261a3d632d4b42abe4ff190b7c39feaeabc7405c790f2b7c25de0678f77ff4a3

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Moto Parts Specifications 10000pcs.xls
Size

280KB
MD5

8c5389452b99db45d0950da9e78f979c
SHA1

037c5e32e127136e230392048e2a45bc68fd9aef
SHA256

261a3d632d4b42abe4ff190b7c39feaeabc7405c790f2b7c25de0678f77ff4a3
SHA512

d7b6c1f864bdc7fbc67dbcacb26c5186bbc44c4448d7de7253616b81e48227dbea0b9eb9fb3947d7851e48a429f1c188aaccde67e4b9f3110c280dd7989c6d0e
SSDEEP

6144:NqFzL5LIT47HuES6/dvL0DS6n9oOfpRKf/saZ/V/6:NqFzu4LFXvoGY7Kf/5/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3712	EXCEL.EXE
1828	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	1828	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 4396	1828	WINWORD.EXE	99
PID 1828 wrote to memory of 4396	1828	WINWORD.EXE	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Moto Parts Specifications 10000pcs.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
be0f80225826889a820e84d22d8b3438

SHA1
7dfdd3ad6d5149b1e6a0f1aec907b947a1248087

SHA256
13b3a9d744988146e7c4d4cd27c4b2cce75495fc39cb90d8df16ff80438ce1e1

SHA512
6124217bb9f9e793da57f74ad7f852d2552b0f6ae1448a710b4356db2359798540f4b25506300307c48be3b1f2ad3b65bc8776072a028ed6aeb5cbea22785975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
ca6c9e232f1d4c3fef25a106ef6304e4

SHA1
57676997ef244e4de54e816daa560b319b3d42f9

SHA256
cf6faec1fe52a03130573e5632df60db48ae1f42a1774d708ef7b584fa3a93ec

SHA512
1ac55545e427cd53bbe955c4b69d9fcfe030527dddd3620ccacfe9269214e5c957fc139081a55e9e807e15f87909220acc9af36a4d3dac31e94e34d6a4382290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B9EABF8F-EE42-4B29-842F-FB88248AC3F0

Filesize
161KB

MD5
9642a4fa237510127a1c9608693f1b08

SHA1
83058677b6c29dacb763de4486a37f06e91befbe

SHA256
f335dc729c2dbe968d3af17536ffe5a06ec3bf4d974822a97fdfdde2f4d2c053

SHA512
281736581725f56a9b44a6bbc67a1b13d6e07c789a4f9454be0bb4f4169be49a00c47ac758a5765385432100dbad79b7896860935e2cdac1f9acea6c3207ac8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
1cd949ba5bc6867e0fd6f6c9e17c808a

SHA1
5fd9f0b7f6a6f256f8a754ba4ead507bf8040cd7

SHA256
654674002dfb5eb282071c6fc8572f0b5a1839790cfbad7614656f7b6ee50d4a

SHA512
cf9af4405e26e7f2a13f5228e8e301a391eab897a823718a0d89141b1a38f4707450e6bd1c166752f3472b4bd897512d5b9b3600f527d958feea1b66b6b14536

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
1451ce42a37d0afe2b8e11568839e771

SHA1
986f559c1e20018fa8839b12e6ddc4e4f9941d29

SHA256
94cbbdbe53a939f35aae1b9cfcf2d2e72606390587ebddea8f7cf6a98f4998ce

SHA512
2daedd02bde8c3e8b992a54d9f9b1bc560970f9bcfadab1850ddc464bbede74975f443d109e4d18f305626ce2cfe2f26ea887b78cfbdd9d606272216ce83feb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
f7d035ffaac4e12754ec8527cfd58705

SHA1
e20d38bc948f052a422cbdba60da367941c8a6e9

SHA256
16fdb4b1511b9a928a3cec3097523c9d7da269d613ee6df01688a31da7215792

SHA512
93f1071818a66c79f324291dcf0f860df107c9dce64dde53e3f9cd6c99d029ebbc2a85df23465999a4b07edf52efa01ebcd1a8ec5a0ee53dc19e6016e9678cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\lionsarekingogthejunglewhorulestheentireforestandlionsgreattounderstandtheyaregreattoundersetandlionsarekindofthejungle__lionsarekingofjungle[1].doc

Filesize
35KB

MD5
56b4ddf6c247124f9bc633b06b169a84

SHA1
f6d0dfca950ccd1fcb92ed511afba92db7edc843

SHA256
67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0

SHA512
6b9e14c704e944b576091f0339e874ed679eeb6d2eba55bb65826fa66d7cb0856d20e1a99cb3cb40599b1065586a138aacf64617490c1c7a237e67ed61b980a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA3DB.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
234B

MD5
0cba7429226b7a0d1f9d7389c8a677fc

SHA1
9a47fa78a8e95c9d039e032993502b2df237be7e

SHA256
44f21abc623d9f390bd3b2efece3625beeb3da3fcaa0b4e42763d55167d0bca8

SHA512
d3a60bea6d85e50c762b3229b137b7132e24c0c9ec0d69036d4b22426441034871cbd1a11a02888873a82700f130b74a4f255a6bf1668adf76cf541baba4a2a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
55128b804ef47e30af025124c07d4a78

SHA1
339b13e828586952ec99a70b2e66ca66d3e2da4b

SHA256
cbfd6fa8d079569aa0c43f12ba9dad1edcf28d9e448ab2b66172d14cdf9e6c82

SHA512
a53854d5491dc123e0a19edd8adfe28cec5c8b37df0d986af7f8ff7b0054f74a229bd6718bd9a0c7f451e52f7bbb4dd5d31116572b1388d36852453a22afbbd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
55634edf163ac426d1a13bc0c364fdcb

SHA1
e7591f78229fcb91cc4b48d865c9e425a37c7cd4

SHA256
bbd114c294cad8999068eb500b2ac3ae5a7eae27111c321520d564276dba099a

SHA512
5ce291b9fbbb664cff96f9690364e5b27af493463405cc5268d05add74b49657a7679fd623504c12b05e47341c54c74883e2ab74d6e7ffa9c6f53a153c4ab44c

Download Submit
memory/1828-33-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1828-30-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1828-29-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1828-28-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1828-31-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1828-566-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1828-32-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/3712-1-0x00007FF935B4D000-0x00007FF935B4E000-memory.dmp

Filesize
4KB

Download
memory/3712-6-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/3712-11-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/3712-9-0x00007FF8F32D0000-0x00007FF8F32E0000-memory.dmp

Filesize
64KB

Download
memory/3712-12-0x00007FF8F32D0000-0x00007FF8F32E0000-memory.dmp

Filesize
64KB

Download
memory/3712-8-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/3712-7-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/3712-10-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/3712-4-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmp

Filesize
64KB

Download
memory/3712-73-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/3712-5-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmp

Filesize
64KB

Download
memory/3712-2-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmp

Filesize
64KB

Download
memory/3712-3-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmp

Filesize
64KB

Download
memory/3712-521-0x00007FF935B4D000-0x00007FF935B4E000-memory.dmp

Filesize
4KB

Download
memory/3712-0-0x00007FF8F5B30000-0x00007FF8F5B40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads