57b1e7f094836b89c613e86a12966702169ead968058ac24c738b891bb8fa01e

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sipariş onayı.xls
Size

1.1MB
MD5

94d52f7b132f459b88ba2b9c6ed076cb
SHA1

6970a28538c35aa1c20b32a855e40c85842025d7
SHA256

57b1e7f094836b89c613e86a12966702169ead968058ac24c738b891bb8fa01e
SHA512

c8a18dab02481a7d226d9d3a71b38087e3406e089051995c1be66e49dcb5b715212ab3eb8a36fe7925a32cb79d6baa98ba0ed2cdb8ea5803d5c1e5fe80b8b594
SSDEEP

24576:48q+k+xbyN3g3yBO128OA2BFzfOSr4hBBzcIPuV8rv4zBkS3QHVO:dq+k+yOUJvSSr4N4IzvT+QH

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1920	EXCEL.EXE
1648	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	1648	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1920	EXCEL.EXE
1648	WINWORD.EXE
1648	WINWORD.EXE
1648	WINWORD.EXE
1648	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2312	1648	WINWORD.EXE	88
PID 1648 wrote to memory of 2312	1648	WINWORD.EXE	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Sipariş onayı.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
b5cb610c294a6618c6043081054508f0

SHA1
5751c85ee092b7c30c93b1f1ea2baf890bd99d4a

SHA256
8040a50a5ab1e6859d1ae14b1a9f84cf0fc328a0d9face70ec27ac8e6abe8cef

SHA512
314a5c9e63275ab2d41b445f5b4cf1b9d17c06652c63ce44c0d7a25cc912a836bba7018e7d6efdbd7fb8350337f486cb56f463009cb52cf67fda28507bc2bf87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f134071cf1c013ec1715fc7e82482c2c

SHA1
7cd764a5c56d94a317eb7fea0920a17da7d63235

SHA256
d1af1594e1e75a9783ed475e5dfb46df5bf3df0ee6b1495bbda19cde27298e58

SHA512
3052060a35a49ac56ca1be31ef2bd522337cf4bf73c66f58fbe7a1c7e30a7220dfd714ee5df3bd24c538374ca103719482eaf6260eb33a29332c4ba4cf06ed5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
7f27ebed4efece6c8ccabcb152f3e922

SHA1
dc5ce5d50ce4e4ccc89512ffa60ba4512abc1479

SHA256
4b6ab5e876175d2beb5ba452d3f1361e9fcfa83d62033c7c5e5c1ab4202eab73

SHA512
8eb1b4bb80c139c60968b6e91f17773d702b2af85f0edaa494b3b9b4a9a67d344a5b9a564b0c54746d076bc9e154c7acaa149f8d03ca4e09ed4f0e9d5d24c0b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\68353CEE-0857-48DC-9632-6CB67E009DEA

Filesize
168KB

MD5
932191e687887d41a0c7cba1bb90f060

SHA1
c997f4c66de243c5db8b9826b558050f4932eca4

SHA256
6d74296aa409d68c2ebee62286aca8363cc6fab72995baccbf0ad53040d279b0

SHA512
80c8d89adc2667ec92dc6dbb533ec72db954b456478b36ae735ca737133cdd7b3ef6d2c8956b6df113668df80277cec76ce11270d1078e3cea1e87214044ad4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
8KB

MD5
0cf71203a729b2ec262775d1b31023e5

SHA1
9c88981f1c88b034cb5de048ce911563b06b4415

SHA256
cedc2f099a8320e1969ca9fc36b3fa1e575ca24c4f75b8570182ac925cc926cc

SHA512
4f851136e3f02313e14dd29c3c03bd3cae21c87727cb8a1c200e9aaf44ce9c82148968999f0c405db31bcbe7502d3fce09f3ade14d94654938e4d8883a5dfafb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
f941199c50d6498cb461de02089f8ac5

SHA1
f48f10ab32939db35cdddac1decd3da4733bb167

SHA256
8168c0b64ae19356c3bcb69c15aedbbae9623a7d68eb19418b94f3bddcccb1ad

SHA512
d80efb129553fa442f69eaaa7b1a4050bd7c116dbff4e3176014f012fc0b9ccc39754b2bc21525041a92e52660fb771927b5816bffb85c0d82ec072290d4ade0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
e645a0cb0d33b355c96ef529e03b733d

SHA1
3678c74cb562c1104d0c8d907b7a8ca1498b79e8

SHA256
073c4f577374db464efb4fe25fe1cfa0d95a60b0a82a413deb5c13333a60c92f

SHA512
8a12c316adef3179d7cab9a4540945fc7202261bbe921f246dc0294ca9cb817594f83984c914c86913eab5843c72961ce49da020f9e06afbcd747670b62cba7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9X9HPJHY\we.we.we.we.wee[1].doc

Filesize
221KB

MD5
dec81947f9c288a6337b7eb4b8dec580

SHA1
587afe240a9013b8a6fd0d2a574f2ce814fd40b3

SHA256
008c8d4399750dba2733ce354ec97453535e8f00d293368a46c6e5514ebde20f

SHA512
ca82e253009b29a6f2ad7143818c0a4209c56d3bb1aa01f70532a6a1c111399c3acf5b791cb4913fe94430013a0b7b377fb7f4ed65a60d14e60f7fa216006bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDE180.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
335B

MD5
54864202aa05f27bbf5ebc31e6885152

SHA1
616f74e3271020045074d8e86f0e7e4fff2df4ca

SHA256
72bf405cd75be73e9d02fbb62161b01b32928be5c9f323c9ca93389c52bbdd87

SHA512
f190d1d92e2f4fb906793a2f5ae86120495dda607ea4f392c699c828404c10cff85e7ff02c20b959ed457c1e46c2486a3e06e0441c201a56b7a08b9df5890342

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
bfd07c8c6dbba55089796f053384633e

SHA1
c1daaeb863687045023cabb5b58fdf33bc42ce68

SHA256
371538de6c6341cfd33c49fa791b40e80079a304b354af1c17eb92909738bba7

SHA512
106fa2a72025228138be2aa7dc53490d702dc22854bc0698cb7f4860729b77cb2af9402356e7bb4811f7c1c463eb6ac2789283bb5abd11fef23c915fe2912e17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
03bc20fca8ef0ec3cb95ee2915d4cf2a

SHA1
d38ff23d9e6719b996a1ec1275f6fb98976e117a

SHA256
40dcb5d9bfefe0acd0cf0e77fd839a1d888c619a8edf97a27cc3199224a681fb

SHA512
90740b251a8a5500754582c7ad59dfd813deed18292214498c4eee6c313c65268b62e7d31173c8c7b60f408a285f858089affd2c4ec15ab59efd7832b300025f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
677B

MD5
bbce81eaf1c53adf2fca06e55e2457a8

SHA1
02286025c776455aa9a350e7a5b415001b091320

SHA256
265e0dc7bf15b6c022471f3ea6945fe7282a2fa3e5c113e3633757a24812517a

SHA512
c5aceaefa9d861110fa4a4702aefb832523b2e911a6ce9f7c7e00be5ddc48c582aa14a02cf2364f65715a0a9b7760b6ff1405df884593a945d68edd514bb060e

Download Submit
memory/1648-37-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1648-42-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1648-215-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1648-45-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1648-41-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1648-34-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1648-43-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1648-38-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1920-14-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1920-11-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1920-9-0x00007FFA82260000-0x00007FFA82270000-memory.dmp

Filesize
64KB

Download
memory/1920-12-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1920-16-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1920-17-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1920-15-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1920-13-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1920-10-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1920-0-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/1920-6-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1920-7-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1920-8-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1920-5-0x00007FFAC490D000-0x00007FFAC490E000-memory.dmp

Filesize
4KB

Download
memory/1920-4-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/1920-3-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/1920-1-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/1920-2-0x00007FFA848F0000-0x00007FFA84900000-memory.dmp

Filesize
64KB

Download
memory/1920-214-0x00007FFAC4870000-0x00007FFAC4A65000-memory.dmp

Filesize
2.0MB

Download
memory/1920-18-0x00007FFA82260000-0x00007FFA82270000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads