5ecb1c165bba0943b8045f67b815415a79afbac8e0e2b2f62ada65e2a9578dfa

Analysis

max time kernel
148s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4e8de91a95148d69be9d136d4c137be513fb9afce19178d727e8d4102474690.xls
Size

307KB
MD5

da661ecf5a13944be08d4f39d7060b31
SHA1

f4f2a2dbebd38c5f4e0694d20e77d045f9521762
SHA256

f4e8de91a95148d69be9d136d4c137be513fb9afce19178d727e8d4102474690
SHA512

159b066727b5829b91d7c571411a1489d94c996eacec48593aea1d7cf3e8c7e806348a8a61dc1068801c88957a789fb9245726197d683e36a30dccb486a4c44e
SSDEEP

6144:X0W8j030Q4eIoCCvJpHwb268cJIKP0EtXg03Y2ZAOZ+az2hNIP0f:EW8zQ4bnCvnwb268/Eamwz

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2364	EXCEL.EXE
3424	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3424	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2364	EXCEL.EXE
2364	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
3424	WINWORD.EXE
3424	WINWORD.EXE
3424	WINWORD.EXE
3424	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 4296	3424	WINWORD.EXE	97
PID 3424 wrote to memory of 4296	3424	WINWORD.EXE	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f4e8de91a95148d69be9d136d4c137be513fb9afce19178d727e8d4102474690.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
861e41a8d4acc609bcb047a7e9a86547

SHA1
32b37c6a1053b5366489d2c54db8bfc796e39f25

SHA256
cea28cfa521dcaa940f311c85cd55265b6a6820534f7df286f4b24d915b2b5c7

SHA512
5d1804229808c5a09b659ca2f43be902c00c0a3d3c14e6e909355ffc3f1b001eb202eadbc16b5adfb298777f69c5dd45e70e6a7bb9dc40aec5b76de9cad5a27a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
d084efd793d2a58b6d4b2d6aa50a2da6

SHA1
89d85893352c0c04761d6ad43f23fbca2985afe2

SHA256
16d2c152e787d3c5f11607e678e0942e7794cfa629632be4220620662a0010df

SHA512
495a0f67363b8f96e0adb13f56ae9c02b1d8657cda18aa1f616b57f8aadfa74c57a7fc751254452bedd84782116de1e637d9b2cc3beb4a12ca641584dcef31ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
bc693ad5da749beba466d1e8c9102565

SHA1
5cb91255cef5c17ed8a1820b1a62b2622b3dc22b

SHA256
7ae49c7b6489bf8f97a7d2c3d60282e4143423abe0d647eb0649da5772da9c26

SHA512
5489297d36aef0ec3a2a76ca715e37e4c86cc3b6a23cc8a12c8eb008881e9bd7f77e297bc993e4af087394bda0acea73166f8642e254a5606ab14f6ab03d8702

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
76d1540b3a6effa4aa37860fe9980f91

SHA1
709ba6d24a11c76b8034ce460bd1b074563337e3

SHA256
364268f55e22dc31321abb49377c8d14871ca8ec77a317fb09291cdda0431dcf

SHA512
12df4120d42e655730d7afd87dd1aa0947883977ec45cd44dd3edfc7c01c76fb6430a65a65de774b0ba720e91faa520290ce43325ea7404002dda8aef828783e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
ff00dd2c70386d61a46230f1e45efbf0

SHA1
9e61d4b75e1f94b40a7f74f32ce098b723303e3a

SHA256
1ce80470f5410ca9ad113c2ce22b55160cd31a58a9827145a925af3e087fa6e1

SHA512
f11bd8f1b8d32f47c3b8baf1a933249e82167c000492bec36d44f3c849e1e80fdca2442bab56e8ad059d8e398d3a036b9dcbeae482c02320def44f467bbf12ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\24CE929F-0DD0-44DF-AE26-26A45DAE8065

Filesize
161KB

MD5
430a8189c846abaa12edf7637f84107c

SHA1
84136e46921650c09fb8d61741359f7736af24c4

SHA256
e2a3b5d0ad508c4da42f3779770644121397018d4befab037b488d05ec3dcbaa

SHA512
df564a9c2d8290afb481dd079259ebd4bb983bab9eb5f0613c223511233940f90d6d35742a99396eac42685a3e6231adb9a8e12e2e10328964f6f5f8b4e929ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
36e83e8b248501f9e51eb1a059ebc888

SHA1
6f819151e3bf5188d32b882bf5915c3f1c9e6f2f

SHA256
590c42edad9493cb20c08f94cc0ce420b218235c5fd21dcc0796edafaff98d2e

SHA512
dff97a75a31e74a459b5ec8b41711195d2967be98f607e64eb318a9a19d4e46ebb0d8c6e46ce88f0c6f196368379c04f7998b68f68651baa6838eee31b2135ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
2c80b4ab600623b736b1628f77922be5

SHA1
db84999003f552223880c84fb399f7c69ab94d98

SHA256
bcf24907f0792d63455b154783436a62a9b232aab4e143e94af5ed69b974a425

SHA512
585cdf968ff12c1454a9684a5f5e14a3fef4ca54b3cc2faa92ae673f393c66cb4aefaf659c9859908918c03517b94cbded990c44220c9ac95660a25e39139649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
1043956136d4a4b1555fe6fb7c2f5a56

SHA1
9f7f2aa3b9f62e534d5c3eb64aa183159e560479

SHA256
d504e9ae5ef7e5b3f9c0d035a73d9c2a96e3591570f7ca15e70aaeba00596f9a

SHA512
e46455c6b0af710440c16b98745bd331df41ad94e6602c2a32135cc7369f02a9e4cd28c6eb48eb84536542d1d6d913f7ecbdef7a6ddf7f1d061cc7d1ce4252d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\lionsarekingofjunglewhounderstandhowfastweareworkingonthejungleasakinglionsalwaysdoingattitudetounderstandheistheonlykinghave__entireworldkingsofjungle[1].doc

Filesize
41KB

MD5
6781a0a5abf2165abf919905d302fad5

SHA1
27030e5da2074aed190aabb34062cd7c98c15ff9

SHA256
e6b4ddcb82f3e9c6e014cdb42530f31440aa0b59dde38b0a568e865a5b362933

SHA512
15171faf1688a044ed4d4bf9aaff8e04b35b8e5ea6b2d876d9c28cbca06532dd5b4102249b27b70c9c1d227aa98e4ccb8db039ab6dcc4870070c25a8786b0670

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9DEA.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
229B

MD5
32e68ca3cdd3bae2e7994e7d976da4a9

SHA1
d3ad9f8aec7bddde097c13aaec95059b2f546cd4

SHA256
332d40f6834fb30d9907b2145b07e90f88049c8ad414d15af3399204424ccad4

SHA512
2c7c2bef849edec38c8aeb35bd587508af9e36edda466e7cb899181ca8898d54cf94f84fd058c0faffb9cec5ed552636738cd150774555f44c173fae467730de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
e4dcd371334fa3cb9e97ba197d60909e

SHA1
a0894b823334187e15af3e5aa3d2b89030a283d6

SHA256
2656be5a0b299ba7113daac5a8a32dabaf8d9bd81b8b70d910fbf09e69ba1509

SHA512
f01e60adccb0abf712248900485928bec115f42e00c2c52082e83255f60e4a38543418fb9b6f19054d7d78f355fb766da15e8ea206658ab230ad9c255e15ad00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
fdf44ab6a8a9be429f0da35280aec5a1

SHA1
c8d29c6f3e83a452bc9e64681ec330a8eb3d47ea

SHA256
aa8a67b92b1ec4ace0d0fefbc5c9669525133a87c4fb3bd32ae432d0c1cc892d

SHA512
10257b6a9fc45e71588e2cad33a1b0f5abbe7a9f54d71c6a604c105016620b121d506130466174ed7024d1c001469e2dad0417258f30355942a8cf5b7abee2a7

Download Submit
memory/2364-13-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/2364-9-0x00007FF7F17F0000-0x00007FF7F1800000-memory.dmp

Filesize
64KB

Download
memory/2364-1-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/2364-18-0x00007FF7F17F0000-0x00007FF7F1800000-memory.dmp

Filesize
64KB

Download
memory/2364-574-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/2364-2-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/2364-6-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/2364-5-0x00007FF83386D000-0x00007FF83386E000-memory.dmp

Filesize
4KB

Download
memory/2364-7-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/2364-8-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/2364-4-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/2364-11-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/2364-17-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/2364-16-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/2364-15-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/2364-14-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/2364-0-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/2364-12-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/2364-10-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/2364-3-0x00007FF7F3850000-0x00007FF7F3860000-memory.dmp

Filesize
64KB

Download
memory/3424-42-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/3424-45-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/3424-47-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/3424-46-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/3424-44-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/3424-43-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/3424-41-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download
memory/3424-577-0x00007FF8337D0000-0x00007FF8339C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads