2feab58698094b0d257ef35fca431f020a8d08d622bb629d0cc9e681a1af0a81

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2feab58698094b0d257ef35fca431f020a8d08d622bb629d0cc9e681a1af0a81.xls
Size

244KB
MD5

097581fd59cba7e6f3ef2623c380ffcb
SHA1

d941e4a177de4815cfe667f0282f0ee8eaabde0a
SHA256

2feab58698094b0d257ef35fca431f020a8d08d622bb629d0cc9e681a1af0a81
SHA512

6628fc508369c4b622e790084b8e379ed432d2985cb2375cd90528bb6ef89568131d8ebec4a62f1202c56170a98bd2c766f937c336e09f011992f6760112a61a
SSDEEP

6144:ue4UcLe0JOqPQZR8MDdATCR3tSul0W8ETwFN3sm4Lc7qRcz0DLdvU:EUP/qPQZR8MxAm/SbW8E8N394oeuMLq

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2760 EXCEL.EXE
1916 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1916 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	1916	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
2760	EXCEL.EXE
2760	EXCEL.EXE
2760	EXCEL.EXE
2760	EXCEL.EXE
2760	EXCEL.EXE
2760	EXCEL.EXE
2760	EXCEL.EXE
2760	EXCEL.EXE
2760	EXCEL.EXE
2760	EXCEL.EXE
2760	EXCEL.EXE
2760	EXCEL.EXE
1916	WINWORD.EXE
1916	WINWORD.EXE
1916	WINWORD.EXE
1916	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1916 wrote to memory of 1108	1916	WINWORD.EXE	splwow64.exe
PID 1916 wrote to memory of 1108	1916	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2feab58698094b0d257ef35fca431f020a8d08d622bb629d0cc9e681a1af0a81.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2760

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
f25f119a4094034e3bbc09d46d5e1bb8

SHA1
79483410d5504c12e7f69a6cb91eff935bd0b3c2

SHA256
777e4ab76436cbb867cde029717efcfaed2fd27365fc0e812513f1537e62cdeb

SHA512
9d3b9dd091a128ca1e4f3045e5aefa9e73a24a41830eb936102c9f1f68cafc74ed1d7150a9b1a5d3d21802d7bc38e4f919e94088aa1499fbc955e6e74c042a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
49852ac3d4ad4362b4f9cd0a668ff6b3

SHA1
26912a011d862f3ad4ab90c65e1091a1819cf0b7

SHA256
5aed9e14f85e84ce3d996b9738987ff03d3dd80ec6bebd4c30c63139313819bd

SHA512
220563184c8fed57100b86eee7c56574f06119359dda8f5cb338373693e8e7d7a983ff110c13d587d52fec9f2b14a9c5c8beb29585f375c90a213f037f30d703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8350DAB7-33F6-49C8-9242-0BD57C167B42

Filesize
161KB

MD5
45added659853efa4440e0c73ef902f4

SHA1
adab5fa07b30a6585ee551165a9f56e862a05939

SHA256
4a36179ca8a24aa2458ea423cfc318fa06e613e156f94678d4363816088d684c

SHA512
007d118c7f709c160ee64dc8691b003dd9b2ed4badbac177fcf2a8e2e92c6364e0c2ee8f84bafe4d404e86be918a927bd919a1de08bb6bb13d7d76f38015a0ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
ba2c6fa5090df21ccceb578245e1a9b4

SHA1
eeee1482617e144ececfe08e8d6445ef7814681a

SHA256
aa4a45542624fdb09ae9bf1e323482c8fcc3475b99648b6fd0d5dcb63dfc41c6

SHA512
5e590092d9c57b771933588dcae204098817819034c772f19372fb19b1a577d92d6de1d0b5a30310176357d232f5c484f3b85f93c16842c02dd2f382b455d53a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
f45db174099c511c728efeab52ad3aff

SHA1
1cefebb8ce61918483f2fd9fe2bcbe72616f0dd6

SHA256
e0828938dcb353f70bc5b10991e3c3d873c40386dd45e24bf9585c7d2ffa78bc

SHA512
c8ddbd7429d486d663b9d7edfde0c17e76943be9b9a12b4b9289a0d8f59c042696cf0a96e203bb81347df62bfe3519540cbde4b2ad7e3a56bf0ecf1f8513e533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
6f9252218fced0b667eb245e3b526c43

SHA1
e4ca209a2c28633101526de152479cf347de8d63

SHA256
f32f2647c32cdcaad1931b83326934d00df481cd8434800c11b6aaedf9ced453

SHA512
2697f759db9694f3bf0ef2bbed6427b6107407d9a1e3b7709afe69edec7e1eca52993cb24c806d083899fa05d0c825fbcb7b05f66248b6cd85bdad94006b20b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\79ZXHV21\lionsaregetbacktothejungleforentirethingstochangewearelionkingofthejungletigersaregreatthingstounderstandjunglelionskingofjungletigers___stillalsolionsarekingof[1].doc

Filesize
32KB

MD5
b3234164e902c2d69997868bb0132582

SHA1
f90cffc0516ba2c2b335a9056a8f21390a511c8c

SHA256
84befb8b2d76dca0155593dd04a6858bb84bd96e6d8991dcaba4ca1f177f5fac

SHA512
54d08dce0177e35067bbf8b2fce801ecddaf649e8206150974f2e4b92f947e10b90a05ca4c2599a6ca80507909d4804b48c2aaf817dec8d2b53b6b5154e0bf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDC014.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
228B

MD5
4b9957a613ae70f31f38b61deb060f3e

SHA1
a8d8c827b1898f9b740f2249e2b4644cec39399f

SHA256
35538e6fd4ec83bf0e56c8d1a70369dcfc9d9e9bd2278e1ffda9898b3658a4a2

SHA512
c9eb29c95794b96652c9ffbf50ad6a1f564237b95f29ac6bec6c2e3d34b779c06b01fb05cfacc392ca377efbcf4001f6d4bf3ac7436276815a7b1c856ee1a104

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
5297c6d6d2dd21d5cf33720dd77b47ff

SHA1
d814de1d6a71d157e796b2b9fb5875ad2354f7fd

SHA256
2b7dce53baa029f1805ebeac04e7faa1d2a03d716cfe62104bda0ddf9ef37a3e

SHA512
67536242fc215d5511959e428c45112b1990aa6a5039fe39e7a53a305e56e3ab791d7054f3b082c4373d5bf6506faccf99bc9e9bee3903a2d98b7bf795f6f126

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
023ff9a6628a5b8b31042953cacdba26

SHA1
e8a7cd470a39f153b6da70c10ccc1294661eacd9

SHA256
6a71967788caa00b6fb9f962cf46ea6d280ea3dae4a7ad43027192c9131e63c0

SHA512
2db2e0b809c0368869d2f7315abf4b08a29f9b4fffcbc8c9e27bd14e5e2e9e000ee114dbd581d8cf538c6077aec6ecbd5ff43f7194de77c18e950cded8355158

Download Submit
memory/1916-34-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/1916-567-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/1916-41-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/1916-39-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/1916-38-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/1916-40-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/1916-37-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/2760-9-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/2760-13-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/2760-11-0x00007FFBDD4E0000-0x00007FFBDD4F0000-memory.dmp

Filesize
64KB

Download
memory/2760-18-0x00007FFBDD4E0000-0x00007FFBDD4F0000-memory.dmp

Filesize
64KB

Download
memory/2760-15-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/2760-16-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/2760-17-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/2760-12-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/2760-14-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/2760-10-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/2760-0-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp

Filesize
64KB

Download
memory/2760-3-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp

Filesize
64KB

Download
memory/2760-8-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/2760-5-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp

Filesize
64KB

Download
memory/2760-6-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/2760-7-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/2760-4-0x00007FFC1FE2D000-0x00007FFC1FE2E000-memory.dmp

Filesize
4KB

Download
memory/2760-1-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp

Filesize
64KB

Download
memory/2760-566-0x00007FFC1FD90000-0x00007FFC1FF85000-memory.dmp

Filesize
2.0MB

Download
memory/2760-2-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp

Filesize
64KB

Download