191a46b3849f0cc60ac2e0a3387585dd9c34e2b28cb66bffdbda08238ee53710

General

Target

Ref19920830281982938RT.xls
Size

308KB
MD5

f5051793b6c98a29efba84f3821d1e30
SHA1

b6b446e72525796444ae132fbb6af6788f08c5de
SHA256

191a46b3849f0cc60ac2e0a3387585dd9c34e2b28cb66bffdbda08238ee53710
SHA512

f8be2d2f6596deb0aac8d4770ba3cde80a39f3abdda9f9c32e0fd337c3a127fb518220bfad65528d29b9c4fa23a2312cadc08f9e2a3ababf1c9be4d44db9a9f6
SSDEEP

6144:QKHTwu2pQHTIIwJsl5mAwKTwVbE7s9NEfUuqMQTZabPYDX:5QAExhKTWESoQTUPYD

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4664 EXCEL.EXE
3984 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 3984 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	3984	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4664	EXCEL.EXE
4664	EXCEL.EXE
4664	EXCEL.EXE
4664	EXCEL.EXE
4664	EXCEL.EXE
4664	EXCEL.EXE
4664	EXCEL.EXE
4664	EXCEL.EXE
4664	EXCEL.EXE
4664	EXCEL.EXE
3984	WINWORD.EXE
4664	EXCEL.EXE
4664	EXCEL.EXE
3984	WINWORD.EXE
3984	WINWORD.EXE
3984	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3984 wrote to memory of 2228	3984	WINWORD.EXE	splwow64.exe
PID 3984 wrote to memory of 2228	3984	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Ref19920830281982938RT.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\242E473D-995D-4DE6-B016-C3005A86C689

Filesize
161KB

MD5
cf18c73314fa2cf084508221934f259c

SHA1
05d06b4bb9d56935e1fd3e73662a2b354f7abc4e

SHA256
0bb77ada6be41b155bdad23c58f1073a80c6127490a05667b3b27fe0a1f94b9d

SHA512
a4f4140b78e2eab8c9c2c48cc7cf2a1a58bbbf4c102cc0c773b4b45db676939aca1743626086e87f69208f79d4dba6f95b4b12a30d1eacd6dee609e07e2c046e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
e69494e1fadb8298332d3704b2abd718

SHA1
35d3d264d4fa2a6db5a4c030babbb4208948d064

SHA256
0bb4d9fa00201a424976c18f003ac7c06a8b8545351fe798e84b49b81c2f3a97

SHA512
9dd851870b17b6260e899deb8e26cd0d5dc18ab8053f2646317042603fd3e2cdf9229eb31179fddf8d360280b1f84716cd00b15c0b18128ca472a60c112bf054

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
7d7108e62cd754459dc88e028ff5a947

SHA1
efe2ef67dcdf690bf47604b5c8c50e8c3794f32e

SHA256
50b8c8560afcd2c88f57dbc288e8dcb668b6fb87f7ebe8741813855d4348e5e9

SHA512
d16ea51a9d6f743116420bca2ba9d4a0665601212884faeef45c17ef61b418cd7e28be6ccb03778c798bb931c55457b3f58ae8f16d3dfac9494151fd2e3e1dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties[1].doc

Filesize
34KB

MD5
d92d4f4a1d9dd4151b48dba9c911be5e

SHA1
41391287e7442a0629bebcee4a09b5c751c3334a

SHA256
4bb44d988825a04032c6e4ed62a631698dddee523cb1efe0ad6422492b939463

SHA512
5e422753e2ddac52698bd07582404effd943acabb9d48ef3f37d6ead1ec6c1883329c597208b6e963dd172c3514a89cdf2ccbf395147646bedcdf976f5eb4663

Download Submit
memory/3984-103-0x00007FFC81410000-0x00007FFC81420000-memory.dmp

Filesize
64KB

Download
memory/3984-100-0x00007FFC81410000-0x00007FFC81420000-memory.dmp

Filesize
64KB

Download
memory/3984-61-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/3984-101-0x00007FFC81410000-0x00007FFC81420000-memory.dmp

Filesize
64KB

Download
memory/3984-33-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/3984-102-0x00007FFC81410000-0x00007FFC81420000-memory.dmp

Filesize
64KB

Download
memory/3984-107-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/3984-36-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/3984-37-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/3984-35-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-19-0x00007FFC7F3B0000-0x00007FFC7F3C0000-memory.dmp

Filesize
64KB

Download
memory/4664-7-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-15-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-17-0x00007FFC7F3B0000-0x00007FFC7F3C0000-memory.dmp

Filesize
64KB

Download
memory/4664-0-0x00007FFC81410000-0x00007FFC81420000-memory.dmp

Filesize
64KB

Download
memory/4664-11-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-13-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-14-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-12-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-9-0x00007FFC81410000-0x00007FFC81420000-memory.dmp

Filesize
64KB

Download
memory/4664-10-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-16-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-45-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-50-0x00007FFCC142D000-0x00007FFCC142E000-memory.dmp

Filesize
4KB

Download
memory/4664-51-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-8-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-54-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-6-0x00007FFC81410000-0x00007FFC81420000-memory.dmp

Filesize
64KB

Download
memory/4664-5-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-4-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download
memory/4664-1-0x00007FFCC142D000-0x00007FFCC142E000-memory.dmp

Filesize
4KB

Download
memory/4664-2-0x00007FFC81410000-0x00007FFC81420000-memory.dmp

Filesize
64KB

Download
memory/4664-3-0x00007FFC81410000-0x00007FFC81420000-memory.dmp

Filesize
64KB

Download
memory/4664-112-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads