33234512d5289f9bfee04f9b1186805430af2caafe29a6a17be45bed3f5b12da

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240506_12082.xls
Size

310KB
MD5

82867f01d83d7b77d04e3c6e78d15be5
SHA1

78028bb5558df37006e71b5d783fec631249731a
SHA256

33234512d5289f9bfee04f9b1186805430af2caafe29a6a17be45bed3f5b12da
SHA512

ad0dd12169a0e256017c337179494548b071d0a509afe17d0ff985a4a669147b9f141eafe00a3d8f8cf16dd3c75c5ca34ed67e1135eef2c4cbecf9f79a656b0c
SSDEEP

6144:nqFzL5LIT47HSmC/EHmxS6hBBBqzfGgx8vXJsk3CCAz1t6oimIQ:nqFzu4LSm9HWScfsrGgx8veICCAzyoia

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2428	EXCEL.EXE
452	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	452	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2428	EXCEL.EXE
2428	EXCEL.EXE
2428	EXCEL.EXE
2428	EXCEL.EXE
2428	EXCEL.EXE
2428	EXCEL.EXE
2428	EXCEL.EXE
2428	EXCEL.EXE
2428	EXCEL.EXE
2428	EXCEL.EXE
2428	EXCEL.EXE
2428	EXCEL.EXE
452	WINWORD.EXE
452	WINWORD.EXE
452	WINWORD.EXE
452	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 4748	452	WINWORD.EXE	86
PID 452 wrote to memory of 4748	452	WINWORD.EXE	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\20240506_12082.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
25e25ce89e6314217a90ce2ccca52f01

SHA1
b700ae160c8693d3d09cd7fe6167eecfb59fe091

SHA256
9d3856c55b78249597f0799305393e02816d164dd2e97f6ff42684c8049ef89a

SHA512
e5bce059149da7674d88569e265a1bd23605dade1e1787ce151e52ef8cd0a3fe05d7fe2ca23bb2a016fbaa5fd4ee95ce56f6394d791d19c75bba90ad39e3992e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
1b5fef4c7891a613225aa2fa541a31e2

SHA1
2d6b316244b986db2ddca90f65ef26a80d0039b9

SHA256
35865cdae301bc28b595cb5a0a334237a4fbc575cb6ea4f0af0e71d86381f46d

SHA512
d91e5f15f8c0a4fe6aa558cec3f8be5e18ea2660cbc699476341cf98fe52af5191b43b009982588ab4922fdb49fa0d8eef82cfbdea9b5650872685e4ee2a7e6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
7e9c3b7c6bd12f3d45065cfe84104430

SHA1
c372344239e360ff4e8c477de6abdd3f3298d871

SHA256
47136221e7992ba4a9b765440350166948716288d3b84a3173bf452091855d6d

SHA512
932649c0b1098f67ad25b4361b510247495054b9ae61fc338d891eba5784193a757c9474c4219e9d3c2f889210b6c3beb6749822b67be097dc47367c85e42e6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
34f21a6887749b7b849773669f533e26

SHA1
50e2bfdc25b61a27935b734b32d8626323dce909

SHA256
12ece172eeed23b9d51665a133447db857a1cd219a0900b09c5e5c7d196df6df

SHA512
97e8281f60dd639878e95afad77d9aca8b33816ba64d918533f10dab6e9f715934caee06b29701c84517b566c2961860ba8097b0fca14a8aa115b12c558b19c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
440d767fa959a1c28831086770b8eb4a

SHA1
a02306b2fcaeca5880c85c4079ff49bdecfa6a0e

SHA256
54e4f26a2fc8932e5918363b0a2a7349933ca77338382df5d0bd0385f08dc91a

SHA512
c328d46fdcca5f70d8e3535211d5f48f23a4264d33f932625d0117c43849ebc42da8736ffe49fbe09ac316f2931b3f0b30d4bac037d0ff72122885e8dd6e4efc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AB49F3A4-B613-4D02-B17A-20592EE38A75

Filesize
168KB

MD5
a39cb7879c3d0b259e4df744e4d0dbf0

SHA1
6fb6b5de7fe1e8e25a7716153cd32e92b5f23c3a

SHA256
7e5defba9a39f17501088e6cb2b311331f4c8ac2425d43376ed239cf8126fefe

SHA512
a92d83d0f134957ac59c298a0aea91d4f6484df69d92ebc4e5232a77eb4917ead729a2d7a37feacff508052d47ad92e8dfff8100df7ca05b7ee8c8695f46285a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
0a7fee2ed9f384c1e85bbe5512398b5f

SHA1
753b2ff5e7eb56eaebca464e3b52fd11f8730b97

SHA256
41eebe86f484d7fdded8376552b82be1398a12006cf8ef00ad6c4cc44ec1ef22

SHA512
8ded375a72f806c874a418ff8274598b48ba540250a9fe1a5ff24e1fe7c37c7288bd1d4b23f36c6b3ae9898bf6367383eb80aa8e3da355b867a8fae6fb31f74a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
d7e6275eb08c54a62b759a9c856b5942

SHA1
c8e1c5fd825e7088da9ff5b722ac72b39079a38a

SHA256
124b088fb0bebac2e10e82dfff3ffd61a39989b7d1ebbd3055ddeb16ab8db1cc

SHA512
609178a14ae28e1f1f592f5c4a5c7ad9b9c77d580ee39f543347857b8d323d9eb9d48282e15582bbbe0e0dfd9c7c7a7f957d2c6590827d0716c32a60ff7fe649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
50cc7f0c9758007187ca1fb64cd62bde

SHA1
eb081200702bea5667f88bc24c89078a4f0748cc

SHA256
18126ed8b305508dc14800bd4fe16aec41659645c41e51cdd5fb4fdd9b4cfb8b

SHA512
098083a1819fd67f22fb9c7467ec7a307a036e849f6f1c89a678b1149e1bc56e7421d23868e5002ebbf31750a24fd590c9ac1a2f1002d65410b07083590bb0bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\dcn.cn.cn.cn.cncncn[1].doc

Filesize
199KB

MD5
43ebbcdae38676d860c97356801aca3d

SHA1
7377392abe4e0d5959b074b26709977466a8ca1e

SHA256
c27f247d5153bdb32ac33ce57d498f13cee3c9bd04daa47e59ce0e40ed192fd2

SHA512
257c58cc6796f0466e483f8813337855ca02ed5a22dcdacbe4410a504d9ddb0991a2e01fd97308d77624bd05779cdbabbe1c9487fc015c73c1d9866fd6ac34f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDB309.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
230B

MD5
e1ed03bc2f09bba727ff5ff435c8e47c

SHA1
fc6fa41b18fe1d74b01772f704b3c78bfb3eedad

SHA256
8430b3295d7e280a1e71a24c48f4f76f09d0e83ef9d8e9437e9057c7bf5c905f

SHA512
df945b5a9ce22036584488a19cafcde328f14a816b322490a747cc7bf97ce3825be326e0e7fe340f31cdcbb0f0f6d19cec6867991d10903d83340a01dc27a8c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
1a40ba37e0635c7dacbdf77906931f13

SHA1
82460d09c7b1ff7e35e24e3bd3e1f0da2810d831

SHA256
727a58f8c0b1a8ec3bab1e553778ae9c83e83b4aa37a47362178c15482213e44

SHA512
260ae969d8fed417efdda8dca6a70865c6bd7b4e229c924135dc5bc2f90c2ad508a0a557085611113cf1c7681403ce48cc33c7ea86962d3a3789597a20aa4305

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
c41caefdcbd8397e4b873c1d1b69c79c

SHA1
8fc57eadbcaec21a3b1d0897947b22f50d50edcd

SHA256
6db16fbad66389935d2e4344209f99ff3961f65cce062ea57579016fa4cd3d9e

SHA512
a9b734aa8173cabaf7f0f584cd97582a5c3e4eac91a7f8e9265c92e350ac27b78173b0736501910b085ac4ea1048a1197481137a6ff1749d4ef104c978fbfc55

Download Submit
memory/452-44-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/452-45-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/452-580-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/452-46-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/452-48-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/452-42-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/452-43-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/452-47-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-16-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-12-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-0-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

Filesize
64KB

Download
memory/2428-5-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

Filesize
64KB

Download
memory/2428-17-0x00007FFD8EA90000-0x00007FFD8EAA0000-memory.dmp

Filesize
64KB

Download
memory/2428-18-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-19-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-14-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-15-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-10-0x00007FFD8EA90000-0x00007FFD8EAA0000-memory.dmp

Filesize
64KB

Download
memory/2428-11-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-1-0x00007FFDD130D000-0x00007FFDD130E000-memory.dmp

Filesize
4KB

Download
memory/2428-7-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-9-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-8-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-6-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

Filesize
64KB

Download
memory/2428-2-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-3-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

Filesize
64KB

Download
memory/2428-496-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-533-0x00007FFDD130D000-0x00007FFDD130E000-memory.dmp

Filesize
4KB

Download
memory/2428-534-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/2428-4-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

Filesize
64KB

Download
memory/2428-13-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads