405173d3f4b78123bdb8d7d14009fe634d7ad45294032b94690836702f2216c7

Analysis

max time kernel
101s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order # PO-00159.xls
Size

159KB
MD5

a2e27ccfd115281542473a2a75817b7b
SHA1

6fe6c950003d0d574741d68dcaad6f19e76a296e
SHA256

405173d3f4b78123bdb8d7d14009fe634d7ad45294032b94690836702f2216c7
SHA512

7f11bf14f0ed1d935fd497a74b9738f83bd5c23f0f6774210fcc4b73a8a93dbbc01d113437b55bc6a79c423bdb283410d3a56f57df44a9e0a4d738a9b1b47f32
SSDEEP

3072:r8tq3KR9pLmLXCxpFNUXU5VQXrNAoboOSIPwGatXiQjnpFDJAtJIH8:r6NCLXCnrUXAVQZA0dRYBr9k

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2064 EXCEL.EXE
1612 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1612 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	1612	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
1612	WINWORD.EXE
1612	WINWORD.EXE
1612	WINWORD.EXE
1612	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1612 wrote to memory of 1188	1612	WINWORD.EXE	splwow64.exe
PID 1612 wrote to memory of 1188	1612	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Purchase Order # PO-00159.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
471B

MD5
6fe86f61844682b66eb0e8e5ffedb9db

SHA1
ee01554a31c29ea6cf581c2728d1d0ecc5a5c720

SHA256
19e5c432c12c7f17a681f54cc75b5a88b2f374360e1ecb086bf21447a0fd830a

SHA512
93dc92d22b193ba9a6db17cfdd191985ad989a1fc71a6049f361a5e9132ec8381480064b03923a93785bf1dc194b3ccc5a1320e97f55cac93783ddaa16df6abe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
412B

MD5
8d09363e701797d2a311e1c58ba14524

SHA1
c1444d6a810e998439aa3c5185f77683438eb165

SHA256
dd20453ac1d03a0fa7e48b3038bb76448281cb898922fd4d70e76706c71876b4

SHA512
39f1178656f59d4d97b41aebca880df2dcc56582f3917323122a1dae3af26320abb680ba429af0f0d240d74fe717a22bfd5819bfb9981f76c7d525d30cbb9df3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D654C024-9A21-4822-80FE-DD5F6EA2B0C8
Filesize
161KB

MD5
ac0ca3047502f3b1e4565c61e3fd28eb

SHA1
9b44888ced172cf5c7fbd622a80b0c854cf0db39

SHA256
3f5ae605c4bf24356250e5c7d104c56499eae41c8411c308e5c815208490ce85

SHA512
5a358aae2fa2387926f3b85b13f8439e9af7d372c9d923f5d4b0444bca7e5fa99d24f9d7e4bfc45b3b3a9371f6e223cb7e1e42b37519498f0652d877ab589141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
de978b2f16e202641c60542585a44a0f

SHA1
2fbd59bf298111fa6bfc491f55caaa119afe63a3

SHA256
86a508de9afe5491be48d01d9b879f04e8f0441852d74be4491bc7a2f4f38d9a

SHA512
d52ff4337c5f4114812df3c15146527e6c05e934b72ebae4904182ca246d3f152521a19375c85d0e5823ca3089d3eba198940d8a00dbd411e0becd2ee19570b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
d01b439b51120e09f6d69d0212a2429f

SHA1
f13dd75d85a110d2fedb96d3456d669be6fa68d9

SHA256
fed9d18010ca5856f58ff2938a98537b72622fef1a0c6f0886e330798cc1e93f

SHA512
c70deb171ae3d2078a19bb3a976589e3a7eecae3a47d34f8a6cdd8f54138f5da06e4e75eba0d88ee5b9d3a872858d235a5de8a98dc99eb2c26816ff4d29a2c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
2e4e71c3c3a8cbeba1fdb531897bef90

SHA1
3740e6ff95603a711987a5601a3ee8f3abdf7ec9

SHA256
83ffdaa65977570984afa6c88403011a57878e4d8575acdc338767613c8d05b3

SHA512
79b688f872a486bc55fc244bd5776af8495d04aac311dbdeb8c5490030c28492e66e08e2974a97385c09a198732f62ccf72d4bf7c8365b3c52b211969031115f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\lionisthekingofjunglewhoruletheentirejungletounderstandhowpowerfulkingofjungleheisattitudeismakingentirethinggreattounderstand___lionkingrulethejunglefors[1].doc
Filesize
33KB

MD5
b03fb70c3be411363c911037b610df82

SHA1
73a641e3b46dffa65c6d720119da0af40e7bfbc8

SHA256
e137f8e51aa73d7a046106a61237d7cbec7e0552607784ac8e62fdb0f245027b

SHA512
655bed1ea5b2b8d37524f091ca4a3ed834abefba67ee80d2b3f4fa648c6d750da8a4c6e8ffe07d55b4ea0f5ea52dc94b684c6da7a56eff3be95d984c85c22e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDAF42.tmp\gb.xsl
Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
234B

MD5
0e94f0bb69c61f9fe18e6bfb88e2f91e

SHA1
8d9ef0fd68a73f64124540a6174dace569c13331

SHA256
c544ff923a3af9ddd77f34e66f5a243da158db77c8386ba4ecd6777c41989532

SHA512
fec1fd312c32616c32b7ad778c59b241d9921d813b7049fe74881b68652677066e7f4ba4ddc3b28b987c4316c9ad7b4096a394fa40024edb293d0014dae2771f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
0656f8716f96ef8dbd29c64c78cf9ab1

SHA1
0c3781c52fa7d1f013bb16b1444445ad0b70551a

SHA256
52e11953b196abb10b5736284eede2d81e1d4cf151a28fa3d6c7df73e5b1b94d

SHA512
0888d2191b3296b720c8258dc88dc86b07cc656cc8a40c702dc0cc62034fce446a40bfa34dd2a5201ed87972857f449207717155903ce165f5b3c6a4ce3137ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
4120e27040400da519c483d3d11c6871

SHA1
53d18dbc9793219d48c81d7cf609cde16bb7dd5e

SHA256
ac3d3ccf0357dce96fa217c3c8fec7cd498e7edc0662762ad00c9b7e0a4853e5

SHA512
8cdd0027c48bd08ce9b77a7d99204cb14621f77c777afda07e3a5f736cde633298ce917b5ff7ce51c5ae5df1b74787475d2543cd597d73044f76ae9638df9ce0

Download Submit
memory/1612-36-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/1612-573-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/1612-612-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

Filesize
64KB

Download
memory/1612-614-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

Filesize
64KB

Download
memory/1612-615-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

Filesize
64KB

Download
memory/1612-613-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

Filesize
64KB

Download
memory/1612-616-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/1612-39-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-12-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-11-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-15-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-13-0x00007FFCE2890000-0x00007FFCE28A0000-memory.dmp

Filesize
64KB

Download
memory/2064-18-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-19-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-20-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-21-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-22-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-17-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-14-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-10-0x00007FFCE2890000-0x00007FFCE28A0000-memory.dmp

Filesize
64KB

Download
memory/2064-0-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

Filesize
64KB

Download
memory/2064-16-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-9-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-8-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-7-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-570-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-572-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-571-0x00007FFD24C2D000-0x00007FFD24C2E000-memory.dmp

Filesize
4KB

Download
memory/2064-6-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download
memory/2064-5-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

Filesize
64KB

Download
memory/2064-4-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

Filesize
64KB

Download
memory/2064-3-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

Filesize
64KB

Download
memory/2064-2-0x00007FFCE4C10000-0x00007FFCE4C20000-memory.dmp

Filesize
64KB

Download
memory/2064-1-0x00007FFD24C2D000-0x00007FFD24C2E000-memory.dmp

Filesize
4KB

Download
memory/2064-625-0x00007FFD24B90000-0x00007FFD24D85000-memory.dmp

Filesize
2.0MB

Download