Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 28-05-2024 07:05
Static task: static1
Behavioral task: behavioral1
  Sample: P02405912916 .xls
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: P02405912916 .xls
  Resource: win10v2004-20240508-en
General
Target: P02405912916 .xls
Size: 307KB
MD5: a0542b78900219b359325abd36386b47
SHA1: d09019d751dc0de0ca3397eb150d6ec6bcf8edff
SHA256: 13d02298461e48cb0983570112f5c55d1cfe965fae0b8b320cfac7fde28621a3
SHA512: 36eecfe3e8e7533aae5d5fd7e7ace1c6c61b5720abcf5f3ca849155010f1ebf629e98feee0b72bb511d7dd70c6d87a586452cc1cbc64a4405b4247d7e1c2a432
SSDEEP: 6144:b0W8bTwBwKs4Dzl7Az6/XgGc9bR3LwLee57eLcqKimkkfb5F:IW8fw2iDz1Az6/G9bR3M15yLtKph
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  4356 | EXCEL.EXE
  4792 | WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeAuditPrivilege | 4792 | WINWORD.EXE

Suspicious use of SetWindowsHookEx (16 IoCs)
  pid | Process
  4356 | EXCEL.EXE (12 entries)
  4792 | WINWORD.EXE (4 entries)

Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 4792 wrote to memory of 3652 | 4792 | WINWORD.EXE | 92
  PID 4792 wrote to memory of 3652 | 4792 | WINWORD.EXE | 92
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\P02405912916 .xls"
  PID: 4356
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 4792
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 3652
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 1464
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
  Filesize: 471B
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
  Filesize: 412B
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B27BE03B-B4BD-4D09-AD72-98F1C5B566EF
  Filesize: 161KB
- Filesize: 21KB
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauty[1].doc
  Filesize: 46KB
- Filesize: 262KB
- Filesize: 228B
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 5KB