f9541983f2c2e2f0a0a72dce180342d0637a52a4ba6e49ea42e8c5844d4de9e3

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AWD 490104998518.xls
Size

1.2MB
MD5

f63c009bccbc4d8d26d162a168feaeb1
SHA1

fa8ab13582703932f968a31e6cc0973e45ca43e0
SHA256

f9541983f2c2e2f0a0a72dce180342d0637a52a4ba6e49ea42e8c5844d4de9e3
SHA512

56a099036928c0af89d6a4cde7977cf5f3a5626a028aabea8a4dc590dd582c395042ae2c4f05b8085b81a9d19fb12f18beea0fe145712f057ffc12028e063395
SSDEEP

24576:D6sKGQKr9+FZF+S0ANklw1Q1Ftt5Kj1G8RjM78quuH6OBrNoDgYEMuFh:9Hr9+FZQNw1Q1l5oGYjMhuu3BRo0Yr+

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4960	EXCEL.EXE
2372	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	2372	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
4960	EXCEL.EXE
2372	WINWORD.EXE
2372	WINWORD.EXE
2372	WINWORD.EXE
2372	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3640	2372	WINWORD.EXE	93
PID 2372 wrote to memory of 3640	2372	WINWORD.EXE	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\AWD 490104998518.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6E454A00-F19E-44D1-8A74-A3C325F0452C

Filesize
169KB

MD5
b7d6c19c10ca9bd6c7817f1bb9fa6919

SHA1
368bdd4b77d2f5ce8751a6674f1cc0fadeaa9b2b

SHA256
73859fcd76f07bf256856867fa492d51ba9109ba697666d360464de8dff67f62

SHA512
bf4996092628c5250646707cbab78910648aa32ff2fc97f420b6e2caf8470dfc73b105a0e65005a833b5e86ca10992b8479bc557d147cd8fe4215aab5c2b23d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
a84d89b96080fe5f4dfb6b8f32f00080

SHA1
38df4d051a2f86afaf0cfaf6996419539e887f8c

SHA256
fd0f55dcb755b34c70a4e2995fb1e27b260a1a2dfa52391063544ab6500bdbc5

SHA512
9a3bb677f83bf956270ed68243973e86ceb02752758121c4ac2ac227d3ba928f2aebbaf69ed4118c14ca3a13ef220a708223e585013ede3749b2861243c3ac67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
c6949437d80a79ea625e1fef8021255d

SHA1
fd3bc3417adae4db31ce14aeee3d34bf7fd4fb1b

SHA256
29019ac8febf225f740fdce91d62add2f0a7582023f58555a57e59252bce68dc

SHA512
90621d1ab21a10c8b22715cc7d7a86a0d68084f9619714cf73a9b38154133cee0dbb48bbc912513d3b03646b8ac1bec3a5a9171e8d713d7504251dfe825023c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
369707dec710409c0595db577ddabd40

SHA1
f5dc6337ef392f9c3e65f1a80127bc0b1ea2d44c

SHA256
ee2b5206617eb80d65e9831fbfe7e9b37446df2fb751e28bca3ada6b489d6494

SHA512
8912c1d81551a843c94fedb52f6d8cc6a74b9710958a986b7eb12eee5b2e5ee36e3e6043d973fdcee1f493f3a1f8e59b840d63cbb3d0e995117007bcba7dff52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCRJMNF7\creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback[1].doc

Filesize
83KB

MD5
e03f3290788de4d7a103f16b780b3cce

SHA1
c220e79a2714ed59f4d7b1d0a4f6c63a03772ea6

SHA256
db4fed8fb3c35582ade2fa57a5866ec7795e94bff34f004f66d15233d1a2fcd8

SHA512
9372b124ecb895a5c7672d75d17eb3ea3d91fab5ed675aa82090d8d00c15cb4477553342a356c4f8616869c2987105e6468bb2a912196dab055e06e34ad24b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDE36A.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
275B

MD5
2c37117357e2c8c46dfb7e1311eeb013

SHA1
5f875d5da67aa65dac0eb45f0755fcd10c110964

SHA256
bdb8f6f1ef55fc37c9277834b5018215621cc9dec84568a8c9fc10d827a869fa

SHA512
543740386907d4c5c3640e8395bade554b17e7ab77440093017f32d19986676ea71beeb25f800808c6ce4589f7ad62ddbe85fe0b1824690d27b6d299a069caf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
c1c3ed8cd575d1bc0645f9ccd693259a

SHA1
60fcda05e90e67e29f270e38990e6b54d2aed698

SHA256
23fc9982b7086af31318282f14fe838e4c0399a574a2634c299d12d59b0d7c1b

SHA512
3691fdd2abbedec707ad0d822fbf7638bda0ac8ba23df584eebf61bcf4205a28a89b3ba07abc3322b5af78b71a396f879c15bcd7d34360738115ec567bba5a1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
c2bd6dcb0c80051095bd92ba61971882

SHA1
893394de43e13d39b92a8eb0644536514d912bf9

SHA256
bbb1e5557c9f2755562f178bd8fcb8154cfb68d02187f0b90f7ac07f46cd76b8

SHA512
f8fbe759acd64ecec7f1a8730cb42f32d560d4eb095e5fb15805d3823d9de304a431964a9404ecd0c46f038ad3ce79ac5f40e4beb1c3ef71ef005938e559600e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
663B

MD5
7c7cc5dd79039720abc3e614d513db76

SHA1
eb40795c493c1bf6c2d376c4083091dda8941f1d

SHA256
01b312ab9fb79ba2896701ee0940d9cceef1ce1cdab9dd340d8d5a0d44905b28

SHA512
c6d693040faacba662d1496f7507c8624a4164aede9a12e1821260b62f40a7a72242a84e313c3e68b96652cc9d981251a93282090de1703f3f3aabd7a8f86bf4

Download Submit
memory/2372-34-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/2372-37-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/2372-572-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/2372-41-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/2372-42-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/2372-39-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/2372-40-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/2372-36-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-18-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-10-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-0-0x00007FFC23990000-0x00007FFC239A0000-memory.dmp

Filesize
64KB

Download
memory/4960-8-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-17-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-16-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-14-0x00007FFC21140000-0x00007FFC21150000-memory.dmp

Filesize
64KB

Download
memory/4960-15-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-12-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-11-0x00007FFC21140000-0x00007FFC21150000-memory.dmp

Filesize
64KB

Download
memory/4960-9-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-19-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-5-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-7-0x00007FFC23990000-0x00007FFC239A0000-memory.dmp

Filesize
64KB

Download
memory/4960-6-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-4-0x00007FFC23990000-0x00007FFC239A0000-memory.dmp

Filesize
64KB

Download
memory/4960-1-0x00007FFC639AD000-0x00007FFC639AE000-memory.dmp

Filesize
4KB

Download
memory/4960-2-0x00007FFC23990000-0x00007FFC239A0000-memory.dmp

Filesize
64KB

Download
memory/4960-3-0x00007FFC23990000-0x00007FFC239A0000-memory.dmp

Filesize
64KB

Download
memory/4960-471-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-571-0x00007FFC639AD000-0x00007FFC639AE000-memory.dmp

Filesize
4KB

Download
memory/4960-13-0x00007FFC63910000-0x00007FFC63B05000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads