5daccf2d036e313eacb7b0660c8f6c4b4eb48a7bf841f5f85a68eaf08b678553

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5daccf2d036e313eacb7b0660c8f6c4b4eb48a7bf841f5f85a68eaf08b678553.xls
Size

445KB
MD5

e07cfed85c1ddf5a98b21de6cb894a18
SHA1

092241ff646b40b753d18973ec61638a0f70fa98
SHA256

5daccf2d036e313eacb7b0660c8f6c4b4eb48a7bf841f5f85a68eaf08b678553
SHA512

0016dc6031bc7f82b7d85ccd6d93e7618eb56d4ff5fb08847c73996a61c7a5670786bb689fec14e3ab704070e472ab8f16ed25bd5f428b0ac104e827e712cf68
SSDEEP

12288:aWkD+1iATCUvwG3Dl6M+ntycfS8ZxGxJygH42DYqI9:dkD+1BCSDinTrZxK4mYqG

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4804	EXCEL.EXE
4840	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4840	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4840	WINWORD.EXE
4840	WINWORD.EXE
4840	WINWORD.EXE
4840	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 4900	4840	WINWORD.EXE	94
PID 4840 wrote to memory of 4900	4840	WINWORD.EXE	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5daccf2d036e313eacb7b0660c8f6c4b4eb48a7bf841f5f85a68eaf08b678553.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
4fa224d2d0de7f9d614356b87ce9a8f9

SHA1
81340c1f9243f0d7d6b4718e633eeb0a936ff3b2

SHA256
3de62a6199eec7f34c0255fb132f75448604cb47e4045c7a4c950186e6eb232d

SHA512
a6cb63403f06627ad7be7c3924b95aac7e51ad49275eafdf6ac7b5e75544b5ac033a298c07660f7f9fa65c5cc0cef282552dfd0614e2febcc605f98c982842ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
84882f34acd3db3c74b4a8a97963f15b

SHA1
698828bf3de66dc8ced308ef4f2f742f67db0421

SHA256
60bf31dfbe03c1c484c166f239f5a69f0baf70245e00621c44ea997d79eaebe8

SHA512
c7f07b6237894b906ddbfbbe06cfcef273cdfefe0679cace07746119b1e79c4936b1347f28fe4e72a1a82367b288ac2ea064f05ed2a95484b47a4579118c2f10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
ce4501df6cb9aaad28410d1145801280

SHA1
d6c923df3e955eb2b9a50fe28a8394c756c9c2db

SHA256
727e754466067c094e61834eb7d7e45ef4de3002028cac0194f0704014f40f42

SHA512
52d8db480c0afd3a3543eaf5062f347f2018ba689856a96bccbbdf9e94a908cd7f96187258faf9c36cfc4264a11b15e42fa039c8591bc5db0e36fc152f4b1df7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
335418d62f466b2cbec40a98ab69d3cd

SHA1
f564a72d7c820ab55225778b7f5bfb671ca7fdc4

SHA256
5066308256bcd4d6a505a4642f77ba5bd2f1d6c7323f3d214d5025e78bad66e7

SHA512
2f1946f052eb83c66fdfc95d675cab230659c248896dbd6af16cfb07728c0d1f4c301b4ff7013db6f333df40b00485001ed595296a8b749d0420af5b89eb463d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\032CF1A4-298F-4E92-9F8D-B9AEEEC756AE

Filesize
170KB

MD5
848ec64367a2f6bd32f424a06931195e

SHA1
00fb2bbbe594168b6d0710fdf9dc734c255e9335

SHA256
27583baa07577028bb52dbc5542daa12a674928890c4c83b42f62e15563df5cd

SHA512
e446c765b8f2bf62d591280d19732c7946765a3ce775e81622727a71e3d707674625e12e9a21a5a296262db6fc6cbc581dfb0a5724c9f4d554bb219cdd6dc68b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
917784bb6dbc6c29fd85f1cc76e756ef

SHA1
6067c5e4de355c737beca46c4c40a4f5fa16f7d6

SHA256
5eb3347c6c3ad4dd35d6945e9dd122ecf775167283fa3abc51f34493433f8eb2

SHA512
9441562cfb44e2e16144ff3c39fe99a2fe76de9cdfc42d3b58fc89638d3237f3a502c58f3dce6fd858aa19e032a95afcf91b193a1907e6dc5846ff7b132d7e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
df7ee84a01fe4ad16d3f78f64d336e44

SHA1
50337392e32895e78d046be8c30a08e85067a55c

SHA256
3ae010dd81b9422c265597496436dd59a69b27a6013f886027c59797c3660cd4

SHA512
d68620ec4a5be009a2ef517827bb59e79e8b1dcde997ba2e29af596664a256f04c72b79f35a963e7d2db3cd1e38e1375f3c351f614b9a0743e2cd435ce8b6835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
f6dac1f74ad0063bf1a705e51f4b741f

SHA1
480747ebebd6868064d87885f32ddec45cc80ce2

SHA256
a5719c5d72c78a9a413006124124c948d3d49868475fdbe9b189846cc45ad940

SHA512
d835aa6c15c3804c99a26303b5e00bdab744df0f63b061748882176662400ef19539b74f45fc79bdf77dcf21f03c41980cc5d6aa6a98e2a5ddd9f54c9311905d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\seethesmoothofbutterburnwhichtasteofentirethingstounderrstnadwellthebuttersmoothchocolateburneatwellwith_______sweetandhotburn[1].doc

Filesize
84KB

MD5
d18067e4be9ca434241869dda26c5f8f

SHA1
e3f3abcc32c87d48037d68577c3b625bb1c02636

SHA256
f34155575606c4bb730c370e184b5581e724c35fa0161da93f37e5263d476650

SHA512
1d7bf63a5235e5f9c0815ac50ead92775e1e6e1f72b3e53e3432b367f4b8504d411ac575085fea6028085b1790d780f669c80c7455ae9c6c0d89f044a3e053be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
244B

MD5
86a9d70ac6e8ceae1e1027c3d745bf16

SHA1
397b35f4419a620b55c870be59ca2d2f331b479b

SHA256
40ae977f9b29711701db47e097bb53f42c623f65120c3e1550ee84496854124d

SHA512
e77cb8d8a7ce5fdea452757da02c9d6022431db479abb757816c091840bddd954bb51fd91e41f6d0714f6fbc15d3274cdd15aa575363573d751f1edfc62d9d5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
af2ed3383c4ddefe0d9ee5e6188c62e0

SHA1
f75134db92fe0380f4f9300f23966ba0c7673064

SHA256
c8a28964cae24c6a9ace49908eaa546ad04254531084726d4f4b29c82df4ebf6

SHA512
453dcae96725b15c73ffb1d4a3debeeec7702c1000924c194ec882b7a0cf9747bb55d3d6766df9ab65f1faec28fd8b8a820c598968f4382668e83b83cc2db694

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
6e0c046b126b6739ef356ca127b29c49

SHA1
b4f4cd7e2896bb606f8511a320692a9c05335e9b

SHA256
b175634cf7527c34f6de665ebe27d7babe5a2075ce3833b420d68fe5f4223ccf

SHA512
5717fb4880169f2bc216cc8a8d0bb580740606c1852979d95c49bfd2bacc757d0ed562e15813efae0b4370c2efcdee6ba1575aa43bc6973381cfdfa1d5c0569b

Download Submit
memory/4804-12-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-8-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-16-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-18-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-17-0x00007FFF49C30000-0x00007FFF49C40000-memory.dmp

Filesize
64KB

Download
memory/4804-15-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-19-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-0-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

Filesize
64KB

Download
memory/4804-2-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

Filesize
64KB

Download
memory/4804-3-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

Filesize
64KB

Download
memory/4804-5-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

Filesize
64KB

Download
memory/4804-4-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

Filesize
64KB

Download
memory/4804-9-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-6-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-13-0x00007FFF49C30000-0x00007FFF49C40000-memory.dmp

Filesize
64KB

Download
memory/4804-1-0x00007FFF8BD4D000-0x00007FFF8BD4E000-memory.dmp

Filesize
4KB

Download
memory/4804-52-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-58-0x00007FFF8BD4D000-0x00007FFF8BD4E000-memory.dmp

Filesize
4KB

Download
memory/4804-59-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-11-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-10-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-7-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-14-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4840-42-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4840-88-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4840-89-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4840-43-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4840-45-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4840-44-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4840-39-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4840-40-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads