FE250000-memory.dmp

Filesize
64KB

Download
memory/3184-11-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/3184-14-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/3184-10-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/3184-8-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/3184-7-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/3184-0-0x00007FFA008D0000-0x00007FFA008E0000-memory.dmp

Filesize
64KB

Download
memory/3184-6-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/3184-2-0x00007FFA008D0000-0x00007FFA008E0000-memory.dmp

Filesize
64KB

Download
memory/3184-3-0x00007FFA008D0000-0x00007FFA008E0000-memory.dmp

Filesize
64KB

Download
memory/3184-4-0x00007FFA008D0000-0x00007FFA008E0000-memory.dmp

Filesize
64KB

Download
memory/3184-95-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/3184-96-0x00007FFA408ED000-0x00007FFA408EE000-memory.dmp

Filesize
4KB

Download
memory/3184-97-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/3184-1-0x00007FFA408ED000-0x00007FFA408EE000-memory.dmp

Filesize
4KB

Download
memory/3184-9-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download
memory/3184-13-0x00007FFA40850000-0x00007FFA40A45000-memory.dmp

Filesize
2.0MB

Download