e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d.xls
Size

331KB
MD5

88683824dbd986b04614f87932b353e2
SHA1

2337105e97292f73355a9bec6ab557801291958a
SHA256

e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d
SHA512

51085d772bdcb96630a96ab549224b3acf93a60685df0ef33bc844a917e595df99ee6554fbbb28a611b2ea96a63aaf4a666fbeed9a14a987d5645c5f654a5d97
SSDEEP

6144:busFsN2M9GMzJexttr9+nkpJsJV5ehYxH/P1ljNGEMo:Ksg9GDtIkTynxf8Er

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1216	EXCEL.EXE
4972	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4972	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1216	EXCEL.EXE
1216	EXCEL.EXE
1216	EXCEL.EXE
1216	EXCEL.EXE
1216	EXCEL.EXE
1216	EXCEL.EXE
1216	EXCEL.EXE
1216	EXCEL.EXE
1216	EXCEL.EXE
1216	EXCEL.EXE
1216	EXCEL.EXE
1216	EXCEL.EXE
4972	WINWORD.EXE
4972	WINWORD.EXE
4972	WINWORD.EXE
4972	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 3632	4972	WINWORD.EXE	95
PID 4972 wrote to memory of 3632	4972	WINWORD.EXE	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
6eb8c94f3742856b98d877591d5ee250

SHA1
9627d3dcbc9f58b9d3844a1e84ae40a2673247a7

SHA256
ba51a748cee3578bb2167b1b1c39eec5fabe3f899d10a289ece22b97519eb61a

SHA512
04d0212658d68c8288ae0cde389cc07de4fa9ed535ae6f83e3593407f75e4bce4303ab265a186bc8ba0ced8d0cda1d79da32d67f4c40b2e48435c432fc25acf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
f6a33a0e67837371a36726599651277d

SHA1
7fbbec4c421641da37e44eeb49a31ab5286737de

SHA256
880ce09ed9cab8e94978dc29214374474447cd9d1ca551a996683779317d0e33

SHA512
feaa98309953f126c2293b58557969b371776849e03d3edd2b17e1fda1547533f8009af78e711ecc7e7a981a19cd689c9531c5c5ed1468fbaeb0cd4ca1b601a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
b2108ba0fc55cd5b5d1873e9b0955a60

SHA1
d1e8996348057a5841d46480d86157aab43d36b1

SHA256
4cae43d07478fd0c679abff2170096dc6d8dcb487fb1df9e83f9474e385b8c34

SHA512
3d5c56948dc79c7b3b4d19fb8c47e2a1e33c5782720a959753cb284fe6a4a353019266ee30621088d48ad69dc706cb5ca25627b66de113c4ef95bdaa69f830d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
7e67890934b6fd2ca25555ccd0292125

SHA1
5c19134cc475a46916a638c25d2c60577ef603c9

SHA256
24c1ebae245cc265132fa136d3edf4df713f166d7a80c537e1b0b652598e6306

SHA512
86f7734cd78c1936d2c2d868e69fb6e6175ffc1ac890112f0520182e48d62969ac577cee7e5320c4d9d63efb6999ff6d032a7f511a3a73b82f10c28b588a7f6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\32394918-98CD-4B28-B9FF-81618B3A38A7

Filesize
170KB

MD5
7aceab4c91090a0718798f4397dfcd72

SHA1
c91df68eb0698b167da78489b6f6a1b29642c374

SHA256
c59a3175e73cf68bbd3c096aa5bb9bce0889f57c8b9b55d4d6e6484110261ecf

SHA512
e9ddde953d3481996700ec5cbd4f19883b0751eee6d7a626af4ae6d3354154b64c4b8aa6175c5e93d99f69254ea251d1017d81b716e6e9698713c155334d8139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
4ffa9c0cbe79398338072f84a91bd48d

SHA1
a410b7e9728043b590be54dfe17be3872232ec15

SHA256
040a6bcb8678ce56ce271f557a24abc35f7647d45c4f1588a6b3a700a42325cf

SHA512
4f2ebeec93d6b8bab4dc1712a547b9a35f1583286a19f9a3083676e964276369e7fc98632ff611de8fecb3bc445cb4fd6d2e8a398dfb00a47f4048ec92c9cfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
1756314dbeaf0c3a174368db659e063e

SHA1
5cda5ee084e300aec26fe8a89303801ad7e91d9d

SHA256
a488fde549f9b42963764f8eeb20104a95e84279082c1752a713ad5f7115474d

SHA512
d6f262ee711289e09fc7acd7f21f7b84610de64697b69ca628212e6f3776872c92fa72efd11c99545af14db01eddea049dbdd769a7f3bac5a95d7e8acefec9c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
7ed9ac7246c1c8a33d3d2f9583c7c97b

SHA1
9c726ddfaf6489692632e05f07b1eedbf6bc7d5d

SHA256
2081b5f85ba5ab91623768939671d3698fbdd0ab5b522090a6011c2243684158

SHA512
8b3148b4c42bea7ffc86693e44849d83c25def3d5ddbe53034aaa95f6031e1b9e37485688c9f196742bd539ce004f795d7ee2e94f2003c6ea8d64752e0cbaa33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\yummybuttercakeaddedchocolatewithsugarandotherthingswhichmakecakewillbehappyentireprocesshappeneingwithnew___yummybuttercakebun[1].doc

Filesize
88KB

MD5
ce3b08f58d579862f5b03bb1f563f9f9

SHA1
aa9339e51447b2766306991a1b7c489b483da9ea

SHA256
3d7634a57671a2cb7c21f514374d28280fc3708f114ab73e0593ac911111e882

SHA512
327fac685fcd6d53aa7ac2ec854f3b4b7f8f2b7f47632948a931a098ea19607d3dfe58d36dc35024b8da468c82eedb855a2619328b82b81a7835ee72b1197308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDDA81.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
335B

MD5
84b2931311f073f61eb1fa92667c3d47

SHA1
b623c31a6254118fad4a0eba299e8d29349f7bac

SHA256
6e452479a8898e96fc51ff7cf7db6611e3042c157058da567aaba9759d4f34a1

SHA512
e4d106af90e3ef8ea7bd4c4340ace1ffdf5e1392f0476935e4db4b8af9f4e38cd77f1b9e37bff108cb8bb83fee7b26637cb8962bc906bc25959b02cd6d78465a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
4b1a9daf8a80bf87fe9928c44401511b

SHA1
56871f5f9c4bf4d8db5cf8f6014a94359058a9cd

SHA256
39174157a121385435ca7373363bbf4659372c44d4a431a027b591e267b864b4

SHA512
07b38481a91c0f29b930172305c6a02460695d1a9e69bec6673af5e8942a3ca7a8ca53f46fa38e604f3e0af54ee183517dfd86d570d61cb7c000499cd33a33e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
7400ee7a714868f66a1dd1cc1ab704af

SHA1
7b06e4321907c8e25d2f99461367561f363fdfc0

SHA256
98e6c322540145636ecccd006e89781c830dc862211fa89d741ff45c39b4f3ba

SHA512
a0b2d79cc90ffda21c112aa066cb1a780788253234cf7a0afa002cc30a621c67fd6278ea7490926793a81258f81dcd66c5adbb887aedda196f1adfee4c6e5db6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
a64b37dd994ad30c84b016c6d2f02185

SHA1
5da20f1ccc545e4c871b2ec4050b16dec7fd2a2d

SHA256
e12be60e6eaffa90667278765427f03216f38277da386d29d4e1929ab4d63df4

SHA512
26e754cbf5ad079ed1f5a204c2b2c5e5c6afe7517e759c0fc7fd8473825cc2c8effbc1b5cf3326fd9f573f06481c03a4a3f0414589fd37f677925e1c7cad3ae3

Download Submit
memory/1216-10-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-21-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-18-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-17-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-15-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-14-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-1-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/1216-2-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/1216-19-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-3-0x00007FFCC182D000-0x00007FFCC182E000-memory.dmp

Filesize
4KB

Download
memory/1216-5-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/1216-9-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-20-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-16-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-13-0x00007FFC7F7B0000-0x00007FFC7F7C0000-memory.dmp

Filesize
64KB

Download
memory/1216-4-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/1216-0-0x00007FFC81810000-0x00007FFC81820000-memory.dmp

Filesize
64KB

Download
memory/1216-12-0x00007FFC7F7B0000-0x00007FFC7F7C0000-memory.dmp

Filesize
64KB

Download
memory/1216-73-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-11-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-8-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-7-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/1216-6-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4972-47-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4972-97-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4972-96-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4972-50-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4972-48-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4972-45-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download
memory/4972-43-0x00007FFCC1790000-0x00007FFCC1985000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads