f30ecca55c1a5c272f1cdf82b8f3dbb18689a689a98fe77d3f50ab249665ab07

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wire_receipt.xls
Size

449KB
MD5

83ee185562ee68924b96e955fae0288c
SHA1

2651e918e6ea1aa228cdf0b4d2bcbda43c491c81
SHA256

f30ecca55c1a5c272f1cdf82b8f3dbb18689a689a98fe77d3f50ab249665ab07
SHA512

fbc1c10cf53926f766259c954d8bafa0ba25fb1df6f81fa268c4dd9935c7fb7564fa2c252f62efba8fb6ef014cc162d5cb4793c29d5b2d9e9f8d48b4907fe3bd
SSDEEP

12288:OnEGJFAYHW6b5wUyAeor7r6DFfWaS3i4cdFIZhp/4:zKh5xeC6DF/S3i4cfIZ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2464	EXCEL.EXE
1044	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	1044	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2464	EXCEL.EXE
2464	EXCEL.EXE
2464	EXCEL.EXE
2464	EXCEL.EXE
2464	EXCEL.EXE
2464	EXCEL.EXE
2464	EXCEL.EXE
2464	EXCEL.EXE
2464	EXCEL.EXE
2464	EXCEL.EXE
2464	EXCEL.EXE
2464	EXCEL.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 912	1044	WINWORD.EXE	94
PID 1044 wrote to memory of 912	1044	WINWORD.EXE	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\wire_receipt.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2464

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
69110a181e6196eab88822a1d7c54fad

SHA1
5200454f3298d903a8dcb531c188a2b12f963239

SHA256
a1acefdaa4f3826d48b629b9b15f8e39edca9d23d96271745679a464d38b1646

SHA512
11ca8a5dc520628849db5702fa9936cdf001cf62da467b737350ed70ce1f70cdd1b8e81367d2687944711ea0b956fbd5051bca9926112024581ddeaf45250e33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
814c0761d2bf9b96e20f4183fbd8586d

SHA1
5d92623569f462e5858306dbf2497ed588687b02

SHA256
dd1fae223c654e89d5ba87c4b8b1d6076bf5e05ed386ae46eed68ef2a5331baa

SHA512
150086b343c2d300f55d4b76c85f1b65cad13cb622409e97f3514ceb040da68ffd971fa5ffedd1dc570a016d578929688582add275bee753fdf13a846446c077

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
dd7d7ddd8c7469845665ad9eb5d8610c

SHA1
77b036126a4f87df593237c2f1339b0a355790d1

SHA256
c181f8d15b36f42bb655e34cdb4d1081018238b874251c066626a09c9bfc045c

SHA512
66faa185c56908af4d1f93c3abd98bcfe899db665f80523f3ed6992569824108d1cbf6dbbf9cc7c9408cee2c2cea2d915a67696d316a671ccd3e793cb83db406

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
18ed0c03d0496a91ab2bad9fba3cfe8d

SHA1
bdbbd227828568b8a0ce4e13218831c16a97a69f

SHA256
a9c738dc573661b8e46bbc3496b3d9b67b76704211e044ddf5bba85418b7bfbc

SHA512
377fcfe5bd3c55ba900d9c007bfc24371bf03025e1b9609892ecc7dd6a9e66169a43ae6ae21df2aabf311c25375ebd3d789e4d3f073c6d9d4575b9f288473f79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C8AE06E4-D06B-4FEC-A191-22B906EC03CC

Filesize
170KB

MD5
d7b33e2c5a7f204acfd45126517a4532

SHA1
2c15ab8e1f6db8599d1cd1ca1834d5afaab5f224

SHA256
f1920212b531dd637d23b52fc711b4141439926db5bdde9f54073c6fceb7071b

SHA512
145f618f491c79b5556e2e8a1e993b84caff03ff366a615fb11102a91c4e51618bb840af440c53d423db70fae6d1f01499526d7f2e37cd9415351a7e5eca3a3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
d384905c031171a40a617f287fd10c77

SHA1
9aee4877e5a44d3f79497e7aa6529faec4e3f0bb

SHA256
da8523daa59763887cc2c8a008205c1a6fa6fef24f28d418c13d511df8eb266a

SHA512
a4dfcfaa96c30f29ab3f162af1eda6cd4998847624d66a922bafc566ba0e5ab79f816bd14d8d55c3d3e0d6f4faf2f0ba3d497ca3847e6c87bc349a7350b1400f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
5c290d1f282ee80706cff6c5deef5cca

SHA1
f840159cc81b936c7cb2c2b19e3302bcde4c43c7

SHA256
a867e37b4e0e768abc1d07e5a20e4c0d2c4e4bdbb99a579693dcb5a6face8815

SHA512
091cb430d498ac59b33036d1d2e601729b35061b1f1c6ad32107dcf4e1ce845ebc8c9ef19f5d0e7ac74ea0c94fe09e1f9839c431d197b6138136314ab8689274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
22cfbdfb0f0f92ef99c8bbb83fd70faf

SHA1
adaa6bb03e0cdd5cf5887f445f3bfa110b07755d

SHA256
6f1b4e74c55c956932381cd31d93b0f2a62b467231b19b82deddb9298f982512

SHA512
fcad6a667f61578f85122ec5f924bc0a1d12ba37f23d0ad3dbe743dde61f948229ef75d39d2f700793cb6e78cc31341f897bc46ca3bd80ae222cbd80292fb71e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\mewithentirethingstogetmebackwithnewthingsreadyforbutterbunsmoothslikeyburnforeatingwithgirlsfriendwho_______yummybuttersmoothbun[1].doc

Filesize
91KB

MD5
28d95412db3a011684784953657efd12

SHA1
0a3734ee93c07b5f7c78766af2af63bb75984856

SHA256
c66193934887bee3b03867ec20b6aa7448d5f38b2d82d122a0cd442676d87866

SHA512
74642d41efa0a87e72086e210645b1aaed04fb8cdb918c38410cbcfa3d618b58eae2b9d04658431ac240fbf70e3ba8ae4abc15501dd146f5e759c3e090cea2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDFE7C.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
398B

MD5
a982a84248f06114cd333971deeb4c7f

SHA1
7822ae1953326cf4e03a20411c261c6aa9278eba

SHA256
b7b652b5dc834872f65f3759fabfae39c74490f9c46030996055b3f5d5a444ea

SHA512
7f1d82a69d443bb3fd55028d29688643d2e65ac4ae2566be5067a741587db92347d5a3cfc5723e0d4aa1831d5a2dabdb8628ac58e6ed420459e3b99607e83efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
97f7d92041dfa85324bd3cdab3b7b07e

SHA1
4a1f58fa7bdf0e4c309e9625f6bf197cfbfaee5a

SHA256
d00b7c0491cee45d94bc10116d15530312d9b2684d41e567412a145c279ea714

SHA512
2f8f8ca223a2686d3394c9a526a73a1d91e11cc7565f23d4eca900f25f1c4c475c1d5be5c3142b044fb2f828716cbf6a7fc6e7918ecd42bda3c4c6c147420ba7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
6cc60fce3983f57c42b89aa69d21afff

SHA1
2eb6e4ca17fca2203ead102a9a1586542664df97

SHA256
0f6c96f31469ec5bd4976b8389a4978a90da0e88d3c37ebe59b6c3ca568008be

SHA512
3ed35a807bed9478e6e1a7b92b1e2d611725e17e5339d5f7c462a2d4816260bc6ae1e3264ecd2ecac98ebfd0fb46a0b973c891c082e0770c03c5fff4231cef31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
55858e1ca257e4cbf5887b7dd6ff8175

SHA1
249245451f13d004cbb24c0f24e18963a2d1c40f

SHA256
6055e11aa26de34b7506882f55bd0adc31bc9eea748d76456f41e9b3cec12545

SHA512
6d7b975441a75fc2af30a6586a8bdc914a442036fb678c77e3961b45838e017e091dcb39e8c19415e608fc9fa99ede3b52957f6a086e7a52eee179ddd95776c4

Download Submit
memory/1044-87-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/1044-37-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/1044-38-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/1044-40-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/2464-11-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/2464-16-0x00007FFD43440000-0x00007FFD43450000-memory.dmp

Filesize
64KB

Download
memory/2464-13-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/2464-15-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/2464-14-0x00007FFD43440000-0x00007FFD43450000-memory.dmp

Filesize
64KB

Download
memory/2464-8-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/2464-9-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/2464-65-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/2464-0-0x00007FFD45AF0000-0x00007FFD45B00000-memory.dmp

Filesize
64KB

Download
memory/2464-12-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/2464-84-0x00007FFD85B0D000-0x00007FFD85B0E000-memory.dmp

Filesize
4KB

Download
memory/2464-85-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/2464-10-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/2464-4-0x00007FFD45AF0000-0x00007FFD45B00000-memory.dmp

Filesize
64KB

Download
memory/2464-7-0x00007FFD45AF0000-0x00007FFD45B00000-memory.dmp

Filesize
64KB

Download
memory/2464-5-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/2464-6-0x00007FFD85A70000-0x00007FFD85C65000-memory.dmp

Filesize
2.0MB

Download
memory/2464-2-0x00007FFD45AF0000-0x00007FFD45B00000-memory.dmp

Filesize
64KB

Download
memory/2464-3-0x00007FFD45AF0000-0x00007FFD45B00000-memory.dmp

Filesize
64KB

Download
memory/2464-1-0x00007FFD85B0D000-0x00007FFD85B0E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads