89f6a3e0a694c061bdf9286c3fea4223dc25ce92f5e44caac37803af104a92dc

General

Target

89f6a3e0a694c061bdf9286c3fea4223dc25ce92f5e44caac37803af104a92dc.xls
Size

408KB
MD5

dd879dd94f21390ba67b8d21901d352a
SHA1

9e51c02883b1e9822756e52c40cd62e0f47666a4
SHA256

89f6a3e0a694c061bdf9286c3fea4223dc25ce92f5e44caac37803af104a92dc
SHA512

299a94ec13febd50cea534c77642bc301b2e9c9d6621dddaf00cc4e958a2662ebbf158c25791d73bb3192963ffdd53c57561754bea466cd4955b4f52639ebd50
SSDEEP

12288:EqFzu4Lj7aF1C/p3m5tCD5+0ZDYryCkzu2lves:9zu4Ljm3CR1ZDYr21hf

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	Process
1800	EXCEL.EXE
2372	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description	pid	Process
Token: SeAuditPrivilege	2372	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid	Process
1800	EXCEL.EXE
1800	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	Process
1800	EXCEL.EXE
1800	EXCEL.EXE
1800	EXCEL.EXE
1800	EXCEL.EXE
1800	EXCEL.EXE
1800	EXCEL.EXE
1800	EXCEL.EXE
1800	EXCEL.EXE
1800	EXCEL.EXE
1800	EXCEL.EXE
1800	EXCEL.EXE
1800	EXCEL.EXE
2372	WINWORD.EXE
2372	WINWORD.EXE
2372	WINWORD.EXE
2372	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	Process	procid_target
PID 2372 wrote to memory of 2460	2372	WINWORD.EXE	105
PID 2372 wrote to memory of 2460	2372	WINWORD.EXE	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\89f6a3e0a694c061bdf9286c3fea4223dc25ce92f5e44caac37803af104a92dc.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
d084efd793d2a58b6d4b2d6aa50a2da6

SHA1
89d85893352c0c04761d6ad43f23fbca2985afe2

SHA256
16d2c152e787d3c5f11607e678e0942e7794cfa629632be4220620662a0010df

SHA512
495a0f67363b8f96e0adb13f56ae9c02b1d8657cda18aa1f616b57f8aadfa74c57a7fc751254452bedd84782116de1e637d9b2cc3beb4a12ca641584dcef31ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
865da29c5d72a3be1dfbb50831aaea6a

SHA1
39305481fc81d916e5b7f55923a2820d6b6761aa

SHA256
3a4388e6c8aad7459a7e640c9e89735ddbd7115f6e14b7b7e2dcc1d397ce09a5

SHA512
1cec85d23c8ec5d6dd6129241e52963897b2a6161ac1fd8369d5ae2988215b45659c3bcd4457151683a7368ec79fa4c8cc53ef8475e517f2337660602d7d1fb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\144EDD9E-7C3A-487A-8D7A-5CAA09C53DF8

Filesize
161KB

MD5
9e39f51053bb786e877a828b787abd6b

SHA1
433939fc44bdfe6524e3539af3a9de43544dafa3

SHA256
70a32965ac5a79a7d9ceec442aee014105d63e61817d0216f82fd50322db7894

SHA512
fc4bd1758ff15078f89622e037e9ae504b970e17a802528b98e739379cf3f9b4aa94131f24edaac6af87212f1d5bc1e723bbd723353b9ddfd3e2b733616d381c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
0bbb755ba14ae27460f48a02c8175644

SHA1
203865e80fc284ef1441e43a81dcf3f4de171cec

SHA256
382ff97c9563f539947ff1ff85d3ea533cf3b94f0873ed5d1d0b8526257f182c

SHA512
d9d224494e2ef5e220eb9acd81e5143d366161f0e5dfeb6cdcdce795c916bf256914df222785d745dd9a49705b75450981a3dc474d67a8d7de2434c7cbcbf543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
194fe9f0cd19107b034d875633d48164

SHA1
a8e0b32feec8ef66b1d4500403df27063bd9fc4f

SHA256
d6fe8d6fcb3da2846d5fd4d00d6dd9905bbd5e4bc00c50830f0c3dc03ec2bb32

SHA512
4be5fa4d80fa4c91ec64c074749c8f32c2e5cbee74d70699660b9e3aea88d500ab67e0b631e11905e77f5e0e00b020d4491fd92c0aa47d83bd2b14f22d1964b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\lionsarekingofjungleinthisworldwideforestandeveryoneknowthatlionsaretrulythekingofjungleentiregloval__lionkingofthejungleforestture[1].doc

Filesize
27KB

MD5
e13564472ea764ea770184d941109717

SHA1
592678a1961bdb26503f8ba278d247ab4592c3c0

SHA256
e8857bcb01131dbaa46095e83738b82bfefaff4815ce11bbdfc1de30d146269b

SHA512
a13c0e03c40d02e7aa07fc755f9d3c1aff291cdb4fe54c7eb418109636c42babfd0c58760c514038f59ff604ff145a910deefc32a94d82ea3fa645f4a2f2d3d1

Download Submit
memory/1800-12-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-2-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

Filesize
64KB

Download
memory/1800-10-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-9-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-0-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

Filesize
64KB

Download
memory/1800-14-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-15-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-16-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-17-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-18-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-13-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-19-0x00007FF9C74B0000-0x00007FF9C74C0000-memory.dmp

Filesize
64KB

Download
memory/1800-11-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-7-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-21-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-20-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-28-0x00007FF9C74B0000-0x00007FF9C74C0000-memory.dmp

Filesize
64KB

Download
memory/1800-112-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-47-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-48-0x00007FFA09B6D000-0x00007FFA09B6E000-memory.dmp

Filesize
4KB

Download
memory/1800-49-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-6-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-5-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

Filesize
64KB

Download
memory/1800-4-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-1-0x00007FFA09B6D000-0x00007FFA09B6E000-memory.dmp

Filesize
4KB

Download
memory/1800-8-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

Filesize
64KB

Download
memory/1800-3-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

Filesize
64KB

Download
memory/1800-109-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

Filesize
64KB

Download
memory/1800-108-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

Filesize
64KB

Download
memory/1800-111-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

Filesize
64KB

Download
memory/1800-110-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

Filesize
64KB

Download
memory/2372-64-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2372-45-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2372-117-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads