01ec154a2091a775c04dd9a617e562e81428ebcb997e636ae3f41852dd187d61

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PURCHASEORDER.xls
Size

577KB
MD5

04929b992e5b8a4fa00b6bd53b0961bd
SHA1

3a7500ef879b346f907787872d0448111aafd001
SHA256

01ec154a2091a775c04dd9a617e562e81428ebcb997e636ae3f41852dd187d61
SHA512

f0ebd589f335ffc83d8958496cc6b9a0e67c1ff21265a87e503e2555676bd7067482060d8708a292e57f8e82af4a95bb3a316ca862891c74a645f3bc1dd22a93
SSDEEP

12288:V7aM7RywgyPd6XkvchJb+KrAgku79113DLAk1Wxx6k6gHVI0T4FB:VRtl60vcJBrvd3Dtgsk6dA4F

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4428	EXCEL.EXE
4760	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4760	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4428	EXCEL.EXE
4428	EXCEL.EXE
4428	EXCEL.EXE
4428	EXCEL.EXE
4428	EXCEL.EXE
4428	EXCEL.EXE
4428	EXCEL.EXE
4428	EXCEL.EXE
4428	EXCEL.EXE
4428	EXCEL.EXE
4428	EXCEL.EXE
4428	EXCEL.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 2180	4760	WINWORD.EXE	99
PID 4760 wrote to memory of 2180	4760	WINWORD.EXE	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PURCHASEORDER.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4428

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B7A69FF474CB55CBBEC817CB4508128

Filesize
344B

MD5
25018186f29d9d42ea0c349faf1e92f0

SHA1
5242faf5fc75288c20e2d61f231d38118a8d2399

SHA256
a0e4d9c3b184b90abbd481b490b95574ca7555ec54c1cc396af1cabe59f82547

SHA512
ab02cbbe0f82a6f519ef2d7b29be01103eb4ca8a0e7b6b01e501a207bbca9bdf8b5f6cfd53b91afc864589f1027e722682d0263b0b1c4814ca1c32e20b5e5811

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
6eb8c94f3742856b98d877591d5ee250

SHA1
9627d3dcbc9f58b9d3844a1e84ae40a2673247a7

SHA256
ba51a748cee3578bb2167b1b1c39eec5fabe3f899d10a289ece22b97519eb61a

SHA512
04d0212658d68c8288ae0cde389cc07de4fa9ed535ae6f83e3593407f75e4bce4303ab265a186bc8ba0ced8d0cda1d79da32d67f4c40b2e48435c432fc25acf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
225c3109d0f9f67ad8d6ebbc16c7d394

SHA1
f5eb2d0de1531d558d4d886ebec573a092ac7acd

SHA256
2b71544e9ebf5a4fcac5f4ecd04f9828c9bce0080434176976d6f8e1e27372fe

SHA512
5a0156ce95d03341aae4d21c409a055274093ff733aaa1d2da69b306b42406fc80f9e2de41e0018fd29cc3bbb747256e4e67ae4a3871d858f8ce8c57b1873b78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B7A69FF474CB55CBBEC817CB4508128

Filesize
540B

MD5
4200064f38de4c6f7af92a392c221406

SHA1
0a3ef459fab0ff2ecc747769657f87b59c19e293

SHA256
3f7154acd38f2e509362bfb5116f8993b34f2ac46bc1abf8ab2de1209c19786c

SHA512
119dc66d05718025b1b2197ba99f796d37fef329eee5265b56701340784cd850b5b5940a954e7b865414dac1c515f56e2b1928a95b2b9443f8fb38bc62b4fd3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
1f5176517bcb9e8092d73d788bed8d5e

SHA1
f89fa38215aa13a48e5c35845bbafe0342b3bd7f

SHA256
bafa1d68f03390bb8a319415336f7778ac2ad965edd4a181fcd9acd6bfff56b4

SHA512
7942d03f86a708b759cf2b0173d6f806f866b2a1615755183dab410a6cbc86dcb6dca149c22eda2cfc5eb513dbbf80619e1607ed5c181f7b62d4ff6f893c83d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
8KB

MD5
c444bdaffdf5fab57303d047d480ff1d

SHA1
dd003aaa653c93b9a169b3a27073b3e6a3d71b00

SHA256
a8f1719b4f25c4a5808a8c30281e06d0718101489c6332a9acab40306dd1fd69

SHA512
cab5c23c925da07cc90758924f95a7b66fd44ee1f2c16e687e67c17f178d1c0091d2e929e4df3eccd21036cce0393093774d7bd90a630980497c1bcb13a193c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
42f66107cc220a23c22edb788ec9d6c8

SHA1
193fc9601cbb5209cb355b0a3f029b423700cbaa

SHA256
29d1577c7bb94a1a5c27a0d28c5272a58be4f14b9ef95f82fdd22dc3f5dd9670

SHA512
22632fa9594b8e1f10f7f5ddbe073d3f08e4aa9ee2a1de611dd746dccece348a63280e2389f331762768b2bd1421de2d3c7159fbd6d9df39b1f2169fa108108d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
d5884ca5367cdbed16c583cc6ec168cc

SHA1
01e7d6321377668423289afc092f4bd7a363d9be

SHA256
f866bc0153c907897906f1e330a18ee336b7c2612ca93478d4c9f31caf5f3711

SHA512
cf2e73568d9a6739acfa936247cded06f4559570ab6136e5954794a56b5912a9907830201ee39703f3feeffda3c6663d5b8a749751817a28e4c6f202b16581b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\buttersmoothbetterwalkdesignbutterbunwithchocopygivemesuchagoodvibssheisfullymotivatedwithbutterbunchocomilk______yummymilkwithbutter[1].doc

Filesize
98KB

MD5
757aec08a763530ae66de959b507c59b

SHA1
3a345e0a804937bfa059b290687d4a078b73437d

SHA256
22e0cb84f8762f899a4d5dab8694e55a49e982b13baae1312e06173bee5a9d2c

SHA512
5bd7c7132fc5328d3679bc09d93c49c69e3d65c07b2ee63374c34d88b429af839bd80e44a32df3d9a9292347c575d0681fac641c4d914db6a074ed738c54a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDE8FE.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
228B

MD5
55b0593625fa7485a225749f929f41ea

SHA1
4f6d281c5db0d2d0c9300d8801bd3732b99aa3e8

SHA256
c4475cc3f8e3c3d190df32c80bab71113d6861923b9a4c16627db19632099498

SHA512
a9d94e571138743a4cdc8e67dc0bf7bb38e7e7a6f506bec824a9fa612637cc76a222457b5c456c25ae885e363321a2d0ca45a343833de977b2a2e2f47e7cc9a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CGALKSI789QT7K1MUK26.temp

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
70a51a8ec199bb3111c88face17c2385

SHA1
2e1a0e97d08434b8768c32103ba1ec59d4b1d194

SHA256
8202abc351161d6c3fed71cd6c694ba651e8165dc3d1d3c089f340531676fd1a

SHA512
0bd4eb38190d4dcebac78b806cd559a5c457677ba283e61d661ff84967ebbf4ff8e97b31ba631fd05c42f13d09ed9239387d1b2487dba3d90b25d3fb34c5d771

Download Submit
memory/4428-14-0x00007FF9AEB90000-0x00007FF9AEBA0000-memory.dmp

Filesize
64KB

Download
memory/4428-8-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-19-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-20-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-18-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-7-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-6-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-31-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-1-0x00007FF9F150D000-0x00007FF9F150E000-memory.dmp

Filesize
4KB

Download
memory/4428-3-0x00007FF9B14F0000-0x00007FF9B1500000-memory.dmp

Filesize
64KB

Download
memory/4428-36-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-35-0x00007FF9F150D000-0x00007FF9F150E000-memory.dmp

Filesize
4KB

Download
memory/4428-16-0x00007FF9AEB90000-0x00007FF9AEBA0000-memory.dmp

Filesize
64KB

Download
memory/4428-17-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-2-0x00007FF9B14F0000-0x00007FF9B1500000-memory.dmp

Filesize
64KB

Download
memory/4428-9-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-15-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-0-0x00007FF9B14F0000-0x00007FF9B1500000-memory.dmp

Filesize
64KB

Download
memory/4428-13-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-10-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-11-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-12-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4428-4-0x00007FF9B14F0000-0x00007FF9B1500000-memory.dmp

Filesize
64KB

Download
memory/4428-5-0x00007FF9B14F0000-0x00007FF9B1500000-memory.dmp

Filesize
64KB

Download
memory/4760-66-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4760-34-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download
memory/4760-32-0x00007FF9F1470000-0x00007FF9F1665000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads