cfa70bdd4f97f10fdb4067b7683edc6aefcd90ac65e83e783efc3e8ffbfedc03

Analysis

max time kernel
148s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfa70bdd4f97f10fdb4067b7683edc6aefcd90ac65e83e783efc3e8ffbfedc03.xls
Size

308KB
MD5

fd1a4445eb0ac43a444303dfbcd14bff
SHA1

cdd327c448729d39584282a461d10c37b3f00a4f
SHA256

cfa70bdd4f97f10fdb4067b7683edc6aefcd90ac65e83e783efc3e8ffbfedc03
SHA512

2243b86581a8bfa0315367d5c914a2a72f4137585b9ce4e86bacd6ecf42ef570e591ec39dff5262769307590fbb138417149a9f8dedb442bd42eddc59eaa78fa
SSDEEP

6144:lKW5fnuSrQBkay4KX4mEmHSCn0rhia5WQ2P2TFHsEvT9KLtXqO:vvuSrgkayFX4/ULTPasEvYLtq

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4632 EXCEL.EXE
2596 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 2596 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	2596	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
2596	WINWORD.EXE
2596	WINWORD.EXE
2596	WINWORD.EXE
2596	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2596 wrote to memory of 816	2596	WINWORD.EXE	splwow64.exe
PID 2596 wrote to memory of 816	2596	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\cfa70bdd4f97f10fdb4067b7683edc6aefcd90ac65e83e783efc3e8ffbfedc03.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4632

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
64c143e9f2a438ddf74501d3b3cc54bf

SHA1
66b41aabcaa5c364d405c858b85fa7a995f53c72

SHA256
02802fa86c2539668fb375ddf8b3ffa5a6c7ad8ae0050c3471dc9fca1275c0ca

SHA512
9decfe443630833dfc6c4e2b728c0395d0cbd59a5d868639f300244c4c61df6540b21d33497a8dd4e1947aaef02e4cbc815f53acc21d70ba1653d9492f438e96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
b98d8ef60eb54d46562d30ac0c62f3a5

SHA1
6157b39cfd6f5323e526fc8ebed37833b44c9645

SHA256
d11b83b3df5f7fd3422f3bf0590dd6607aec05979b9af610ae339b1c52f9f25f

SHA512
c9599f394e16351a41795be31c15ab4174ad485e89a3457dee96afeecf2bf0a70d15afa24da3d571f7d7bd53476b89b0fcea00a4c51d15c4794da2090789d311

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
f9fbf4e1e419cfb8761dd05b6402be10

SHA1
9e0d03d3f0ebaac910d4567c13508775a77e3ea5

SHA256
05659b345217491e1321b1fab7d98114eaac4bd29e1e30a66c3ae49afa60e1ad

SHA512
609fbbc0bcef862f13d279f31243017e4740cb363b3a1e2e6a8a87cab03c2bcbe7ee36d7d2beabc145cd7eb9485308429092de1e8da58d35cdb60c6b97dd0d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\79306D6E-1D8C-41C7-A96F-1F96CFEABBCC
Filesize
161KB

MD5
f087663f124c404c9a9645ef41229986

SHA1
94c0fb3625bca1d3c83da57036a8bfa7fe65dcd2

SHA256
5d5a95be19d219ad2de990fc08482e6927654476942fa1f4c06685b039c69536

SHA512
44ee22d7414c939953bbb41a1b57fa8f7afc7a1a37238e722579b991da531be23039fb7da65c4be93f3b54de63616a0ac15d7f8aba50f232aac17c863bcc5a82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
3cb427a833e15c5efd192b212218f494

SHA1
7042dda228b2cd2ef938a7d8a543b55bb4bfa1d4

SHA256
51ba5a99aec939fd10cf5ba0cc0d317a95758132383e1b363d147cd898514508

SHA512
6b3786519efb80a1958d908a3d21ee88dbb434076df0254003eaa6cea4cdf10b350235eed270c967f680b6068b39c54a56957b056a948058a16e3ca515d3968a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
279a407982a0df60e45d3c4fe0c60b7c

SHA1
a035de3b91310df9ed0c4f11cc5378af7887dc58

SHA256
a593741467fbbc3403176e0bae9e5ea01a2c39fa9476b8f61f5c36a7c96a4b4b

SHA512
84226c83130a4e8edde67e2253ff5e5cec9f14f6997f8a80b72dae01c00d06e9734dbf5e97dbed88f943a9427a82eb5cd3aa218269924ff106f0aba08ec03454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
7ff6c2f0213e390150e71d159bce942b

SHA1
2eecb5076c280e0368df283f672f5e3e4db6aa63

SHA256
a0d6ffb24e4576f93bc4ef06b36b2f46c10c81398122ca59c99cd8a553143e45

SHA512
f597f44c4b3924cf32b4727d63d2719ba94c8679f2792669d0cd9b705837ff59863ad83eb8c4bb988ce1e0d055ab6227ee1342a0a17a1d9a5c27f211ec408049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\bluelinkimagesgreatwithlionpicturewhichlooklikeverybeautifultoseetheadvantageoflionisbehavingattitudeallgreaterthe__anothergirltosee[1].doc
Filesize
37KB

MD5
579ae7684b44059c6df7f843af04fd72

SHA1
dd8a17517b4b1d0216bfe6c38e9e61745f4d221a

SHA256
1a3b16582a25d3970441c462299bf550c85c7f4f5887392b1248dc3198584961

SHA512
bcb3551e003988d111a0ca0626e89ea236be5f3c748496642b8c35df81e4d24ac983289f7698d0a1945ad628b2ef7e2809b792b6cd3ca04efd763b235efc4e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD8F51.tmp\iso690.xsl
Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
229B

MD5
a1fdcdba3e25566e891746d87c5ae32c

SHA1
00b2198c755fe3677699d54da7705c3e26cf1f5c

SHA256
26444e1407d9f616cb61babcc2016b6b11ef07a12af9a003c50c42a06da415d1

SHA512
2526874e1d66d9b30e1b03a3e308a632e97a665e6009671e3685e911c2d65e608cd547aca289ab0f667faea327cca56910c535ed248fb6e3242ff2b04dd3618c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
9005a6efac895075c6687ae4ae4dcf5c

SHA1
4ef60a7dfdc040a366dfef00a603dec6f6d74415

SHA256
749a32a57287e20babd7fb2e1d879301f60cca890680fbc45918d771323eaaed

SHA512
b352280a87ac31ff1c808f1062aa0312f292569c61b71916a82db7a91c5804557e1a5e77edc2169c4c27c68f752f60a64a321bcf776bb42a796a03721551d0fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
176ef9814fbe221dde09851ed1c32cbf

SHA1
bd5ed360322f773ee365b804261ba1cbfdcbb6b5

SHA256
a7eda92bbe6edef0e7185457f99cd7bc4c90e2814d578b8d4bda1c22c9c6e8a2

SHA512
d75f7c70c12eb441e4e72d9eeac576d57127c5c2b0868bb024df52b5f4baf9161b7203dc74867af0656b49272c07d7aa7da73025cae0b89322c59eeb56778547

Download Submit
memory/2596-46-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/2596-582-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/2596-51-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/2596-50-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/2596-49-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/2596-48-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/2596-47-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-10-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-11-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-19-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-21-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-20-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-15-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-17-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-16-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-14-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-13-0x00007FF9DF7D0000-0x00007FF9DF7E0000-memory.dmp

Filesize
64KB

Download
memory/4632-12-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-18-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-0-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

Filesize
64KB

Download
memory/4632-9-0x00007FF9DF7D0000-0x00007FF9DF7E0000-memory.dmp

Filesize
64KB

Download
memory/4632-8-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-7-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-6-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-5-0x00007FFA2184D000-0x00007FFA2184E000-memory.dmp

Filesize
4KB

Download
memory/4632-4-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

Filesize
64KB

Download
memory/4632-3-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

Filesize
64KB

Download
memory/4632-1-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

Filesize
64KB

Download
memory/4632-581-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

Filesize
2.0MB

Download
memory/4632-2-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

Filesize
64KB

Download