e8414dd64dbd95608d21a7b6171b875454f19a7f317f9cf6690448628fdfcf24

Analysis

max time kernel
148s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL AWB# 7954365333.xls
Size

280KB
MD5

6ebcf0b1e040ec839f51640a35fa75f4
SHA1

84594217603fec2be41887b9361f565cbbd536b8
SHA256

e8414dd64dbd95608d21a7b6171b875454f19a7f317f9cf6690448628fdfcf24
SHA512

9aee1cab6c9af209b2408aade2b6122b399ca58594f8fa7453cbd6e6dec422014f1c3eff6db0055a12719c856709d4512db3376f02260dca4d665ad8c1c84c9f
SSDEEP

6144:qqFzL5LIT47HtxcbELOS8bBidbu7wGkMV4fonU8ZfI:qqFzu4LEb8OSgBugwZMEWUq

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1692 EXCEL.EXE
4784 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4784 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4784	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
4784	WINWORD.EXE
4784	WINWORD.EXE
4784	WINWORD.EXE
4784	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4784 wrote to memory of 912	4784	WINWORD.EXE	splwow64.exe
PID 4784 wrote to memory of 912	4784	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\DHL AWB# 7954365333.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
471B

MD5
be0f80225826889a820e84d22d8b3438

SHA1
7dfdd3ad6d5149b1e6a0f1aec907b947a1248087

SHA256
13b3a9d744988146e7c4d4cd27c4b2cce75495fc39cb90d8df16ff80438ce1e1

SHA512
6124217bb9f9e793da57f74ad7f852d2552b0f6ae1448a710b4356db2359798540f4b25506300307c48be3b1f2ad3b65bc8776072a028ed6aeb5cbea22785975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
412B

MD5
0445a30cd4d409ffb32ea6a59857c08c

SHA1
d3269a880fd6b5eae85929d973ac761f03d2a925

SHA256
5ee93e0fa6790b9e6d574ac15b74600f4fee75dbcf47c5c282c50f1d14389682

SHA512
25ae858becf47902c6f06874bfbc4297f642b4d5acf1be8fad1435ddfcba5cc485a617be117854a2ad8040d402c512a7322d2cefa7f8dbc3c09cc380f77beeff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\39657CB2-847E-44ED-9EAD-79053DA7E288
Filesize
161KB

MD5
1300c187a17fe9a120d0a9a6e9a5804a

SHA1
38cb00c536112fc3910da5cd60fc6b471686991f

SHA256
dfed9426d51a4aca9c567a636c222b406aa4323ec50645d7b76dd12c37d6b42a

SHA512
e3249047c81ba7cd96d3740b3e7472958c45de208a1fe2f66052839aa98a8c017388d42d257b982c5f9adbc1c65786c59605f134918d68010b46b1c98b6bb14b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
3e185dd8a4daa94cc545c4eef165adb3

SHA1
87d7d3b6d1c6fc6bc83433b71e59606380572744

SHA256
670392311358fefc8fd402471331fe13b29fb84dba9a8e02815b5d0a4a1f80a9

SHA512
8cce3296f5f2ba35a71eb96ecacb78bf9d87eaa0d01717d4564c4c76e965a0a530d2e726ee1075d78b7530204f6ec84e1800421c797f2b5c4c84e21b91392dee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
5ce29ca13e3e5fd5b1e82a5984e9cac4

SHA1
b5ad0b9c4ecb6add44841d729201554be95bc680

SHA256
172927c44ec650d2584af67784d9083a95a6e3c98f9eaf78111454ac711a6f7a

SHA512
cf2ee78a8b617718641292f5379427acf677d9293d85edce442e5a56873f3f8567678c082a1a42cf97490847f004d9c875fd103a633825c019c3013e56115cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
9be17053c299ccdede9a872da9b9c7ce

SHA1
05e13c756698b817e88a1eee377eea3da5307e41

SHA256
8531eb844d79637be738a3416d359b08ba9bcb21d371f5066e0f2215322ea3f1

SHA512
b1a135075ac15dae16313a3c754346dc90af46f643c85eb14386b8b32cb5d39c92a6438768e96728979ea1009299e4bc5c35764a7e911f420441938705258008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOWSKSPC\lionunderstandjunglenotabletorulealonebecauseitsverydifficulttogetitbackwithentirethingsitstrulyagreatplantogetitbackandgreat___lionisgreatanimalalways[1].doc
Filesize
80KB

MD5
9794997a7de536d9c61f86baef3cfa43

SHA1
a0af705fbcdbc8198de8ef06052d719ed377d8de

SHA256
9e6021a26a5156279da3919429e9dcffa6dd21debcad2a255606b1da6a2f7dd9

SHA512
eacc6d5e07ea3ab7e0c4807ab4dbb5cbc77130da75cab423f07ed1dbb2fd17b7664f1db3fd5d15469e1ea63d557d91a4171243b928cbde41c0df567debd0fbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9BF6.tmp\sist02.xsl
Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
232B

MD5
86b410bb4ab604c39e2f6b762b709987

SHA1
ecf379964ea519f0218cae5654a344dd8324edc2

SHA256
1e76ff4177d1af78589440972a017b6a7c12a76c500bdd5f9da0b92a19ba303c

SHA512
3ba40bf5bab18cfd0579fc66c3e521dae516e3701a0b3a71d7f0ac9865d44a9ced35ac6a63b16d65c71ec436d7692dbfc34999f2055fd14ab7d39227656c0270

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
65ec72d210b1e48d70b79560d5d568f0

SHA1
da4644b007307273bb58eb21fba3fc1ffa2f7dfb

SHA256
77fee80f2dc053e54cc9f31ce12f108c0256cab676cdfd561268eb94681cd3df

SHA512
99b77cf9a14f5afc9f005c10b4229289eb3c35dc00a0ab9e4b4dda87d078f40ab81a3fb6b5157bfbf8d713233f6290f4f3df24c35810ce5eccd96e5a85dad91b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
b6cc8e48e8b4c58e6eafd4fe410443fe

SHA1
260fd465bb65336ac10dcf92b31486b8b6d030e5

SHA256
1525d8628bcd15c002f37e591c227949d14fcdd49eb85d796d847b96ca2ab62d

SHA512
b402b9cc522bd77c40510af4c22df15687e5771dea3f2c778ebd22d01f663215f215fdf26e798024e1cc1249ef8d24c06e1627e2e8824ae9fcfe8cd0a0c51074

Download Submit
memory/1692-8-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download
memory/1692-4-0x00007FFA09290000-0x00007FFA092A0000-memory.dmp

Filesize
64KB

Download
memory/1692-15-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download
memory/1692-12-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download
memory/1692-11-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download
memory/1692-559-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download
memory/1692-2-0x00007FFA09290000-0x00007FFA092A0000-memory.dmp

Filesize
64KB

Download
memory/1692-1-0x00007FFA09290000-0x00007FFA092A0000-memory.dmp

Filesize
64KB

Download
memory/1692-5-0x00007FFA492AD000-0x00007FFA492AE000-memory.dmp

Filesize
4KB

Download
memory/1692-14-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download
memory/1692-10-0x00007FFA07100000-0x00007FFA07110000-memory.dmp

Filesize
64KB

Download
memory/1692-9-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download
memory/1692-0-0x00007FFA09290000-0x00007FFA092A0000-memory.dmp

Filesize
64KB

Download
memory/1692-7-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download
memory/1692-6-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download
memory/1692-3-0x00007FFA09290000-0x00007FFA092A0000-memory.dmp

Filesize
64KB

Download
memory/1692-13-0x00007FFA07100000-0x00007FFA07110000-memory.dmp

Filesize
64KB

Download
memory/4784-34-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download
memory/4784-33-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download
memory/4784-32-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download
memory/4784-27-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download
memory/4784-560-0x00007FFA49210000-0x00007FFA49405000-memory.dmp

Filesize
2.0MB

Download