f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486.xls
Size

331KB
MD5

eaaed9cc781e682ac037d2a2450f198c
SHA1

8599710edfe04be096d1a500bb0f8a3b9ec1fb63
SHA256

f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486
SHA512

3c1f51b80d9d71bd2d4adafdaa1f35826d165c956223176aa688b50f46917b68a9cfc00f82dc104e2e7f03279c69cdfb2fd63e4641c5b0f56eefea10ae44e22a
SSDEEP

6144:pMSay9xbU9HIVb5ovxa9hTtGqy1seDWPBmCCGlEOivAolN/jsysdw7JfyToBmo0w:+Say3+fxSt/n66QCCGOOivANfK6TgmA

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3860	EXCEL.EXE
3344	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3344	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3344	WINWORD.EXE
3344	WINWORD.EXE
3344	WINWORD.EXE
3344	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 4080	3344	WINWORD.EXE	94
PID 3344 wrote to memory of 4080	3344	WINWORD.EXE	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3860

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
e976fc9a93c97a403703a4f20b6638f1

SHA1
2e267d636364a7df4a4f85ee8854a69465d27e73

SHA256
c4b1cb9afd0887326f9743a1ec64a9b33abb8905bc27e31a4d65e9755b2fd922

SHA512
dd1a409126b6eef4d04f89765f34b24c46b7880c41e438aca7da66704fc2c2386d5b61b5b41c15f66451d6c2bf11e6304bb6e9ee442f3fb934fe6c419720ba08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
a377addfde8e059e37fd4a5aa797f34a

SHA1
f60c422900f5ec98d4b4ce2dd219cc66992c7d2d

SHA256
b2f1ad68c41338ff26ce4e6fa2c2188036936fd44dca4386db9c20f8e0c6e325

SHA512
32d15c4cfbfea6191a22d0ce3fb5aaf24ac87ba80c39aea7ea2791ab290b0816bd53df96aee444ee7aa350e0d87977ff2b8826bd21a3cfe0cb84bc76a120a466

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
3e8c5651213872d1ff3cc996e4d7a297

SHA1
a94b99b9ab0e243329d0dfb9a644d30c4b3fa744

SHA256
e5c603251b29adcf220c754eb000c23c15ee2d6bfa9562d3892095c6ac172f51

SHA512
6c31fc7972b7a67594947cc26b1c3b3e16ccaeed8714afefa029eca52b78e2f16e8be54b47734d2c582c5d32345112fc09b9ff3702bf214d93a2ece457a3a528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
a07b854f44202807c64119f4b9443f1b

SHA1
7ee46df551786821d69d5739f2d166d129aad1f0

SHA256
d0182b048523b2b57b83d55cc2bde6f58d5e951dacdbe51f0cb8f2bbebac7a34

SHA512
2ef9b91a2b55a1c53598d42390350d32c426428db18aed6756a6e6b531c3c92fb57cab0d986dfccfdd4030094bfa357fbf006cdad7cf868c917826cf7b6e6af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\89034C27-AA9B-4B4B-847D-BDAD6552C5A0

Filesize
170KB

MD5
2a447477d6c180d91c125e725cf24344

SHA1
8a7faa74dd57eab31773e847ed3f696e4e28ccae

SHA256
b7e0302ed3d261bfb85ad95c1da2ac6a5589ab640e3636d86082acc3e23a9f4e

SHA512
d7b48a6e9f4136132d8b12dd291d2f4b88a4547e8bd138b6dbe494a78ffd8b426bae0b8368d8f66934678ca533d85009714976bdea8a6f06356bb4b4f0391193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
5d17887488dd54905337bf9cc610dbb1

SHA1
b1e2af9bc1da3ed0975d834f05042b9171d80a4c

SHA256
1591b6ece1fab8efc8bf74ee4b8d1e0ccb2f13c4ebefcbbeda11db538d8d2d82

SHA512
303e1d3c6695798cb2229e13809dd62c5f0c66a1cfe5c324f977793c18d6316acbaedc183602f051e78d3f7ff037bea8585bf52a579d79e82be025364d67cac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
dcd496d48951b96093ee1b4fca50a67c

SHA1
1be4fd1fa0442670ac5ed43b359517dcdef33491

SHA256
9ebb3813058a3939351ee8621b559c51757fc9658a27f4e1cfcf680deb0db05c

SHA512
925ddb3a15424c97a389a10b2ff38ca1544bd156c5e8c478e6dd643042eb5a05e859b1518612cbafbcbb6d96c69561e00f79bb828a38bbe49000ddd1d0cfeb83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
e9e7a0aad3e30e0b3e7d083a2efe53e7

SHA1
23fb32fec70222bc5bdaadcd2444164dca85fb1c

SHA256
eae979a726234ae0c3ac5332c287903aa5e1bd35d81eeb40e22697293dfb01c8

SHA512
72fa3657957bbc2f9d44fc33349d9c40026fa4196ecf10adbfe0adbb61ed7151e5c0d0d189c28a1ed6de5857352e68e26d87992cccd89afc376ff88263ba9a51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\weneedbuttersmoothbunwhichreallyniceandyummywithbutterbunwhichnotknowwhyshecantunderstandbuttersmoothbutterbun____chocolatebunyummyhere[1].doc

Filesize
80KB

MD5
03c634f3b71f5dcfca4f2016482bf5f2

SHA1
b559111214ecd6318c86acc86836fbc96ac7ebf6

SHA256
6e2b7a094b6dc5bcf9880332f39b6dd6eefd711d6835bb289493cae6896c26b9

SHA512
91492321ef3cd9ea631bfaa7817d4602faae07a89a9f30c0ae99e9d017c941919c365c33e226d8d0081d17b8053b2850ba086ce39bc94137c91dc7d21e48bc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDBCA1.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
235B

MD5
73e362506c49a8ddf2ac0ce722ec59f8

SHA1
69d0c4ea06e56f4b703176eeba9629826098147a

SHA256
1232cefdf0dc25c8723cce7b6548f80deac681626c09e5b376c05a1a7e7aff27

SHA512
edadb5278846c19b675d1326544262f2edc009df03a8271b6608bd3a3037c57c3a79d5bd6a488fd1238e57ecd3f72ed7bb4cb4e2bb1e7bb950736a05d27ae54c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
139cdb3b2b75f4db0795c7726e3d174e

SHA1
f4b283f51d8c93ae64ec5afa95858911de7280f7

SHA256
e25eb4921b2f7e9e030a90a4ca9e42256aab017abaf12113d9f00ac4536f3b9a

SHA512
d366b72b729395559b64cb6443fb73bd1158c4f4ad848e778b36f40da731f09b277586c080af8d68343081875972612670bc5ebeb9c2624955acdfdce4c0533b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
21bc5cb528aaf09d30a964e1f5337379

SHA1
58bc5c7c8b7ec0587dbab7f8697894abf5d444a6

SHA256
aead4e4f66d5b0156961802e3e55e654a28903618675b860538c0dc6eef35f94

SHA512
b28ac66100c1b211eefa828481ce11c3536c46fc9facb2efa217e181fb29989b7d790542a729c1df249511adcabc525c17a9c5fd6bb6ac8ffaac67e9601395a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
669B

MD5
68e18a3d36644db86ea97d1077297678

SHA1
90beb924119e9dc4e6261907a4271331fb234b77

SHA256
f1237e72919e950826bdef9db2f0a806dc6b3d0e8c9dfec2e6d6a4bd28b98219

SHA512
e2d9ec23c7fe9467f897b1977de2fad3ff17cbdc1fc50f68420d0475ac88e9566e45ee520a4bf1068660c57be7892218f064d43a3908d9ba16eb8056935fa1a9

Download Submit
memory/3344-39-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3344-46-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3344-96-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3344-44-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3344-45-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3344-47-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-12-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-72-0x00007FFE0968D000-0x00007FFE0968E000-memory.dmp

Filesize
4KB

Download
memory/3860-13-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-14-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-15-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-21-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-20-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-16-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-17-0x00007FFDC7020000-0x00007FFDC7030000-memory.dmp

Filesize
64KB

Download
memory/3860-19-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-7-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-11-0x00007FFDC7020000-0x00007FFDC7030000-memory.dmp

Filesize
64KB

Download
memory/3860-71-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-1-0x00007FFE0968D000-0x00007FFE0968E000-memory.dmp

Filesize
4KB

Download
memory/3860-73-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-10-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-9-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-8-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-18-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-6-0x00007FFE095F0000-0x00007FFE097E5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-4-0x00007FFDC9670000-0x00007FFDC9680000-memory.dmp

Filesize
64KB

Download
memory/3860-5-0x00007FFDC9670000-0x00007FFDC9680000-memory.dmp

Filesize
64KB

Download
memory/3860-3-0x00007FFDC9670000-0x00007FFDC9680000-memory.dmp

Filesize
64KB

Download
memory/3860-2-0x00007FFDC9670000-0x00007FFDC9680000-memory.dmp

Filesize
64KB

Download
memory/3860-0-0x00007FFDC9670000-0x00007FFDC9680000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads