e10773ee1226f0dc4b6b9d8a1e41bbf1375d9df12333b316a9dcff3f26107497

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 14:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1561073.xls
Size

280KB
MD5

f9e7fc5d4ec23e40355b3dc5cc56bfc8
SHA1

bea7dd0814fc2698f0a223257f54b5e85e013337
SHA256

e10773ee1226f0dc4b6b9d8a1e41bbf1375d9df12333b316a9dcff3f26107497
SHA512

2b073e1ea57893c56553b13c1ebc86efc76735f298260e1b6ef4cd170750abfef1031daa65b5cae2412fab31984dcb559c42c68780773b27bd5dd8d6a9ca2282
SSDEEP

6144:UqFzL5LIT47Hi8kEBF5OkUwueWdEMIW4LCCNU:UqFzu4Li8kEBjbXWQW7U

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4868	EXCEL.EXE
3604	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3604	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
3604	WINWORD.EXE
3604	WINWORD.EXE
3604	WINWORD.EXE
3604	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 1520	3604	WINWORD.EXE	98
PID 3604 wrote to memory of 1520	3604	WINWORD.EXE	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1561073.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
9a33e47e7aebd693196b8bf9792cbb90

SHA1
1d394b6bfcc38c07e8089af395db97fee2ff4be8

SHA256
527457f8675abf811fbd82504158906fad839fa1d973222c0187e5383dc81729

SHA512
2ea7d90b8f6fb8ef64d6e3a36f4af478d53186887616d558653af6a37e4b56e1f02884dc0833b216b2b21e3dae0f6e12ada04bcbb628f0147b6158d0a5108e6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
924b268cef78d57c1e0574d1d6587f0d

SHA1
5432ae7274c043426f5fdadcd68c91b4e874e7de

SHA256
d1ed0577a382449f740f00f47ecbdfaf3c6d5cdad9188d338ce9b0726e5e0c26

SHA512
df6d522c7b32b42933635bdc7f9f496660b08fa0ef920f300a28f98fcd6ec875d16e2a8b0b941db6a618b845dca613f8c07df9407348d07ea7fe704363fd36c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FAB79460-E6FF-4FA1-9C38-B379C6B08F05

Filesize
161KB

MD5
c526ab06fa6aad239b0242ced31f6dab

SHA1
95b41e1105edddf865dbda4156077ee271ba1b02

SHA256
df33aa873fb20eaac1fed0304a2df560268822938128c64e00ecd34bc5a7b05a

SHA512
85028b1bdf1b256091cff4c3b9dde8b679ce19f07a02518907987dfac3f91e9d1e7197170c8285b82dd578d3dd8dd62adba5baab74268a7a73215b725c3b0d6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
56925507b61b2dc6e4ed601a3a0db017

SHA1
68b33daca5fa7e93fcb9304035711f1fdd8ba08b

SHA256
716ad4e4d1a47ef86fe804d302f73c842865fac35e1aee426e9a47728bcff8b6

SHA512
5260b93937f5513fe52c19a2cad4d71b56245047f2ad1db5435f7d30e4f3ee22d8dd65e200795d30d283dc231a17b29762533e1f67dcf277beaed35dbd666401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
a6e8139f63b95e929dce7e4d68f2d5f5

SHA1
605ffbd337f4f571866a6cdd88236d92396d992e

SHA256
cd29fe6ca5f7a4bd87d10e34ad83d139d4283ece111822a89e1133c97bfac773

SHA512
9851b1eb5f9f4eb17f08b75581039f82de9472d7358943830da75d8cb617db700c42f8bb0b487ca0b26b371d723e4405f18033273582be8190c2f60f3ad34447

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
91c701fbdbd290727d1af8e1e409ee57

SHA1
02b7563f9f532166bc3ed0e2b168042dc45fe954

SHA256
ef398d3630142b3afa2bdd6d6d2f23fdcbd019936c7ad26ffea26a21cbf8afe1

SHA512
f2c5f1b9cf1987c1b3d85987e9f55e3d78ac948c54d72029de523be492b920c380168b4f9f2aaddc95f57c8978d3468798bab33674e958584186bc7db4389935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\lionsarekingofthejunglewhotrulywanttogetbackwithentirethingsgogreattotheforestwhichahdnlingentirethingstounderstand__lionsisthekingofjungle[1].doc

Filesize
39KB

MD5
c5af2617421f885a9772a4b51b80cb2a

SHA1
7e5b7ccfbfe3fac37bfd204d116050153a1736a6

SHA256
6cebb118dffe733c6f4001741eed2c2f58995c94e4a8eade0757d0bd07fcecd7

SHA512
4bc31df72497bc263a6d6f34d404653bc688d44539655424407c40f72aaa9c0a2074312ef797f666545cdcd37bebfd1c44591bcbb433860c20561921aaa20630

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
231B

MD5
f1afacfb7b080e5ae0f28c74b27c1336

SHA1
1b829f9fe003d1cae149677fd959d79f0b7966b0

SHA256
5d69523829848e2791b51fce5a283f131757bdae6d4c918d2d72417095422c59

SHA512
dc1d89278aba75b66bcb9e45544a8c9cfe9ec67bab1c5e34f75b896ab24901f5a6dde93128648b9748c383244b0a929ad5110b137f7ff1b51170722ce61d5bd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
86bdbcf45b35435a2784c0f08fd0dfae

SHA1
d7abb9a2c3791c1c0d780eb96a7e0c91f940c02a

SHA256
158dc38dd39b737ffde2ffd4d1dc2abf70c14d0ba699e72715f6d71be0f5c16d

SHA512
d51fcc162493a100a3050258f7fc88066e44175ad4fc117c76177270863f06b937be174483c31e731851f8ee78152ba26e12a9e631bbfcde233803597297b581

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
e11b36010599b22c11c2a157ef99a79e

SHA1
62f1599914383fa6d8bad6800c4b180ddaa41fd6

SHA256
eeae6b114d5c5b441f0ac2f7c8dd127f2267a16c0f64018612a7836c1f4845c6

SHA512
d8fc91bc85a0acece260ecac65e94d222978daa8098613441068c818580fe821e232cf8195e1418b8dc1cc665ca60d1fea73deae7826a22f550b39ff18ce20d0

Download Submit
memory/3604-38-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/3604-567-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/3604-43-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/3604-44-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/3604-42-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/3604-41-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/3604-40-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-1-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

Filesize
64KB

Download
memory/4868-12-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-20-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-18-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-17-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-14-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-22-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-23-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-19-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-16-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-15-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-13-0x00007FFF96100000-0x00007FFF96110000-memory.dmp

Filesize
64KB

Download
memory/4868-11-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-21-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-0-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

Filesize
64KB

Download
memory/4868-6-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-7-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-5-0x00007FFFD856D000-0x00007FFFD856E000-memory.dmp

Filesize
4KB

Download
memory/4868-8-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-9-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-10-0x00007FFF96100000-0x00007FFF96110000-memory.dmp

Filesize
64KB

Download
memory/4868-3-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

Filesize
64KB

Download
memory/4868-87-0x00007FFFD84D0000-0x00007FFFD86C5000-memory.dmp

Filesize
2.0MB

Download
memory/4868-2-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

Filesize
64KB

Download
memory/4868-4-0x00007FFF98550000-0x00007FFF98560000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads