544fd96fa98b592051e4d150804bd7fd3562cc6b7ca4dd8d8c6f30c106350c62

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

offertfrfrgan.xls
Size

250KB
MD5

a3cf9e49b576180f453b4195a4fda171
SHA1

172a2b533ed72156c4408af1494e0c0cc1972fba
SHA256

544fd96fa98b592051e4d150804bd7fd3562cc6b7ca4dd8d8c6f30c106350c62
SHA512

4b9937f2948bdde4e761cbedf7fa60d08dd7876f2af2fbbf517fc81eeb43999df7c2229ad4808a669f4c0ae0cca499b9a8f4a2a2ef06bec9bd1e3af637ec4ef8
SSDEEP

6144:Kuu1rzqdxZnkV6DYu78zmUC+qzVfSYWNxE13rC1OVysKll:KuuVzCZS6D/78zPCfFdUxEJ2U

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4048	EXCEL.EXE
3620	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3620	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
3620	WINWORD.EXE
3620	WINWORD.EXE
3620	WINWORD.EXE
3620	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 4908	3620	WINWORD.EXE	89
PID 3620 wrote to memory of 4908	3620	WINWORD.EXE	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\offertfrfrgan.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
ef3502dd2a1ad1049afe6c2c09e1970b

SHA1
f57a0f303313d8d634a6d1bae18050bac1cae5b0

SHA256
31eb3223aabbbcd8808eef08e02229d8f5bc97ecb0cb8562cbb08c5ef39653f3

SHA512
cc4fa2a08fbdb512f9a0d4b84b4b5f36df80941c6f71751790ce32b487c9dc0d15bb8ba09860651ff70ca13d8b1001d4f3fe7459889da2db5edd304f50d855e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
bcd0d59a81bbe7018b178bd82fecadb4

SHA1
ac96f85e4238dc8f2c34794784116e99dd531934

SHA256
52babd2928ad6eb319669185c7eed591df77e66ce325e006ca6c26ceb54ffb6c

SHA512
a27a7785679b1ea345c3a81812157dd539fc5412e511ada16f07c01f58ec84c4b04a46f44000ec3b6abcb167674a73a9895bde19193f84cb12a9f9d805b647eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F818EE0E-7DAA-4454-A8B7-4A35C36CFE9D

Filesize
168KB

MD5
855bc8562adec9b573fb1f937d410481

SHA1
304380ae1537405ec022e55898d28fc4e4148092

SHA256
9a80f7afd582f222f8f15c7644905b6c86e662f94115b3687ea94003f949d6ce

SHA512
d86e45aa5d218ba833f3c03a966ee08b84693f8c4574b4f6ccf439f31dcf543f7ef5f0ab4f1b749a73e46447f964f4e86977cf4407b6ee9122d9bd444a466fee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
15252bca13bbcc2b0a45b7f9fa207e35

SHA1
3ee61c50b42e2fa437e4d0fabd1b89eb2defcda2

SHA256
2c99e6558508a5c04e0575a7668916e61581f82c537d2da961b199939a70106b

SHA512
b485ec691cc5761bb5310b2c0766b72aeaf20138a2e18841c5b7aa11ef24cf6d6eef02fd0ba9126835552a75f7f12ab93f658e5df31e8c2e9beab5b41bdf2949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
0f1f15b19018163c1316de0b3f37b6ae

SHA1
6a3eda65b4bce4ace543588de64aaf26cfa78e23

SHA256
2aacdf53d135f08991c8967c005c2245f6f608feff9401ee90682043239b1a67

SHA512
e60efa95bf7cdd3167fa992c032a7623947c708c75e304a6eb9801442a92ddaedcf3e0dae77af37cce5bfc88c92d8c85d5e9e240c42d15e001d01a1a235182d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
d51ec25db0eb70a846a303d2f138de1c

SHA1
442457cc9f86e56e509644a0c28db11a9df6fc3c

SHA256
2b32acdceec0ded0f2be876d648a6cf7f3ee73a9ad82b13fa43a3c0a659b7f57

SHA512
7c66f59c434d30762b6a6534b8879cbde6738e82a840cdca8bbfd1c297c2518c61e62571e763541a603a9420e4371a9c0105f2b7beee7d36d71ab1a4c8d76d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8P5ERGGJ\fgd.fgd.fgdfgd.dfgd[1].doc

Filesize
114KB

MD5
8d234d694685ef558303f59db56e0056

SHA1
c69487910ae2ed7752777906b7bf9070a5be4383

SHA256
2d4338fca2036c2acf76079eb68168b183661c41129514e8f2cf4e615717fd40

SHA512
05ceb80af49047569fd587d6696ff66b17cf0e0723975e753c25f6de5e1034982fe02f9cc39edb8336fa705e1d72073a3fc6daace1677568cc0579cbe98b70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDCA81.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
215B

MD5
80dd7c06ddbfbc08cd5484f60a713f8e

SHA1
b702b095cc74b95a2160a1609ba9d72e047ea38b

SHA256
633e9c05a747d3814898802f885515b3ee5f7dce4a259931682f099043e54812

SHA512
21e0b6ce20ca3bb0fe15a41f3958b467ec2d8e75e4a1802ed7dc1835351118dfe6ebc4c5133112df68236b2231589d08bc23ea06082681788d6cd981c2d43b33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
1c95ad2f8201e2343da9e5f2a14fb169

SHA1
5fbb793351564d248a93c085e43f7ffb73891cfe

SHA256
11b58fee045d12b6ebdeaf48e303abfe70335391ad5a51cf12a5c8c6a79432ae

SHA512
0618b1e85198da8073e4bec7b8a2e67cf5b484b8e0e74fa233605b46505bd237273772952fb843661cc50b8ff3efc003c6db722a0bd2a37485863042e3b47bf6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
39ed12fd81d5f0fdf1b31b58fad2025d

SHA1
594207d74024c0b6d6ddc8681ddc08defda52549

SHA256
9daf707d5a098e58f1d3c5a3a0c2963e053662874dffa6b5e49609730bc3bbd3

SHA512
06af1fc31166e4c49a53ddb9d1059219b89af915ec4519478ad503aeb3b09f75b6afbfe9bbd6c24442e12c5001327f11315ffba5f1bc03837ca1ff5f517edbc1

Download Submit
memory/3620-41-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-47-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-574-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-49-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-44-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-45-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-46-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3620-48-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-16-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-10-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-14-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-17-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-19-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-21-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-20-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-18-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-11-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-12-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-13-0x00007FF8599D0000-0x00007FF8599E0000-memory.dmp

Filesize
64KB

Download
memory/4048-0-0x00007FF85C230000-0x00007FF85C240000-memory.dmp

Filesize
64KB

Download
memory/4048-9-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-8-0x00007FF8599D0000-0x00007FF8599E0000-memory.dmp

Filesize
64KB

Download
memory/4048-5-0x00007FF89C24D000-0x00007FF89C24E000-memory.dmp

Filesize
4KB

Download
memory/4048-7-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-6-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-4-0x00007FF85C230000-0x00007FF85C240000-memory.dmp

Filesize
64KB

Download
memory/4048-3-0x00007FF85C230000-0x00007FF85C240000-memory.dmp

Filesize
64KB

Download
memory/4048-2-0x00007FF85C230000-0x00007FF85C240000-memory.dmp

Filesize
64KB

Download
memory/4048-1-0x00007FF85C230000-0x00007FF85C240000-memory.dmp

Filesize
64KB

Download
memory/4048-573-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-15-0x00007FF89C1B0000-0x00007FF89C3A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads