cfa70bdd4f97f10fdb4067b7683edc6aefcd90ac65e83e783efc3e8ffbfedc03

Analysis

max time kernel
149s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Drwg.xls
Size

308KB
MD5

fd1a4445eb0ac43a444303dfbcd14bff
SHA1

cdd327c448729d39584282a461d10c37b3f00a4f
SHA256

cfa70bdd4f97f10fdb4067b7683edc6aefcd90ac65e83e783efc3e8ffbfedc03
SHA512

2243b86581a8bfa0315367d5c914a2a72f4137585b9ce4e86bacd6ecf42ef570e591ec39dff5262769307590fbb138417149a9f8dedb442bd42eddc59eaa78fa
SSDEEP

6144:lKW5fnuSrQBkay4KX4mEmHSCn0rhia5WQ2P2TFHsEvT9KLtXqO:vvuSrgkayFX4/ULTPasEvYLtq

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2196 EXCEL.EXE
4168 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4168 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4168	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
2196	EXCEL.EXE
4168	WINWORD.EXE
4168	WINWORD.EXE
4168	WINWORD.EXE
4168	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4168 wrote to memory of 4928	4168	WINWORD.EXE	splwow64.exe
PID 4168 wrote to memory of 4928	4168	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Drwg.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
64c143e9f2a438ddf74501d3b3cc54bf

SHA1
66b41aabcaa5c364d405c858b85fa7a995f53c72

SHA256
02802fa86c2539668fb375ddf8b3ffa5a6c7ad8ae0050c3471dc9fca1275c0ca

SHA512
9decfe443630833dfc6c4e2b728c0395d0cbd59a5d868639f300244c4c61df6540b21d33497a8dd4e1947aaef02e4cbc815f53acc21d70ba1653d9492f438e96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
471B

MD5
a1ea63317f798b4a8794feed068eb885

SHA1
89145042b32e863139c8d3b67763d1aaeb84628f

SHA256
4cb414ada8d6af38feb16ac9db9da6a1480992aa217560134e02a72fb53a5b0f

SHA512
bf7b88fc2c725e62dfa3ee08ff5d246f17fb4397bd745a99546b8083586a8aea334a431275de65c454b8c46b6ab90b9e0053d30b616cba28ccf7593697ff21dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
ec1a653d18edffc12ccd11040b20aceb

SHA1
0e01f513b468c97957213a30622f3988c8c9888d

SHA256
43bbc89aa42bd6900d85ba3eea318f091c2ef588512c7fc5e656ac38e4261012

SHA512
bce79c7566604fe78e72fe2857eec65be75f48a37f25a986b6c48428d704478d05d2010c977b48f34eb3053a3ba13f16a64ac2f21a3985e9e8bd7f445a08a3f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
af92e454b225bae270b77f20fe58f346

SHA1
3185c0fc2671b817677b7210249214338ebe6866

SHA256
d745aa254369a2018d79363a2ac5e204cd255c424d75953b212f3ae08fb2e339

SHA512
5d3fe33cb718c88f2f41e9e06a5203074e39bfe7303f156bdf06b5a5da48c4c8b0bbdcfe536b14ca9d6ce1d6708abbcc8b0247b3ebf74582f1fd10dee0d65486

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
412B

MD5
924f79cdf9a77bcaa9513fbdb19f5381

SHA1
04a5dd76e8f831e517d07dc417aecec8e09d7779

SHA256
429d701da65fb38d70849c6b78bb3af0c68e28ab20bec86f4bf57abf4e9d9240

SHA512
f0b4055f0dbc97e4fe262f144fb254eec91a1201492fb6d4ca8669743d36faeba04050d55dc5db81489cb68d763463c3efa1f7b79b6b33bc7624a45388dd30f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\832650BE-3CAE-4927-AB5F-AF1254ADC151
Filesize
161KB

MD5
6c9bfdd986c1f88490a2e353c384cfac

SHA1
846e2039d03cb0f2e0fbef90783dc3101bfdbe31

SHA256
5e7bacece71229751838e45ae68ae395d02022b7259efa6245283fc54f452949

SHA512
bf18451812772d0dae216e19acc0a3e63b02bce1bbbcf4e8fcf328b0672bdb1cd04b806e6bb9c94f45470d34e57640dda75f2f96ea90fe82e87ca9ed480e82c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
0431bfa8414b26ad1580bb4f1a13923b

SHA1
37ff297f099e6b609d22ae0df9325f8ce7b624ff

SHA256
63a7e224dfbe9d5d97a63c65a00b33019fc65e1b9b6d61d60aa93a64691385e2

SHA512
e64efd269e554a2058d81ebf8634fc2edec694d772032a7ab29c291cb41ee2b237e1bd9e6518b2aaa233702f0092ee8c09bc24e3e174a56733f600fc6e01cd9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
94cb23f7d79158c1d5908cf25d09d5f9

SHA1
760c4acb09d68a2e6c452a6f53110bd19276dd2a

SHA256
c28f005d5462fce0b98a255931a2d53c317ebab13b09b148f2c9aa9aa7cc8cfd

SHA512
9fd3ceda98fe0578f86615ab7576cb38326781a31b176269b3bd1ae94b1f2853c1291d0e5c6a776b18ec90d0633482347b44c9ac81105686ba0fcf68dc2f9272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
05745fc671cd287683c2126ecdd066f2

SHA1
4d728f9e43ff9054f13c144a15e35eedca088036

SHA256
a11d9413dec71ea8aa9659679b393426bb6fbd06fb8e0094ac00f0cfd6fec976

SHA512
89cb1903f86352e1633d658727e8bf29e069c3d366bca1825139ad4501ef84d5b55972b148d4492e3a824171e5325cc28b6a54d1909c73328d29e7ca1537f406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\bluelinkimagesgreatwithlionpicturewhichlooklikeverybeautifultoseetheadvantageoflionisbehavingattitudeallgreaterthe__anothergirltosee[1].doc
Filesize
37KB

MD5
579ae7684b44059c6df7f843af04fd72

SHA1
dd8a17517b4b1d0216bfe6c38e9e61745f4d221a

SHA256
1a3b16582a25d3970441c462299bf550c85c7f4f5887392b1248dc3198584961

SHA512
bcb3551e003988d111a0ca0626e89ea236be5f3c748496642b8c35df81e4d24ac983289f7698d0a1945ad628b2ef7e2809b792b6cd3ca04efd763b235efc4e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD777A.tmp\gb.xsl
Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
229B

MD5
a1fdcdba3e25566e891746d87c5ae32c

SHA1
00b2198c755fe3677699d54da7705c3e26cf1f5c

SHA256
26444e1407d9f616cb61babcc2016b6b11ef07a12af9a003c50c42a06da415d1

SHA512
2526874e1d66d9b30e1b03a3e308a632e97a665e6009671e3685e911c2d65e608cd547aca289ab0f667faea327cca56910c535ed248fb6e3242ff2b04dd3618c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
8897823efcb9be1c47ace0cbfa2eee9d

SHA1
2ceb600d346a5d5d7ac0b923f7c172acaf580b98

SHA256
74b2b2b77dd52ba0cf4060e2d427079b15c6201a1d0d1121dac8cb2948aa2270

SHA512
8ea354019d55d0a50506c391633eeeb2213a45e808260e39912b253bb6d80b89f5d54101c3bdc53121b78a5579d3df5ade80640c92407ba841f27adbb2b1101e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
19f92b8da2d22fab808258c05e7f5d11

SHA1
9bc80a5b3ec5c545dcb806eb33fdac7809fa46f1

SHA256
65d72fe874cea5e8a9bd5751c2b135152f475abfcbb64b9ca3db4464117abedb

SHA512
5086bcb7d1b2be39be6a589291a5bcf86aa932504bc92360728bcc8398bbb50e4ff95566fe558e4d3e52c5d0b92b5d1b8da5977ddb980b13e1f8bed230cd49e0

Download Submit
memory/2196-12-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-7-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-21-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-20-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-19-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-16-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-13-0x00007FFCB7CE0000-0x00007FFCB7CF0000-memory.dmp

Filesize
64KB

Download
memory/2196-579-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-3-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

Filesize
64KB

Download
memory/2196-2-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

Filesize
64KB

Download
memory/2196-5-0x00007FFCF9FED000-0x00007FFCF9FEE000-memory.dmp

Filesize
4KB

Download
memory/2196-6-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-17-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-15-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-14-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-11-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-0-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

Filesize
64KB

Download
memory/2196-1-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

Filesize
64KB

Download
memory/2196-10-0x00007FFCB7CE0000-0x00007FFCB7CF0000-memory.dmp

Filesize
64KB

Download
memory/2196-4-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

Filesize
64KB

Download
memory/2196-8-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-9-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/2196-18-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/4168-50-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/4168-49-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/4168-48-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/4168-47-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/4168-46-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/4168-580-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download