a3ad446626bebe8f644aecc09a0d37995db5519c579d3930ac045a5a45c05692

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3ad446626bebe8f644aecc09a0d37995db5519c579d3930ac045a5a45c05692.xls
Size

165KB
MD5

2fee83fc2c5af9605530ce72a97a9c7b
SHA1

dfeed802de1f062c3a3fdd36a529d86772db6005
SHA256

a3ad446626bebe8f644aecc09a0d37995db5519c579d3930ac045a5a45c05692
SHA512

2614fafe15ad2198fd3bb524d26b959b7c8de3becdf547dddaf2879d72e7c412beea2723b9882e6bf511d265483e14316596ef943133a59f47c97fa84424cd4a
SSDEEP

3072:jUYpmZjeGXnuqKfMMVG+MhD1e5pzYJIjB0ssuyg6kB3f8:AY0Tif7G+MhE30Ojp0grBv8

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3312	EXCEL.EXE
4596	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4596	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3312	EXCEL.EXE
3312	EXCEL.EXE
3312	EXCEL.EXE
3312	EXCEL.EXE
3312	EXCEL.EXE
3312	EXCEL.EXE
3312	EXCEL.EXE
3312	EXCEL.EXE
3312	EXCEL.EXE
3312	EXCEL.EXE
3312	EXCEL.EXE
3312	EXCEL.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 736	4596	WINWORD.EXE	98
PID 4596 wrote to memory of 736	4596	WINWORD.EXE	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a3ad446626bebe8f644aecc09a0d37995db5519c579d3930ac045a5a45c05692.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
d493002e86afa697493bfc9e1605b967

SHA1
db04a88e0db7e20b4968b3b340a3ab35a981dfd8

SHA256
015a55c9e2455c58f243ce6174835c8fd11e4a2d8a68eee63b56ed44ada70282

SHA512
db58c9ef612080ee5d75adf469af6993bd7d19376ad8ec3e4e6d2bad554bc20c55ee7bc591cc71adf9387294ecb6cbf93034c15c28ab5e43a8653ceb4f754d16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
e100e54492632700128180ae21c61496

SHA1
eedb064db24a51f93f72e8a642a09e3838f94dda

SHA256
36b1d13c54ed186fb2f03cf0ee1bf58fe6723e27000949a69f1139db60c6f6ff

SHA512
e53cdaf64327b3fd61938921793237d816ea6d5efaf06b95251ce33203aa6059074806a26acd95e893c9e59946ee6cfcaf01949face497a525ae0ae20d323e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3757397E-3D1C-4F03-B57B-B0EE411E284E

Filesize
170KB

MD5
5408dc6aefac9d43fd37a4ff4e9020f9

SHA1
a974145808db3b28fa54b75280e2d60e2b18ddd4

SHA256
c7e234e4cbc78f0bc4697be59b8349dda2bd9ab5a40ea842b2949bab95564c9b

SHA512
d146210bfb8b0d83e1fa9919f53268d644581cbbb13267f4bb84b92b26df3ea1086a9c0471340e162258232b93e04f472ace8cf9b89967ea3a0becdeb996f521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
26d1e82edcce9e83d9a07454aee75f6d

SHA1
3935847185d6692855c5eae3c50be7bb9e68ba74

SHA256
7f5dfaec8d80f5bf9ef8065bf9ad172720a6b1b46fdb5dda9d9fa04591c029d9

SHA512
bf9ff0f21c32805384111f93887343264be4b1a22a033c7d8d23f3bdef023e67a16e499c8a6a47d9873681c8ebad814c3bd5e925d28b4159f24fd368e47609f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
4130f6b17220bc78ee34ce6101bc52ba

SHA1
15888280b6e60e5f62339e25f203584b3b37cd1f

SHA256
2a38dc55244d7a288a599e52840508473170cc8dfefdf1f26e4217e06000b398

SHA512
cbf980f212b25d7a3005123f7f955607bf239aba9b18b3b2df2e19a19779a29d1c8507851309aec63f00a220356ac69fe9a12e92aa910d4d4c169a7fe9edc26b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
e5861786726a37d8226dd8ebd2a58309

SHA1
98bfecd251d37abac92fc57668eb203897513a0b

SHA256
ad17179cb9641839d5e1ede27b526d29f673457ae5328b9740e8527e071a6f9b

SHA512
39dc5dd5d836b8920e6664525418cb7327536be35382d42daf6bea25d736dfae925f2350740c0437817bcf305c801967dc4bee377e3bd1ffdc4dae59013a1701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NUB8HZ4Z\probuttersmoothbunwhichireallylovetoeastwithgreattastewhichevennobodyknowwhatsitsisbecause________verycrutebutterbun[1].doc

Filesize
81KB

MD5
3c068c1b622afbe60650f8f8cd85b594

SHA1
29f53dbfcbf23b13ad89bc348657fe31cf648752

SHA256
6ce2f98dabddfa3d155c5cfe4481f152880310786cf9dc83c513c663fd47567c

SHA512
26e5ce24bf6a4c34fe8c0534df4c9fda3cb264ea54acdf29c79d4927d805f09109261ad298fab19fad7da8ee2d14f87b6557ca37213cdc072d74a5ca86b1e364

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD158F.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
362B

MD5
7118cec1b9f58f6f888fdaa8e85e9ce2

SHA1
15c501afb14d2e0a4eb7f50be7f1771804cdb019

SHA256
ac9ac4dcb7e802c84841dae410ded152ec139cbea6916a252758ab1fdb66ad4e

SHA512
b7eca923a075ef8b4da7f8bf45469b2a256f21ce4c2b3b1527064a5d279f5f519cda23c1694c5a6d01c5c43848200b7b677d4faebcb98b15120db6c29c95cd63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
19aa550ce966252d6d941a5a6e2422de

SHA1
e1741f369c4de2536ac3c94eca96a2a986c505de

SHA256
801c761b6733005d9220f3e6b534c51e2a176c8015e3b59dc05ea9d361af1b80

SHA512
5c6ac58c55caa2062669cfbbe9c1bd7883ca5faa593f62f203dff0594befa7ec183bf9650cce27742c37aad248b9355c2191dcba350344a1f4432b214008f39c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
17c89a8e8ce1ca5515c887cefdcd0109

SHA1
65602f4f94d2155c8b3096e2dbafd5def73db63b

SHA256
fe165a52854af278ef7b152da25dd8caf1f942ba4f7571def4089512348dac27

SHA512
e350cef5931c06e74fbb7c70b68bf4e7aa20e41a79029bc69100eb957a13d9f19740fbc16215c69bd4861aabe21f305b6269288884bd8233c963732e0192ff25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
ab9bb9d169072870a5a09038691d47cb

SHA1
c860f8a9c0edc86316e58f14db16eb4a6c11df78

SHA256
a2e2ec147cf87bfab3b218fa2c40b3f7534c1449f8d76da64a3190bf973393e6

SHA512
1ced028cb9d5b2a64c66a38ce3dd8e3778bbfb68a63d8ef1c023d6e50c8069ee74a9d979ad7a86bbae19cb4d0727d3bb5caa58b92598a38deceb0e03994547f9

Download Submit
memory/3312-56-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/3312-13-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/3312-1-0x00007FF99222D000-0x00007FF99222E000-memory.dmp

Filesize
4KB

Download
memory/3312-2-0x00007FF952210000-0x00007FF952220000-memory.dmp

Filesize
64KB

Download
memory/3312-3-0x00007FF952210000-0x00007FF952220000-memory.dmp

Filesize
64KB

Download
memory/3312-5-0x00007FF952210000-0x00007FF952220000-memory.dmp

Filesize
64KB

Download
memory/3312-7-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/3312-10-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/3312-14-0x00007FF950100000-0x00007FF950110000-memory.dmp

Filesize
64KB

Download
memory/3312-11-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/3312-12-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/3312-15-0x00007FF950100000-0x00007FF950110000-memory.dmp

Filesize
64KB

Download
memory/3312-8-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/3312-0-0x00007FF952210000-0x00007FF952220000-memory.dmp

Filesize
64KB

Download
memory/3312-57-0x00007FF99222D000-0x00007FF99222E000-memory.dmp

Filesize
4KB

Download
memory/3312-58-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/3312-9-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/3312-6-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/3312-4-0x00007FF952210000-0x00007FF952220000-memory.dmp

Filesize
64KB

Download
memory/4596-82-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/4596-40-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/4596-39-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/4596-37-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download
memory/4596-33-0x00007FF992190000-0x00007FF992385000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads