93b2af1c877bb2c7acd39d3ff5f770bea880bf66477e4e9b0a1d21d1d213cb7c

Analysis

max time kernel
148s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93b2af1c877bb2c7acd39d3ff5f770bea880bf66477e4e9b0a1d21d1d213cb7c.xls
Size

967KB
MD5

30c72d7387b2033675119cc82906bbb8
SHA1

e3c3f070b85f9c991069b408e7147bd1b19882bb
SHA256

93b2af1c877bb2c7acd39d3ff5f770bea880bf66477e4e9b0a1d21d1d213cb7c
SHA512

3368a3bb66f88dde45120e072b9a04a36d799961dcb230785745ba5ee916ebf8272fc2fb896a935ddfcc636fe7e09e0711fa0f663674eb08461fde44a6602f69
SSDEEP

24576:SUP/mMxAF77GF0SNjs6ivPQbA2j3AOk6N1Y:SGsNk0SNjs5PAVUl

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MsoSync.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	5064	3444	MsoSync.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MsoSync.exeEXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MsoSync.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MsoSync.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXEMsoSync.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	MsoSync.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	MsoSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	MsoSync.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1464 EXCEL.EXE
3444 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WINWORD.EXEMsoSync.exe

description pid process

Token: SeAuditPrivilege 3444 WINWORD.EXE
Token: SeAuditPrivilege 5064 MsoSync.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

MsoSync.exe

pid process

5064 MsoSync.exe
5064 MsoSync.exe
5064 MsoSync.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

MsoSync.exe

pid process

5064 MsoSync.exe
5064 MsoSync.exe
5064 MsoSync.exe

description	pid	process
Token: SeAuditPrivilege	3444	WINWORD.EXE
Token: SeAuditPrivilege	5064	MsoSync.exe

pid	process
5064	MsoSync.exe
5064	MsoSync.exe
5064	MsoSync.exe

pid	process
5064	MsoSync.exe
5064	MsoSync.exe
5064	MsoSync.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

EXCEL.EXEWINWORD.EXEMsoSync.exe

pid	process
1464	EXCEL.EXE
1464	EXCEL.EXE
1464	EXCEL.EXE
1464	EXCEL.EXE
1464	EXCEL.EXE
1464	EXCEL.EXE
1464	EXCEL.EXE
1464	EXCEL.EXE
1464	EXCEL.EXE
1464	EXCEL.EXE
1464	EXCEL.EXE
1464	EXCEL.EXE
3444	WINWORD.EXE
3444	WINWORD.EXE
3444	WINWORD.EXE
3444	WINWORD.EXE
3444	WINWORD.EXE
5064	MsoSync.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3444 wrote to memory of 3612	3444	WINWORD.EXE	splwow64.exe
PID 3444 wrote to memory of 3612	3444	WINWORD.EXE	splwow64.exe
PID 3444 wrote to memory of 5064	3444	WINWORD.EXE	MsoSync.exe
PID 3444 wrote to memory of 5064	3444	WINWORD.EXE	MsoSync.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\93b2af1c877bb2c7acd39d3ff5f770bea880bf66477e4e9b0a1d21d1d213cb7c.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:8
1⤵
PID:1624

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3612

C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe
"C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"
2⤵
- Process spawned unexpected child process
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
fb62b490c16acb6db6dbf8f712a07b80

SHA1
7203a569b67305af70e63bef9dc699c8e0b81a31

SHA256
9aa7fd934272bfc2fa52a74258e28c0d7394d7907d068ed5b421ffc0d737b5fe

SHA512
219fe61dbcd702ceb2a417a6cf022450f875b3ff3f396ca997543bc0c3708b81ec161d8872129dadd6047c8c3893c078219a52a29d6b0b61e277244a0f675ed6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
192B

MD5
eb383899116909a4bb8c147b1ea49786

SHA1
1836239756277338ffcbe1c37dec3c69b8cd80c4

SHA256
1e8328bec1865381381189c0b5a4d53d292c1df707b4d15541c2ccfa35b5e390

SHA512
60132378767aea27c516714100bc46174eaf5ad4b9d302209103caadf007d1cc0815f1b6e6da02cba5d4d85b323e9342216d0b48bfe47a8b9c2c7b0f6a03630b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb
Filesize
512KB

MD5
25662c7252a46fed5241b2df0ad9307d

SHA1
ba46f739f1f6838d67b4e19c37af9166104766d8

SHA256
eda96b2d88d7f16d0bfb425367a97852f9a30217275dbf6ecb90edb5b0bdab89

SHA512
cae6187041fd31051a9020bda81831ddd7e614cebbc79677d36d19a13ce280f9f2b7e61cbb6fb0217b6f69872bbeb0c11109bda118a1af5a49d4c67867fd4579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
Filesize
128B

MD5
012aec72f19dc950db49f3748f8358db

SHA1
d67b98aaa536be7806bb9324d78f47d777b7d419

SHA256
a0b5b245713f82d851c67af9b752a79b63a794f830999a303c5b38db7e1a0bc0

SHA512
f1e987f15a7d8919fddb086ee6274348adf9509b41bdbbb14254d0f7e21f8ece79944dfdaa13244139d252fd91be619f38e45b40ecc83bf052703b9ad20998f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
Filesize
21KB

MD5
43baac88a95c67ca4fb75e246cba9953

SHA1
1aa44a220cb6035fd4574840312ae682d54a7abd

SHA256
28efef361445ed02c0777869a6eb1fd531a00ee2c63426b2ae69bd957ee478f2

SHA512
b7ae4f7eb96f30910f055a4c2a5fa23d181c50eefb42155da0aa25b998c2e82a6284c274d28e6c82ac6433d3c1c37531aba302ecec9cd8adde7487c4ba39c5ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
dfb999ed88ab0d0974192b64e93566e0

SHA1
f42490125067eb9fb0005029a0237686659ba3e3

SHA256
dda0828d2df906129ec1e14c9e93468d223c2cdd874a3a332270eaf1fb9211fe

SHA512
350e87aa02780836620a7ba1a72d0ccfa00b32b1346fe241b15b2660069daebcb43650731869180549b5b8a60936dd019fe4a8c7443d86fe72195eef961d672e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
52a3476d70dd2fae6c3dfde2ee96d53a

SHA1
3a279aa7483a41c8cb398d6cd3c6b253a47d859f

SHA256
f3309bbbdb6c2ee4ddd41af4289369515fe56bd2b24961555824c98a00bf45ce

SHA512
f86d8fb73458826cfbc19fe7587c5cfcf7bcd1c1ea647d25c5e7ab1e704c612161639c5b8bd806235325434bc4d17f731aa3f40320db0c058dfed17a48d61b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SYNNS6ZU\lionsareveryinterstingcharacteroneverytimetounderstandthewayofhowitsfinetogetmebackintheforestsuchagreat__lionsarekingofjungle[1].doc
Filesize
104KB

MD5
fe30d755f7243a16d47bf6f37b929cd2

SHA1
a3d84850f11e67516e21914997944d19e41d2bf2

SHA256
5d7601529aeeebfd4e2f2a4f5320d7f276200b3f04bbb414c66345f586a23b0f

SHA512
b040f620da8c2766c6c73cb6f6e3c5d913e77f5b5ed3931d46cd6cbad74d434581e40d57fa98ef506e3344479e7bc259b091b05b11f1d854528e3ae393d3879c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
232B

MD5
0a0c2646e2e2865992c4a97b1be7c7ad

SHA1
cb95f3dcad6ac8cb263348a7f342b087a7376268

SHA256
1d9bedb38d024d07a463a39f5ccabbe37517e605db031ad9691588dc0be907b3

SHA512
de3adda85672d1f4d7cdc391741ea4ef698ab7a0f07f9c17ac7444d542ae50dc8685a486a75e730e8d7078d7b23d96711acc98f3c952e51695e19a60d4ce7d5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
5KB

MD5
528552f84f64826a5e2953bb4881321f

SHA1
0203dd8fcf7c822324faa8895ef33177453a42df

SHA256
348ece281340d0158ea6ceba52060c2ec5e4a0a2e7a9ba95effc8e260956df42

SHA512
db4a7636dc6aacbf0e4173610f238ecb913f94563040d47a3124b03aac6412c93c795fe0b53aa733245378d74bcaa04802dd1d7828a6245d74083111d403d72c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
0967153bb0a295475a00f37608cc2473

SHA1
b15fc48e6691e845e98aaac46a60521d1478f30a

SHA256
cc0fa1f15c01a6480f7a2c28c3ac1b1d36f2d422bfb47afb1f40dd425cea94ea

SHA512
5f63d7258a24d4dbeae5961a66129bcbd3702450286be25c812d3cb42630dfaf90fa3b9efcf5e428bcadf5ee196d0981a240d35474f78f26fb581302ea8a85a8

Download Submit
memory/1464-11-0x00007FFFBF650000-0x00007FFFBF660000-memory.dmp

Filesize
64KB

Download
memory/1464-12-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/1464-16-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/1464-13-0x00007FF7C0060000-0x00007FF7C0070000-memory.dmp

Filesize
64KB

Download
memory/1464-20-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/1464-19-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/1464-18-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/1464-17-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/1464-4-0x00007FF7C1FB0000-0x00007FF7C1FC0000-memory.dmp

Filesize
64KB

Download
memory/1464-15-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/1464-14-0x00007FFFBF650000-0x00007FFFBF660000-memory.dmp

Filesize
64KB

Download
memory/1464-2-0x00007FF7C1FB0000-0x00007FF7C1FC0000-memory.dmp

Filesize
64KB

Download
memory/1464-3-0x00007FF7C1FB0000-0x00007FF7C1FC0000-memory.dmp

Filesize
64KB

Download
memory/1464-10-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/1464-5-0x00007FF801FCD000-0x00007FF801FCE000-memory.dmp

Filesize
4KB

Download
memory/1464-6-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/1464-7-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/1464-8-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/1464-9-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/1464-73-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/1464-0-0x00007FF7C1FB0000-0x00007FF7C1FC0000-memory.dmp

Filesize
64KB

Download
memory/1464-1-0x00007FF7C1FB0000-0x00007FF7C1FC0000-memory.dmp

Filesize
64KB

Download
memory/3444-40-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/3444-88-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/3444-37-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/5064-100-0x00007FF7C1FB0000-0x00007FF7C1FC0000-memory.dmp

Filesize
64KB

Download
memory/5064-98-0x00007FF7C1FB0000-0x00007FF7C1FC0000-memory.dmp

Filesize
64KB

Download
memory/5064-96-0x00007FF7C1FB0000-0x00007FF7C1FC0000-memory.dmp

Filesize
64KB

Download
memory/5064-94-0x00007FF7C1FB0000-0x00007FF7C1FC0000-memory.dmp

Filesize
64KB

Download
memory/5064-93-0x00007FFFBF8F0000-0x00007FFFBF900000-memory.dmp

Filesize
64KB

Download
memory/5064-112-0x00007FF7C1FB0000-0x00007FF7C1FC0000-memory.dmp

Filesize
64KB

Download
memory/5064-113-0x00007FF7C1FB0000-0x00007FF7C1FC0000-memory.dmp

Filesize
64KB

Download
memory/5064-111-0x00007FF7C1FB0000-0x00007FF7C1FC0000-memory.dmp

Filesize
64KB

Download
memory/5064-109-0x00007FF7C1FB0000-0x00007FF7C1FC0000-memory.dmp

Filesize
64KB

Download