49bfe0d5f55746bf0ce5016fc4c179d3483dd96ed9175b7e60fb155b8c61b632

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49bfe0d5f55746bf0ce5016fc4c179d3483dd96ed9175b7e60fb155b8c61b632.xls
Size

332KB
MD5

87cc85777526d5b05b67f4b1466729a4
SHA1

81ad91c53c67b0d800041cfa162fd16c4e420350
SHA256

49bfe0d5f55746bf0ce5016fc4c179d3483dd96ed9175b7e60fb155b8c61b632
SHA512

1f276ff57be75a73eb59a7b85faac182b1000ca7ce9e341178242e7e4f7e66efd3ac64f4f87f84a067f984e2270effe6281dd8d27f0ea977667bae73d56bb9b4
SSDEEP

6144:srNORYBhJHw5ufziCNBmwtzRer7Zwbtong8+9JOnRuoU94bTQdSn:srN7bZ7iCWwtzoqUgmsoO4oE

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4016	EXCEL.EXE
748	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	748	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4016	EXCEL.EXE
4016	EXCEL.EXE
4016	EXCEL.EXE
4016	EXCEL.EXE
4016	EXCEL.EXE
4016	EXCEL.EXE
4016	EXCEL.EXE
4016	EXCEL.EXE
4016	EXCEL.EXE
4016	EXCEL.EXE
4016	EXCEL.EXE
4016	EXCEL.EXE
748	WINWORD.EXE
748	WINWORD.EXE
748	WINWORD.EXE
748	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1940	748	WINWORD.EXE	93
PID 748 wrote to memory of 1940	748	WINWORD.EXE	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\49bfe0d5f55746bf0ce5016fc4c179d3483dd96ed9175b7e60fb155b8c61b632.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
42fb97c861fb0400877cf26cb6fb41f2

SHA1
4b858f26fa4e35e65509a25bee693eef5ea411a7

SHA256
b030f6da934b9ea1c5829c326e4991f7183c550263b3722ff9b61cfa238e8772

SHA512
2ccac738a44967413c4a0ad53fee4b6faffdcccf6091661fd9e0fb76c0500e24eccacd8d5d3ad26476bdbf6ee5be53f59d0949d282417dd21429a023ad05bbf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FD60B2A78C5CF48D5A24EF4AB542D958

Filesize
345B

MD5
ea0beedc18632c393124365f866ca6d3

SHA1
844a4f4eb8a900034a66da05744edba963cd59a1

SHA256
f0a473e4f3b274823261d335d92e0e9339872739e2e6e7c1c6757a0f2d22ce8e

SHA512
8250824921ae372dd0e2299e6abe4b149ab56f9e3906c473b1c67eac5cb669833cfecb6bd5c97620f41071d0fec6ea145c64c3216a359bda007e390443d6dd8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
824da2bd0d6cc2d182b4c75552f59bd7

SHA1
3a22b9cdd4c47bd0640ffcf0bc9efa062d5a36bd

SHA256
2d084bc20fb8404dbe52d3c32f306d0078736db92d746d13fb860279f814cecc

SHA512
3ccc6e9d72ea89c51a0c3b72b6ea541466764f765f7f5d790f39cfcf87e44f4318ba1280813dc65ffd1e9a35803869337ab5ded2dd87a7fb303a44248ef67824

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
e4973f23c5317faa8adce6a38adcfbff

SHA1
bf70eeac7354c977689ade2faec2fd93f2037ea4

SHA256
ae393d0be6050bba549dee377da1eca0946fe35a2729243ab04891500883c34e

SHA512
9c42f67c2b75b7f49df24bca6110c7273a4985ec45a5b52d31c4cf6a32c7a6399b7daa85ffa8bbc48d558993f134359eac02e400affed69cf2538eb83465a7c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FD60B2A78C5CF48D5A24EF4AB542D958

Filesize
544B

MD5
04a130f9c57122f585f343bd27dfaf7f

SHA1
ac50b099132a174e46f0ebd60175c00e4b27f6b9

SHA256
94750051a48383e8d1d20c271e99b316108f1b260d6b343faac4a8b68ee92b38

SHA512
5ee6fe79e5f3f99b8439de780e5e42980c906e47ee5c888b6b5f154a4cc91598c528bd0d0eac72d5e2bdaf328781819d31c5d74a9259b9b2a37cba74bf13aefe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E07E711F-08D0-44EF-8DA0-747971202839

Filesize
170KB

MD5
47a69163fa6ed179e9570fd6546397fd

SHA1
9d9a99805fdda0f8c98180284305f843cf45f41f

SHA256
4d27b573879f45a4a878ff31d35b29e626f7981c193dd4cc8b394b2eb00f0fdf

SHA512
a0f4cadcc8b90630cebc353663cf8c1a3ee3780785658e6d0972b0f846c548aa86eadb72cbc75570622904834c2267bbcebe768125295ae776052e220c412fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
a9c4df6257038fa70653b8bfcae555d6

SHA1
9406f8ee49a616b9314e4e61b762bfc53db86bd4

SHA256
02e3b94af1af296678eb11d38bf555938822ba95d68578367f436e13dfe0bbb9

SHA512
aad444ad053a49f6d7bc3e305ea27ee2b5e656d9947eb81574281e03317e5588c34cb8d8d1c94387c83dfeb141ac35c8f9ca390741ac5ab18d75c7a3c5bf6946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
dc944533cb1425633b9fa56b497e1676

SHA1
6e72e4570fd5a794045a59de84eb033a8b6185a2

SHA256
819e9a0569a04944586af62e5593fc261ae0284913c7e58f72476737b4a01839

SHA512
b637e0b1d84eba0c378fab322f30083f361d6c3baf49cafd928696f38d9e973acf3377a6a597f5178ff09c0880da4958698627fe772f729dd0ae5cf33dc6a4a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
66a91b9fef8b04af70c34208cc742dc7

SHA1
a6bcd18a2858dc18d033ea8ee0bb1b412be9d86c

SHA256
6a781e50cbe833a2e1c8e4f413259d426f26b22a2c08dfd1097d0396e2e385bd

SHA512
e6773f2188add502a8866ffb3a21bda3459395a09bfe2e8487bb616af31682437f052b347e915c63db4a908a4e2ac7bafb173a1ab6feaea3aa29058b328447e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\wethingsaboutentirethingstobebackwithnewideadswhichcanbreakentireworldrespondtotings_______seethebestworldthingsalways[1].doc

Filesize
102KB

MD5
14063e76ac284744cb2ba86de57b9072

SHA1
a7ea877406729bac83e279d20b85c33e3a88de63

SHA256
771abb2dd9d45565687b372c7049a18779b3f4de35b216709eb3aae06f360561

SHA512
8e897b37ee6cce03b20baff610030bf31416030b34dd741e8df8a7ca90d11b91e80f751777d7573f69d889901d9068d9706805f2787833c341695b4a1607e7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDCD59.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
332B

MD5
3c47970c0cc6f6b9e407a5403d6222cf

SHA1
8cd38cb29d858563b159bcdaa109694b79100c65

SHA256
af5c2ca94e9a9ebbc6423ffd6cb5323407afb69f80e74e4ee7f83d85c30f0419

SHA512
c6c5434258d7bb2381c4318b228e931ae8643f7d1e27f13f3fff5b811f94e7987bc6935bbc006b4f7837f9f83efed0006eabc7e2a13377465e4c0f7a03be87f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
e597b378f056415bd44f1edcbba72d9c

SHA1
8e35b26ddab5fdd0b0ca34d536f210601048bb52

SHA256
2965ddb55c78b936d209b7f1d0cb8db9dcbe29198eab654fac813cf124246f73

SHA512
78585789b7ee3d7b1074c5c64f7e369fa2b5816fddb3801516cfc62ca3810ce65e779908a1439c1fcc4d5665b71eb3c6ab4b2691e285753f72b687e914c09776

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
4c72587a62aa9d22e580b5c474307edc

SHA1
a61b2b3fe2d87a962185ea6cddc5d324b2971705

SHA256
ec2f05a3adc6f30ad2f42db7cdec4a4797c717ef10ed528f91988ff61c352c98

SHA512
79694d93a1b93ec3b787f2b14cf727954e838d7daabf929e0671b14ef2ab2a8fdcfe3be94132f42f24067ac4de89ea9160c4cbec96899b11cf21cd6018cc5d00

Download Submit
memory/748-41-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/748-45-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/748-221-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/748-40-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/748-39-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/748-47-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/748-42-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/748-44-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/748-46-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-13-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-10-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-16-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-14-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-17-0x00007FFF301D0000-0x00007FFF301E0000-memory.dmp

Filesize
64KB

Download
memory/4016-12-0x00007FFF301D0000-0x00007FFF301E0000-memory.dmp

Filesize
64KB

Download
memory/4016-7-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-9-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-11-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-0-0x00007FFF325D0000-0x00007FFF325E0000-memory.dmp

Filesize
64KB

Download
memory/4016-8-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-6-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-4-0x00007FFF325D0000-0x00007FFF325E0000-memory.dmp

Filesize
64KB

Download
memory/4016-5-0x00007FFF325D0000-0x00007FFF325E0000-memory.dmp

Filesize
64KB

Download
memory/4016-1-0x00007FFF325D0000-0x00007FFF325E0000-memory.dmp

Filesize
64KB

Download
memory/4016-2-0x00007FFF325D0000-0x00007FFF325E0000-memory.dmp

Filesize
64KB

Download
memory/4016-3-0x00007FFF725ED000-0x00007FFF725EE000-memory.dmp

Filesize
4KB

Download
memory/4016-220-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download
memory/4016-15-0x00007FFF72550000-0x00007FFF72745000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads