89f6a3e0a694c061bdf9286c3fea4223dc25ce92f5e44caac37803af104a92dc

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89f6a3e0a694c061bdf9286c3fea4223dc25ce92f5e44caac37803af104a92dc.xls
Size

408KB
MD5

dd879dd94f21390ba67b8d21901d352a
SHA1

9e51c02883b1e9822756e52c40cd62e0f47666a4
SHA256

89f6a3e0a694c061bdf9286c3fea4223dc25ce92f5e44caac37803af104a92dc
SHA512

299a94ec13febd50cea534c77642bc301b2e9c9d6621dddaf00cc4e958a2662ebbf158c25791d73bb3192963ffdd53c57561754bea466cd4955b4f52639ebd50
SSDEEP

12288:EqFzu4Lj7aF1C/p3m5tCD5+0ZDYryCkzu2lves:9zu4Ljm3CR1ZDYr21hf

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4080 EXCEL.EXE
444 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 444 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	444	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4080	EXCEL.EXE
4080	EXCEL.EXE
4080	EXCEL.EXE
4080	EXCEL.EXE
4080	EXCEL.EXE
4080	EXCEL.EXE
4080	EXCEL.EXE
4080	EXCEL.EXE
4080	EXCEL.EXE
4080	EXCEL.EXE
4080	EXCEL.EXE
4080	EXCEL.EXE
444	WINWORD.EXE
444	WINWORD.EXE
444	WINWORD.EXE
444	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 444 wrote to memory of 1116	444	WINWORD.EXE	splwow64.exe
PID 444 wrote to memory of 1116	444	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\89f6a3e0a694c061bdf9286c3fea4223dc25ce92f5e44caac37803af104a92dc.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4080

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:444
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
2207fdb9365e8bf6f92021690a873e34

SHA1
34d9c78071ae453464bc054fd6f1dd33b95691fb

SHA256
fc907f09ce3123611eee9b93542d7b495678c4ddbeac54ed6f5f152e881e8411

SHA512
d48a61791bd4ae61ff8ac9c0ebd74a29a3f7eb5961036aa08ba8eae783c1dfab133bb2e94a29b0a29171ee2969e0c13df80b22c2962d420de61a12f2ce6b4a9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
d084efd793d2a58b6d4b2d6aa50a2da6

SHA1
89d85893352c0c04761d6ad43f23fbca2985afe2

SHA256
16d2c152e787d3c5f11607e678e0942e7794cfa629632be4220620662a0010df

SHA512
495a0f67363b8f96e0adb13f56ae9c02b1d8657cda18aa1f616b57f8aadfa74c57a7fc751254452bedd84782116de1e637d9b2cc3beb4a12ca641584dcef31ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
e432fa5d8d324be038b86798d3f249c5

SHA1
6da3e77c6ca9368bab281abedde8d7526952ba3a

SHA256
31a6a4c90161c19eb578f7d7be768d18d6288e2ba832fa2946573c9692c76274

SHA512
6569a2f71d60d0d8ec9dc6050a89843fe4efeeeb33fb02942eabdc4a57fe3eaf12e9c4ac5db525663c81534c1456f79aad268df7696b076ee1c79c27a22db100

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
3d6eb6a20416073f6d772459a7ea9281

SHA1
f02152330f3140c194bc28205ec13de84abf88ad

SHA256
67e0cc2a50d377f808655ad76553ddf75ad144306ef0c6b8da247448f2c8a4d2

SHA512
8b43380ab9e523da8e289ffdbb6aaa188468744b596c2b20b3a75be510e51f62372b8cd81c17c0a31a49299a42d2dcac7f72397efc59728ab84eeb5e493f9961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
fee3e1e17bf3d852d93130224e00b448

SHA1
f89448471df532a7da7f35e46f90f93c50e75dbf

SHA256
88af88c1f8aed3828b3810564ef7a0e4af5042e3d018bb13e896eafcaae9b2c3

SHA512
3380e7141ae67ca24268e9155a1614ba4d22e1b3d9ef910b9670d4f8ef7dfd75e6f2c33b1e5f41e5baa6923cd3c7df43747ee09d2438ba3d32530d73a51db53e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\60F1AFA3-8996-49D3-BD9F-A67ADC180D1F

Filesize
161KB

MD5
a241d37eb23f37fcfc4ee4c9c98119d3

SHA1
0c87670cb2c53afcfb1e2af2f9a93eca7bd12e62

SHA256
02c9b882b431a31202410a3f55a565d3855cf59093f5063e7271f84de0d6d3fe

SHA512
8e8d4d9fa5dc9fef7f66a9cc36821868211dfa02e823d03c550a22a53ab0bd17f77aeae11fe39c1b7563346c25acaccc665166d58127b0faa66c6062b7bc7b48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
fbea624c44d6c0f784af51cd6e8ee5dd

SHA1
43b4055f343dbf13940cc7214bfc83806e7bbccd

SHA256
5990e0e151fcde71709fb6d907b72954be2c38b926ed0d0d7650c4742f9c1469

SHA512
b115be472ab770af6d9b23d0f1ea75557927751d8959d78438dcfdf03620a8ce0af3ad8176146214f2e1b7dbb50b92ecad9e3e7f609b8f2719a3cc5949a2afb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
6cb30bc12420ef8c17a168324ba989e3

SHA1
2779e7d780ded989c59ec36de2409f22b9cae43b

SHA256
3de2814ea0d072ad8818d80692c2a917bd9c6ba8804f452b56a3c8fda7a10e88

SHA512
7edbfa3da6457033b15bb7a7943bbb9293064e6b48e3118a3d0feb4bb9fba022b19a0e124c95f8931d7491caffbe4f98f6d0c39f49f5f8c0a22968405eb2a1a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
a8ba4aeec295d016ada69f876a80ea9c

SHA1
ceec170abc47116fcb3fc8bad76731b0f1d43423

SHA256
1644b857375dedf8e476d18ef5d44eb8c0d8084d29684babb2227a1c0ccf5df4

SHA512
a0bc542e7cab1cf067869cb6479aba9cf24d0e2a37ef879301bc7accda74cbb45b9a1c8627ec81529b5da4d23eab9dbff7bc2f3d1a52f837c415bf5d8aea02b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5E28C2A2.doc

Filesize
27KB

MD5
e13564472ea764ea770184d941109717

SHA1
592678a1961bdb26503f8ba278d247ab4592c3c0

SHA256
e8857bcb01131dbaa46095e83738b82bfefaff4815ce11bbdfc1de30d146269b

SHA512
a13c0e03c40d02e7aa07fc755f9d3c1aff291cdb4fe54c7eb418109636c42babfd0c58760c514038f59ff604ff145a910deefc32a94d82ea3fa645f4a2f2d3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD8772.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
229B

MD5
481c145f7c31f51bad7729e5d14ce7e0

SHA1
982a030e12a3d355809f167f61e06a9b03f2743c

SHA256
5cff8cff8b716ee9befe9249dcd14df279106d682eab4c121ab29a1fec610583

SHA512
e2c2eb1d408896227f95cf8eab372d332bbc1ca151b4fbd6431b1db12d2a4192a7ea8fefc24420333c8949e9df363b149278902c6c5d6c2b0c6c1d90b17f14e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
10ad9bb6007c23e48a893f39cb7db8bf

SHA1
0c7f2f22b454a40236b52473c4000c381642db4f

SHA256
97e637950044884fc5e98da0b7abedea4ff7464d434ab28b62322be54395148c

SHA512
5e9f47b25f6ca7aa4fc4fc1506ca5c7ca5845125920220aca8918206f2924faa130b0acbe09a50bacb25dd6f04000b9cc1c822ba5b1800c6309e22622b2fac6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
98d274b69b802eebad6cb7cf4045d83b

SHA1
4f14e0bb9dfed9b55e7fda240ab6893c9d49db93

SHA256
345a6fee6c972ab5981a439786ba0962dcc0906f22e9762f58946aca290b1aa1

SHA512
459ea1466f9b813faae9c8639609344e03bd2fc7e62149bdc3e2c63cfdfaa90b80a388b3828769be04cb549ea214bb58a6aee7636eaa53a5f63400fbc9ef893e

Download Submit
memory/444-42-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/444-574-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/444-44-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-11-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-0-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download
memory/4080-14-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-18-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-20-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-19-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-17-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-15-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-13-0x00007FF903A50000-0x00007FF903A60000-memory.dmp

Filesize
64KB

Download
memory/4080-12-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-10-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-16-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-7-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-8-0x00007FF903A50000-0x00007FF903A60000-memory.dmp

Filesize
64KB

Download
memory/4080-9-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-5-0x00007FF945ACD000-0x00007FF945ACE000-memory.dmp

Filesize
4KB

Download
memory/4080-6-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-4-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download
memory/4080-3-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download
memory/4080-1-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download
memory/4080-573-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/4080-2-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download