7a0100fe1d14c012aebc379d5f911b928aa7cae5f8371ef5246184c6d3472fea

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 01:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7a0100fe1d14c012aebc379d5f911b928aa7cae5f8371ef5246184c6d3472fea.xls
Size

445KB
MD5

c7a3e10987c9944a35718f64a1956a89
SHA1

4f73a1b4fcbd3299a1a30368971db3386a7d4509
SHA256

7a0100fe1d14c012aebc379d5f911b928aa7cae5f8371ef5246184c6d3472fea
SHA512

11826c3ab8c21a2d5a5ab2e42ca29ad21649b92604b5e766367aabf5003ce6a1b3d3f94fd903e9f2db0091ac4cc2b6b2155c0fc8da10c190d436543cf1c219a5
SSDEEP

6144:O51QZrEsVQ4GhPik6m9p4uwEoLWGD8v9FhreVKjLovdWDUNQ:O5YrEsfGtb6mc1Ll8vbhreVmDg

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4264	EXCEL.EXE
2252	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	2252	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4264	EXCEL.EXE
4264	EXCEL.EXE
4264	EXCEL.EXE
4264	EXCEL.EXE
4264	EXCEL.EXE
4264	EXCEL.EXE
4264	EXCEL.EXE
4264	EXCEL.EXE
4264	EXCEL.EXE
4264	EXCEL.EXE
4264	EXCEL.EXE
4264	EXCEL.EXE
2252	WINWORD.EXE
2252	WINWORD.EXE
2252	WINWORD.EXE
2252	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 3720	2252	WINWORD.EXE	91
PID 2252 wrote to memory of 3720	2252	WINWORD.EXE	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7a0100fe1d14c012aebc379d5f911b928aa7cae5f8371ef5246184c6d3472fea.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4264

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\06B88E7F787D0F8E872CC6C5E3EDE59C

Filesize
344B

MD5
9a6ab26a10dddbc558e03cd1752ae11b

SHA1
b898ed796eeb645627b10e13221e851aa6f0b095

SHA256
b9ed60f8f2b187d480ae021d696c44d9e2030783ba377a57965e70bd9ff42abe

SHA512
9119bd9f375525d818d482edb168fca359342ae43efe6348adac51002f6fcd1eb02497eba98337bd478ac7950e82a378de2b252a9f9fa6f16901206be4335fb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
42fb97c861fb0400877cf26cb6fb41f2

SHA1
4b858f26fa4e35e65509a25bee693eef5ea411a7

SHA256
b030f6da934b9ea1c5829c326e4991f7183c550263b3722ff9b61cfa238e8772

SHA512
2ccac738a44967413c4a0ad53fee4b6faffdcccf6091661fd9e0fb76c0500e24eccacd8d5d3ad26476bdbf6ee5be53f59d0949d282417dd21429a023ad05bbf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\06B88E7F787D0F8E872CC6C5E3EDE59C

Filesize
540B

MD5
db28c101cb48561b05e451fdeb8ca15c

SHA1
f13d0699209004e0a7dc987a00afc3cecf3c77b5

SHA256
89cfd9bc943266226360f3b6e8ebe028223304b963dc4591363c3b3c72940211

SHA512
446e14df5cff160f7408f056ace4ee07b193e4cf4a9820b6493f5a7be938954152db631c355b220e21afef93af60c2aae38c35201b2a6ee84607b20d770ac8bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
291e7a34189ed43a4f6feb53de204a6f

SHA1
5ad7c52714fc055d1eb9cd49e448dba55480539a

SHA256
4638fbbe1c475bbdfffc845a55e1fb77f64fcbcca49a79efbae01548886b0082

SHA512
a1a41bf568d7bb4d468b201830e497cbdd7a12e866853e2d2bb050f0f789244e4c07ed6f7aa0488ef345439ac5c3a2d7ddccf7093bbad4555c8b699674a8b2a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
93d170ef0e66d16eb7f95511c2873027

SHA1
710952854447a12d1c3c635eb3c2bbe02bc346ae

SHA256
017d8e2876514f5f9aba153ead7bae4ca392a7496b9445cd989514665598eabb

SHA512
3833cbf4fe14320cd1d96094879e60f1bc378fec48a5dd43598f9520afc5607e0d77137df667c646d52b68b6c853c283d5449fd01c74d917617e86e672aa1714

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\68986D68-C5F9-44D0-AFFC-502E1E04006E

Filesize
170KB

MD5
c4704c3d90d60f97fe19709c5062e847

SHA1
43ac66800e0a630f3ca038d08bec99879ceccf6a

SHA256
344d9e4f6516ad9442dd7b10892389c6fdaf3aff0b3cca86d1362d7acac3075b

SHA512
4b772838c5d09660dbd6a903be63c25c50a3f9b5991d16050b1697b60f94856574a4d6eefff42e3c2ca428fc13dfc2425b60e6d91d4f54fcb6b73d1cec83fc5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
0e95cd3df8aae66c0682171882db40bc

SHA1
5ef8fe8244362c04b3555457ab77f7dbdc503cdc

SHA256
af6cd48cbc7aa761b9790038d5886a19fcc584fcffd2d6884bf6c5623951c5c8

SHA512
8cf6585f69908f358324bae60f86dcf9f7ffc3ef365a9528f5e2e88e90f4cda09f83d8c6d6f3ecea17e41f4f236f4c22403f22029adb3cf78c496bc33ba744aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
6ac781b74bc0205ebc2e09db92dd7dbb

SHA1
4b4614e09db75a8f840a620b9c3cb3c6133b2820

SHA256
e63992d0774b928879051febb352f9d2d8ae60536bdf91bc78f2ee149cc9e325

SHA512
dafef88f63bafb752e6989520070c060dc7cefda2d2bb443d3e7361d792e08c9e1b755fa383623aea022cd83898237bde992494f4f73bd5cd8f36e9df7166d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
358d0cdb744b34c950d7f0ee1f03f265

SHA1
d6052d9d869599bbed8e48c0edb5e45aadfdf141

SHA256
1e3151fc5209f8eddcd6ae8d1ac3d4a606eea16bda3bb34aeb213ea95322ec83

SHA512
9e9377ab3cc372c03ca982d02078229fb28907c52ee3438e95aee341a4b0fbf964ef2ff66c46009096151e6d86942ad7107b5ed2ec2dd3a253193c6c5a69e4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\mekissingonurheartwithentirelovetogetmebacktounderstandeverythinggoodfor______sheisbeautifulgirlalways[1].doc

Filesize
73KB

MD5
97cca4e078a994aa4adaa54442493f6c

SHA1
2c51164de0595d2cc668677b8f5de7c0cc94f23e

SHA256
4bdce27d87c6d840c9022f855fd86a7216094868d53fb208e0696195b0123097

SHA512
a85f8fdaa96ec57451548ecf44494ff8575d74f05f934f71883454f184311cc4cf38f9e63ae30e25c1f37aa53059a7bbdee6e504e40d2e22a4e7473d0a525a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD20C6.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
408B

MD5
214a3734a1c9a5b40c7f3d466337e1bd

SHA1
3655a78eea18268b404584fd5ec7baa44cd0de29

SHA256
348d18583768faa2c80f8c65dbeb07845b623efaba6565f2a6a7628f83bd15f5

SHA512
d713e92e65bbf0c4a2901a5c21123c2a9d1a00dcfcd955d351aea6744f966beb9100fa612cac4f5df7045b0285e577f43faff65f3fda74f8d28bdd690042e7bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
0106631cd61d2fb5e73d6aa63d1e422c

SHA1
d411c38c4daa337dd04741c895db3963047eec4e

SHA256
fc4e4bcdba6924ed18055341382d5b8b788b2106ddf96942fd1a25143cdd5657

SHA512
26768d49445fd2d3e1bd2438e0a731c336cfe0f6a254714cf895567990b70be3dc258bad37c49688b3ace536c9908d7768f0fe318864975831d80ecb176fb167

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
975a45f92ee1a12c0a1758aaa54afd77

SHA1
bb7f33bbb35d96c258ee68a5fa2d6afa6ab5a223

SHA256
ee1ffed3adbb9795651f47c4f5b5463b2a10efebcca860cac57845eae8ff69d0

SHA512
15c3bc0964cb9260b9ca01dbb24eb5b7577c47fcdd981890fb773be59f507991fb36e972372ddaa028d0b5ca6e448d0741bc4a285c5a5931e0c6978fce7c436c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
8879d6a361e405e3e87eb2d4b88498cc

SHA1
97bf267715f1ce21eee685b8df37555c74ca7b6f

SHA256
2d99e4ccc4ae1cd6b933e1ed58e12ec479e7996ba539921e9188f4a3a294faf5

SHA512
f4b55f94a8dc95bd84b80e9d2e2febf65f728ba0ee53a5570d3dd72a5eabb764e7f4dd6753313778e1e227dd06950078422981bdee66375c34d1c14e771542a3

Download Submit
memory/2252-49-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-239-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-240-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-41-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-42-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-43-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-46-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-47-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-45-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-241-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-50-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-244-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-245-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-246-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-243-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-242-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/4264-12-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/4264-3-0x00007FFED6870000-0x00007FFED6880000-memory.dmp

Filesize
64KB

Download
memory/4264-9-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/4264-8-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/4264-6-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/4264-7-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/4264-5-0x00007FFF1688D000-0x00007FFF1688E000-memory.dmp

Filesize
4KB

Download
memory/4264-2-0x00007FFED6870000-0x00007FFED6880000-memory.dmp

Filesize
64KB

Download
memory/4264-218-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/4264-15-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/4264-4-0x00007FFED6870000-0x00007FFED6880000-memory.dmp

Filesize
64KB

Download
memory/4264-0-0x00007FFED6870000-0x00007FFED6880000-memory.dmp

Filesize
64KB

Download
memory/4264-11-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/4264-10-0x00007FFED3F60000-0x00007FFED3F70000-memory.dmp

Filesize
64KB

Download
memory/4264-13-0x00007FFED3F60000-0x00007FFED3F70000-memory.dmp

Filesize
64KB

Download
memory/4264-18-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/4264-17-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/4264-16-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download
memory/4264-1-0x00007FFED6870000-0x00007FFED6880000-memory.dmp

Filesize
64KB

Download
memory/4264-14-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads