5080e38aaf9a00af84a5baf06d1eeb1881dd24a389ff719add6b7b650d1ddaea

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PG_320_MPI SRL_20240607_100526.xls
Size

1.0MB
MD5

f75d330398f3c1726675357616731264
SHA1

a7fb3d4e0a71bc522df5334d1d2efb92207f1065
SHA256

5080e38aaf9a00af84a5baf06d1eeb1881dd24a389ff719add6b7b650d1ddaea
SHA512

ef036ae3d6b6ba092e2e3cf8f224b0953cc27d35a975b0b22ec28dde9d91754379b16d36fb5736fb74f877d75f57c370cdc9eef9fa7f09af2d253d16d605ac08
SSDEEP

24576:LYIK07NB11N0TCpToIw6Duf+074LHb6yreOXU0DyYP2rKP035S:LhKi/2WtDE74L2yr/9DyGM35S

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2536	EXCEL.EXE
1144	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	1144	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
1144	WINWORD.EXE
1144	WINWORD.EXE
1144	WINWORD.EXE
1144	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 5056	1144	WINWORD.EXE	95
PID 1144 wrote to memory of 5056	1144	WINWORD.EXE	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PG_320_MPI SRL_20240607_100526.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2536

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\93E1D4E7-7C48-4A2E-90C0-824B7644C487

Filesize
169KB

MD5
cedec1a2dfafb6f281fa443d15de8593

SHA1
f745c0ca4f1e7ec791c053c3865b8b4d4c125a7c

SHA256
6a97932b12eef3deb0d638ea475ad4dc461dfea93467d1b38a26c5765c2ee16b

SHA512
60ccfcb468455e0afc2bc82b281bf33c92f3f1f802cc9f24d49292b4b317a20b0e5be1b03ef489665a700bbb370198451068069704b4ec918166865b32acd218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
5KB

MD5
e0212b56aa61b67b5c897d0f745b8711

SHA1
c612e91f18810064edfe33763de839ae9a06d331

SHA256
549914984aea941417b5d892324f801ef38c6541f2827d393a81aa536894e2d7

SHA512
368e99db62a4971d64e3fa3d14cc980d89394417194548c5919ff973e60633f6b068de078e5c96c9dadf2f914d0244bfdf12548c8eae2232fbf002eb29022fab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\mip.policies.sqlite3

Filesize
36KB

MD5
1caaa0f3f122769c9630a265ecf62b35

SHA1
c155c00bf28ab3a966f2052b2c9657e48ad332b6

SHA256
9c0a87aea9bf3191bb0d048a7de016d4cab13427c1612484a7c94dfce22ad38b

SHA512
9b74622376a6ba4ecd9f378a758398eaf61d55084c584fe665750ad4ae702f78b0eb02171e83eb925a365760cfbc1bb2b267bbcf5d8a00afec2b302197c89719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
a10f215793be1ec7d324b446c8231f78

SHA1
fd466534ba3d44b9d303decbcfe166f4426182c6

SHA256
547d5d22406c0806326983325ae1035892e69acc32f498e6decc9331ad12f81c

SHA512
e98ef576715bb516db7cf76a23b1a1447b1498671f4981e979d473e626b3be2a6c871e6333b3cd8b0f4aa359d579b1b6fed9a68f12336c14c1892ba7668f784c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
7e051e80b736cc2bef1664246f6fdc98

SHA1
8da2b0fc1b069a411c86a85efca38e585361556a

SHA256
d147e9cca5339c1fab2f10c11a9f293989715b9e14cd288404d4ceaba9de9ed5

SHA512
e9bcbd83f65aaf5bd925d98457c6de4752a9b0ce3e94f32117e66f1ecced81188c6b2f736b52bf1e65391a2fb939faf114f3c844205d2d1600667588f8865638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AF6HG05X\simplethingshappeningnewthingstobegetinbackmywordsintheworldthingstogetbackheresheisgreatthingstobeinline________________sheiswhattogetbacksheisgreat[1].doc

Filesize
110KB

MD5
e628ee1f2b81b8972f53e2b2785d97a1

SHA1
0fa0fe5809f166d707fdcf3a2a866b92a761a92b

SHA256
8fc89bf19f14cfd251b0023a624d9be2eaf9a41328e7d5c6f1c703fea07c841d

SHA512
cfb5abf034fb4105fa1f5b23f40b3070427bb862c701fab29457caf15f1f100be6103d783380490cf6afddc7291db17a75f6ab1e19a82e2650072a94eebb6093

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDC1EE.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
36B

MD5
8e053ce94aec69e4205073819747b09b

SHA1
f09aad87877f279f5e5fae7f8460d7212548052d

SHA256
6a19db6e777633b67d0bd9495419c802368f741a0203324f61dc30a15854221e

SHA512
da91d2a505f1a6d9cca97bee71a8ad5b44255bc6df6e93b7ce6812786f74296feea32f39821ccaa6c1b5b2210e37cd494197e0871330e6c40178608f06a08084

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KDA61XNGVFA6FOH10LHE.temp

Filesize
1KB

MD5
c95013fd8d95f0fe0340986f84b8ee83

SHA1
de538265cb19e82289ab4e1db9845e758c9e4ccf

SHA256
5ee9b862ad71da3049a603298091869596deacc9a81d87c2c0bbca0a5e20c3d7

SHA512
af264e08a156b058e8af903f9b34267115c1476422255d06ac774b6297d617acb14b2d89da9d0d0e51877ca7b9e94d4c469da5db6b43090fcfaa680b30ed1dfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
memory/1144-34-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/1144-583-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/1144-42-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/1144-41-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/1144-38-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/1144-40-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/1144-39-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/1144-37-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-13-0x00007FF85E0F0000-0x00007FF85E100000-memory.dmp

Filesize
64KB

Download
memory/2536-0-0x00007FF860150000-0x00007FF860160000-memory.dmp

Filesize
64KB

Download
memory/2536-18-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-19-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-4-0x00007FF860150000-0x00007FF860160000-memory.dmp

Filesize
64KB

Download
memory/2536-9-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-15-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-16-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-17-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-14-0x00007FF85E0F0000-0x00007FF85E100000-memory.dmp

Filesize
64KB

Download
memory/2536-10-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-20-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-11-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-12-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-8-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-6-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-7-0x00007FF860150000-0x00007FF860160000-memory.dmp

Filesize
64KB

Download
memory/2536-5-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-3-0x00007FF8A016D000-0x00007FF8A016E000-memory.dmp

Filesize
4KB

Download
memory/2536-1-0x00007FF860150000-0x00007FF860160000-memory.dmp

Filesize
64KB

Download
memory/2536-582-0x00007FF8A00D0000-0x00007FF8A02C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-2-0x00007FF860150000-0x00007FF860160000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads