9634a4f19306cf8e57396c40e99612888f2663cfe261e3640b836ad488cfe95b

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCAN-HSBC-PAYMENT-ADVICE.xls
Size

751KB
MD5

32eb79369e1e7e135906f146b9d35457
SHA1

cf00749dc8097014fa6f94dba1b400e600cd92d8
SHA256

9634a4f19306cf8e57396c40e99612888f2663cfe261e3640b836ad488cfe95b
SHA512

808b364e5688dc85565411933fb03dbed3b21d0043776585e133f4ad817079fee36c02f1b530fbc0b260e4970ed3b13f6d5deacf39b9cd7a85420dec50c14904
SSDEEP

12288:0qFzu4LSZU2QdSZKHuntvZctbyyWgFfX202BToNcq7nqDljjTvyd8NPi9zS+i:Nzu4LLxdSZw0vZEbciX20KTZ++ljjTDD

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1556	EXCEL.EXE
2500	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	2500	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1556	EXCEL.EXE
1556	EXCEL.EXE
1556	EXCEL.EXE
1556	EXCEL.EXE
1556	EXCEL.EXE
1556	EXCEL.EXE
1556	EXCEL.EXE
1556	EXCEL.EXE
1556	EXCEL.EXE
1556	EXCEL.EXE
1556	EXCEL.EXE
1556	EXCEL.EXE
2500	WINWORD.EXE
2500	WINWORD.EXE
2500	WINWORD.EXE
2500	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 4064	2500	WINWORD.EXE	93
PID 2500 wrote to memory of 4064	2500	WINWORD.EXE	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SCAN-HSBC-PAYMENT-ADVICE.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CA8B4197-10D3-40EB-9160-3EA09A3767F4

Filesize
169KB

MD5
2cd8e50d31b6838911d2702e5371c763

SHA1
8d5e6ec5637a59f78726702907429982fe43834b

SHA256
4aa9564ec0179944dc8080c9bf707279727ad31ee7ca58eb304be025f26b53f5

SHA512
46f56b4bbd14a8e27babdd6da2e2635e84927794a23df492022294ab1f51398f6cbf25a55c3f70fd44c669c3f98e88a16315943cbe59465986a1b3d7a9b6eb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
dece06e7c35b3a108a2d7ccd39994bbe

SHA1
374995b53b754c8d939e31da943e50ca640b410c

SHA256
22958fa7da8006bf087ebe527595c567033681b3c4716e0da244bfa4616c1ca2

SHA512
43f6519c4df3f0e5d91da25de938466da03bca1c671f86084689b5989a4215c388b10967b52abb6921ce25e77bf795a7cf72fa9da54db07aaeaeb5df0bd4a08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
1aa24bc149d1094d64b3b0371814086d

SHA1
24fdebce032ad5a230ebc0d82fe1cbe504084350

SHA256
17566c4ad69054450cf19f67200178c6a36c801046f4924e5c48eb82a3ad9ec2

SHA512
68e60cce53cc7f468579c80f6aa9dd58942477e598aa69789c62758822b2d81077abdee9cfe6cc44f404250a7d699ee443e4238b57bd3436a5ba5e81a8faff9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
035899edf5b6348f9aad4f689fe9179a

SHA1
78a2d66338609e9a867bd1558745fb30b37826de

SHA256
50328295f2544d6a5343fd8ba268f4fa28107fdb84d43c3ff5cbb6bce1ad8673

SHA512
4b4a76447b71864a0457983898b435c4d496d7b4659d03a6df12087fddc8e3096af9682c0f23a2fbd74ca3043291bdc76945b3dfeb394fdaecdc99a2b05e67f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MQYRE6E5\megreatwithyourlovertothinkaboutthenewconceptgreaterthanbefore_________ireallylovingthisbewbeautytoinvolvethestructure[1].doc

Filesize
87KB

MD5
29b3fc11ab9d647ec19d3e02364355b2

SHA1
bcacc163004990d917d6402942e3e34609fa33e5

SHA256
2f7014c598a900f828893aeb0c0724d9f48c37c6987dfc12847525df174e0e81

SHA512
68752b58c102c4816859f4e06a9e676509ffba01cbe2772d5694e76da37f4dcdf74bd62d8ecaa33ed42f773693aaf135ad1b4bd940ae2277a7900f0105c57ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDED40.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
349B

MD5
41f1794d56beaee0b3ef5a266575188c

SHA1
24cae0d77a5d1e8dccc3ef1efc631c8a30013c88

SHA256
88b5520f3ca4a1651b775af000a63726577153e6575b63e7d90e132e6942318d

SHA512
a7f98adfb87ff4f535f0f37ce733a4a879b1c58a99a752be95c9b46954de8ac94a2a4d9d0c77a6cf7938e74ee30df7a9b195e76493416b44b8f628aaee999eec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
74aba59864e0f19446be7c2eca7f21a6

SHA1
cdee74afe5c65a0b14c1fe00ab4fab314b0d39b1

SHA256
99f340795e75baa2766a50b1e3db6d28fdb63cd8221a4ea90c8c9bb0ec3dbfa4

SHA512
22bc52d89a7fa85f937517807bae39741523240ac5d9e115180a60152943cfbee23108f28b2f40e037f0999e68b8de8daeea2560c7c108241c14f2a9e1a2ce61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
8f90fe27883f91a765e5c46b03be0af0

SHA1
9701c7df622e9fb97df9cbc68109be8b737aac1b

SHA256
a21d499450e57bb92c82284310723082f3e05068c966d2a8125d16b72060efb8

SHA512
cbd4ac3fedf65ccb1af42a14d407c00169ad3a1b77d0a8910955fb9a55141550ec8dee892d4db2328711639424dde454a554beec49aa5c3f25edfbfb91693abf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
46a6ffd17e59bf2659d12aa715eb0c13

SHA1
1412a1276d4b8212ae2d39a526039949db78ae36

SHA256
92fab2fb60ded1b63a881bfc33eb655f59d23a986aa5fe1fbf51f3bdde10a2bb

SHA512
ba35ac5c504658ae5f9c2e66deac52a6987a63fed764230141738db4147d9e1dcad47635338e41ba68f9c61b4a689028085d7279b994a582d578151ccd42f1f3

Download Submit
memory/1556-15-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download
memory/1556-13-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download
memory/1556-11-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download
memory/1556-9-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download
memory/1556-17-0x00007FFE39870000-0x00007FFE39880000-memory.dmp

Filesize
64KB

Download
memory/1556-8-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download
memory/1556-7-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download
memory/1556-6-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download
memory/1556-215-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download
memory/1556-1-0x00007FFE3C170000-0x00007FFE3C180000-memory.dmp

Filesize
64KB

Download
memory/1556-16-0x00007FFE39870000-0x00007FFE39880000-memory.dmp

Filesize
64KB

Download
memory/1556-12-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download
memory/1556-0-0x00007FFE3C170000-0x00007FFE3C180000-memory.dmp

Filesize
64KB

Download
memory/1556-14-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download
memory/1556-10-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download
memory/1556-5-0x00007FFE3C170000-0x00007FFE3C180000-memory.dmp

Filesize
64KB

Download
memory/1556-4-0x00007FFE3C170000-0x00007FFE3C180000-memory.dmp

Filesize
64KB

Download
memory/1556-3-0x00007FFE7C18D000-0x00007FFE7C18E000-memory.dmp

Filesize
4KB

Download
memory/1556-2-0x00007FFE3C170000-0x00007FFE3C180000-memory.dmp

Filesize
64KB

Download
memory/2500-34-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download
memory/2500-32-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download
memory/2500-216-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads