9634a4f19306cf8e57396c40e99612888f2663cfe261e3640b836ad488cfe95b

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9634a4f19306cf8e57396c40e99612888f2663cfe261e3640b836ad488cfe95b.xls
Size

751KB
MD5

32eb79369e1e7e135906f146b9d35457
SHA1

cf00749dc8097014fa6f94dba1b400e600cd92d8
SHA256

9634a4f19306cf8e57396c40e99612888f2663cfe261e3640b836ad488cfe95b
SHA512

808b364e5688dc85565411933fb03dbed3b21d0043776585e133f4ad817079fee36c02f1b530fbc0b260e4970ed3b13f6d5deacf39b9cd7a85420dec50c14904
SSDEEP

12288:0qFzu4LSZU2QdSZKHuntvZctbyyWgFfX202BToNcq7nqDljjTvyd8NPi9zS+i:Nzu4LLxdSZw0vZEbciX20KTZ++ljjTDD

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1476	EXCEL.EXE
3840	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3840	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
3840	WINWORD.EXE
3840	WINWORD.EXE
3840	WINWORD.EXE
3840	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 4668	3840	WINWORD.EXE	97
PID 3840 wrote to memory of 4668	3840	WINWORD.EXE	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9634a4f19306cf8e57396c40e99612888f2663cfe261e3640b836ad488cfe95b.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CD012D63-8414-4D16-9CBA-61B44A901BCE

Filesize
169KB

MD5
3705a14e7fbcb2a0132dd5e83890b2d1

SHA1
4e998b666010688c8b0d89858d2b641b86270ecb

SHA256
93c82141dedec894f69697a41833473ff0f1fd800d318439ff382290b09029ff

SHA512
a4d0dab4d28be23743ec0f7b9a367adb37633879204bf4fd1210beca397f4f81ca8bfbf08504845297728a5eba8cc30286addd1bf914a14171fce49cd23083b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
8KB

MD5
2fadceb27dccdac055952bbbe9e9d7ab

SHA1
0296e6c1ab0efc038503415c349a097c9aee3503

SHA256
6c8d33cc28a60dabc6b4386ab0ab35098fa6a5e35d497c0e2350b2368c38224c

SHA512
b8739d2636a658dc8ea8f30f0806236e7a8f69572bb11db5be19b4e124a3c131c56ce5fc19c0fc20c2e2f0967ee21b55e9d206a2ce0fc7f46364aa469cad355b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
d1b3348aefde37bd12b427b55b387a02

SHA1
479c7a66eefd600826804b040a445d4d5ed55458

SHA256
29cdd05d2fcec2dd192a9355b5ded7624bb82563dbcd4cc0407f8fbad5c735d3

SHA512
3ec9cb8df8a1b6f30188023831a4c1a40e7ead362ba1c3da66610bae97360ed9c0bacb2a7cfb510ca915191b37bb60b074677b045dff12096988ccc00fc1e835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
0cd470cce424df6cc4e60187e03a0aca

SHA1
46a4631b0d5557e0de4507625323047a072ab42a

SHA256
d1cbfda5205a723ae5951d30e99909c89c7a52ba70c98c60cbd406f722002dc3

SHA512
59ca4f946d23b77f1986cd2243867b7387c96d5b7908cffa405b89af0f544d4a945f85187123f03e381e4e0d25fbf828135e201e5954fd3b51ba6bca09bd1bb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WZ04RUV6\megreatwithyourlovertothinkaboutthenewconceptgreaterthanbefore_________ireallylovingthisbewbeautytoinvolvethestructure[1].doc

Filesize
87KB

MD5
29b3fc11ab9d647ec19d3e02364355b2

SHA1
bcacc163004990d917d6402942e3e34609fa33e5

SHA256
2f7014c598a900f828893aeb0c0724d9f48c37c6987dfc12847525df174e0e81

SHA512
68752b58c102c4816859f4e06a9e676509ffba01cbe2772d5694e76da37f4dcdf74bd62d8ecaa33ed42f773693aaf135ad1b4bd940ae2277a7900f0105c57ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDC15F.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
235B

MD5
4c06cc72d4a32fa82aa9e5cd97fd6667

SHA1
3989abfcef594441d8d755048e6cf6879533a3cf

SHA256
ea72816d7cee08d695c6f90487d2e334a3d8c1a261ffdc0d66f3ad8b0d8d50fd

SHA512
b666fad68168f65f076627c1785f8419c4e445c4378a47cf9cdc933586830436986dbf094643bcf67769918377a775895e79c6df18ef4b6eb753f1f47891053d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
a8eb70740327a11b634cc14e18aaa359

SHA1
4aa1b37a612f0794a1c16c17683734292b539533

SHA256
8fd74c5002de47610bef2a9106962de029b70ec1169452c29d38e3c0a4435240

SHA512
c0540062da782d0a6e52b034557ead1009f238dd97d92d7ee8ada5570e4bb18ce7d1fc3c2cef27774d6e7b707d26cfe1d8b8900e116142b8134d38d92b1dad12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
memory/1476-10-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-7-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-11-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-13-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-12-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-16-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-15-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-18-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-17-0x00007FF9941E0000-0x00007FF9941F0000-memory.dmp

Filesize
64KB

Download
memory/1476-20-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-19-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-14-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-574-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-1-0x00007FF996930000-0x00007FF996940000-memory.dmp

Filesize
64KB

Download
memory/1476-2-0x00007FF996930000-0x00007FF996940000-memory.dmp

Filesize
64KB

Download
memory/1476-3-0x00007FF996930000-0x00007FF996940000-memory.dmp

Filesize
64KB

Download
memory/1476-4-0x00007FF996930000-0x00007FF996940000-memory.dmp

Filesize
64KB

Download
memory/1476-5-0x00007FF9D694D000-0x00007FF9D694E000-memory.dmp

Filesize
4KB

Download
memory/1476-6-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-0-0x00007FF996930000-0x00007FF996940000-memory.dmp

Filesize
64KB

Download
memory/1476-8-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/1476-9-0x00007FF9941E0000-0x00007FF9941F0000-memory.dmp

Filesize
64KB

Download
memory/3840-40-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/3840-41-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/3840-44-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/3840-42-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/3840-39-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/3840-36-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/3840-38-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/3840-37-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download
memory/3840-575-0x00007FF9D68B0000-0x00007FF9D6AA5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads