23beb2cb2dcecd755000c7992a9b691b1b66f3f8b4410c8d6c9af7411f5c7fc1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LHER0006981753.xls
Size

243KB
MD5

9a3bc48238b66f452505a411d111672f
SHA1

d6bd686fe55e31c0a0cc387f0fd9e508cf7963e6
SHA256

23beb2cb2dcecd755000c7992a9b691b1b66f3f8b4410c8d6c9af7411f5c7fc1
SHA512

68dc475eeff17b495015d2676504bad0d7b6f653733e40a7c0c692b2fb0b816a4c1a66514ef6f92e76662fb2b637acdfeee774c43536b8a67a369b5f40d14c3b
SSDEEP

6144:ue4UcLe0JOqPQZR8MDdATCR3tSul0W8ETwFN3sm4Lc7qRcz0DLdvU:EUP/qPQZR8MxAm/SbW8E8N394oeuMLq

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4820 EXCEL.EXE
812 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 812 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	812	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE
812	WINWORD.EXE
812	WINWORD.EXE
812	WINWORD.EXE
812	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 812 wrote to memory of 2080	812	WINWORD.EXE	splwow64.exe
PID 812 wrote to memory of 2080	812	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\LHER0006981753.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4820

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
0ae1d079f1f9257a73e3d4a3abfe6d03

SHA1
2cda060a175f217bb92004fadb1ced4b821c6d9c

SHA256
74cbed1098654dbf5d4d439c00cac4bb1b5908e9646e2169f384a1efcea0d77f

SHA512
d4c188542a9997371df008270781953614ab22c8814cc8b2388c4e281ee86f39e09087e6423dba1410b4e4dec6e5ccc02fb5ee7d986aee9f18991efe5d1493c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
c73e67d3205fd3901be06fbc5f53c1c4

SHA1
0ade9e612ba5ae2b2c63bfe9e8786d2f7836b957

SHA256
3dfe2070a19593aa0fcb85199d43e7abc552027c8e7986e6a90774098d8f2052

SHA512
695692cbbfab3fc1830cbf450d4fe9423ceab3ea76de9a103b0e872b5b4d9f6ec7ec51c48da742099fde57c4cf1e74a39dac150e2ee02a127bd1924a3e7e080c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3B773004-923E-4580-80BB-652811FA0EC5

Filesize
161KB

MD5
85a0b0c6e02363ef89e8be4e45fd18b1

SHA1
7bd7e762290d69f620d0508e938db60f3cc15b49

SHA256
4960ecef26c0bd27df85316b9e76f31b80c547086ab75f0e4f8245fdf21a39b3

SHA512
b8d175287a9d9ace58988e99980dcea5b02e082332e6ccb5b97932025d1c045344f8eff41d33905839d5d805c25af5064b565ceb6d2c22aca5c2653bed0eda72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
a1e6bc604bc90cd0ec957a760e008e56

SHA1
b96dc794ebff2a893f55284f69aa5f5755183eb3

SHA256
4044da5d69a742f1bc691a87500231ab537a2cbbdd95b44aea9c298d167b1350

SHA512
83394983b32c6975a3e2d977831cdd41187017ed5d20a720834b0dbda270779d61e35012a7e563790b356746115def91d5723a40931728421e5e0aa83eb87b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
03dfa293209190f2e0c557c7ce65d050

SHA1
3c300d9f82a1514a3b595e60df19d3edc67908e7

SHA256
cff44b34a9924849a34bd7457eff4d2420ecc39c9740d9ab31c6214f29c22204

SHA512
ef3e3bca4bc97481ea51510a1738b955157c83aaec3f99ad1c833b02fbe3a800787ef1bdd94707020a2fcf17fb6ebf9a06e1cc15e378c90e0ea2ddbe190e304d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
4dcb3a1f13af175cf8bdd8d36f7021d3

SHA1
32409021c4c64cefa5b30b28d59c3841784f65e8

SHA256
4e252bbc7f985b67409df0ce4eed2c767f4b517d3553b81b1b1d966364c8730c

SHA512
b7abbbf37f61e294d7ce5b52c2c3ad10ee29064263187886aa2a74e1c512745e4fc421c1684d8c2957121a8bddf257b9c76eb850edc1b4241a50339a2b8908b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\lionsaregetbacktothejungleforentirethingstochangewearelionkingofthejungletigersaregreatthingstounderstandjunglelionskingofjungletigers___stillalsolionsarekingof[1].doc

Filesize
32KB

MD5
b3234164e902c2d69997868bb0132582

SHA1
f90cffc0516ba2c2b335a9056a8f21390a511c8c

SHA256
84befb8b2d76dca0155593dd04a6858bb84bd96e6d8991dcaba4ca1f177f5fac

SHA512
54d08dce0177e35067bbf8b2fce801ecddaf649e8206150974f2e4b92f947e10b90a05ca4c2599a6ca80507909d4804b48c2aaf817dec8d2b53b6b5154e0bf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD912C.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
228B

MD5
4b9957a613ae70f31f38b61deb060f3e

SHA1
a8d8c827b1898f9b740f2249e2b4644cec39399f

SHA256
35538e6fd4ec83bf0e56c8d1a70369dcfc9d9e9bd2278e1ffda9898b3658a4a2

SHA512
c9eb29c95794b96652c9ffbf50ad6a1f564237b95f29ac6bec6c2e3d34b779c06b01fb05cfacc392ca377efbcf4001f6d4bf3ac7436276815a7b1c856ee1a104

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
15f05569701815667814701f3bd832a9

SHA1
246f73425dc1237afc281f186d24a59993edb067

SHA256
37f4944249d8aa02cd55588f79821a22c2149d2c5c0ed3ed60d543f5a0832aa5

SHA512
40b445b4acc38707a62202f9c7e77e66418d2902cb57276e4d83a5b0341d54aa94b57573038a27a242cf445ce1e2d7822d9827deeeffcf71953812c49889799b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
2e9eda99f9c4a7f274f9d8d3da588d61

SHA1
35816e2fc3205c15862b6ef1970c51e519f4a4b5

SHA256
a3bac1437d1a6f0d2a001f72731a84f4016d08caf7b4109be8b2466d0948f911

SHA512
09b1bd5f1b0a71cb972bfb9cb0303c96517f49d655ba6c6b99d99f2ca98dc88bd96a2f167900cf09339a9966212ad5f8bb4deba13ed2e3ba0f805238cf0f6dc3

Download Submit
memory/812-28-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/812-561-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/812-31-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/812-30-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/812-29-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/4820-12-0x00007FFDC1E80000-0x00007FFDC1E90000-memory.dmp

Filesize
64KB

Download
memory/4820-7-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/4820-5-0x00007FFE046ED000-0x00007FFE046EE000-memory.dmp

Filesize
4KB

Download
memory/4820-3-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp

Filesize
64KB

Download
memory/4820-16-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/4820-17-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/4820-15-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/4820-14-0x00007FFDC1E80000-0x00007FFDC1E90000-memory.dmp

Filesize
64KB

Download
memory/4820-13-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/4820-1-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp

Filesize
64KB

Download
memory/4820-0-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp

Filesize
64KB

Download
memory/4820-9-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/4820-10-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/4820-11-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/4820-8-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/4820-6-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/4820-4-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp

Filesize
64KB

Download
memory/4820-560-0x00007FFE04650000-0x00007FFE04845000-memory.dmp

Filesize
2.0MB

Download
memory/4820-2-0x00007FFDC46D0000-0x00007FFDC46E0000-memory.dmp

Filesize
64KB

Download