60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Slip.xls
Size

413KB
MD5

5a788468cddd802e6eea249755b4beaf
SHA1

068f53461793d7859d33818369f2b89177767c00
SHA256

60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298
SHA512

a98e146b3725856522476969cef37e9144b36c434a990f60cde7675cdcf17aed430a63b2cc8a908c2a6030b4dbdfcc35c93d07adeaabef76fedcc828b1c3a5e2
SSDEEP

12288:/vGw7AQCRQwutWYRrBP5Eof77zUBoLiw:WwZHXtWiBPay7cBe

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4212	EXCEL.EXE
2120	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	2120	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
4212	EXCEL.EXE
2120	WINWORD.EXE
2120	WINWORD.EXE
2120	WINWORD.EXE
2120	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1668	2120	WINWORD.EXE	89
PID 2120 wrote to memory of 1668	2120	WINWORD.EXE	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Payment Slip.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
d11a564f92ffe2d43c35ec2946a29546

SHA1
0779c8baa0e1bdf76424db75a71e52cbf22db2fc

SHA256
d156b4c63f6fdad0ba2b7f1b71b21764f1cb12f67cc3617a5b541e71af572f86

SHA512
14b288fda8320c3938559518b7a7708d1b0fa7fe70cbd3b41977b4bae945ae744cf6cc8685cbf8ec574941b2d5ea3a4fc236afb84f19705dc6650d1e80b12939

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
05cb703515e438e4fc5fcc62277dcb39

SHA1
a350c807c6d2a7c8fc3c1236dd777853ab6cb964

SHA256
817ffa23fe80fc7f65d818f80168a4f720bfadcb4fac26c7064235cc299191fa

SHA512
9c7e7610479134cb6a2cccc35776bb1447b13e4defbeed69ff29710e19b37cf9a74a4fe302ffccbdd6de682729f84b149060fe8129e56333a3ee682ca9df1113

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
b49d359c8120c7977c97491c3dda415a

SHA1
cec9cf8e7f53b58666e0a070637c005ef8b268e3

SHA256
4ce40c4d8fa5d5cf96cb20de3e609c04f5eb1b04be894ffab47bfebabcd5349d

SHA512
0c85922be9190be3824fadd6ba1d00232ef22846a5c806705320a934bd74a6a829a50d0b504026b30666a12d6a7171068bceee3c73cb8d5579d08119bb5964b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
38bff8063963cb56297901fcad5f08bf

SHA1
b9567c8d293fff44e5c237734488b5dd68fc93f0

SHA256
2326791ffb7075dad7267b0246eea68c5f5b981c32378e47d54c437cf292d0af

SHA512
5304121538c64f9583a7a4ed9bbf676011be9e119c88c7c776048718eb3ff8a6fcb94ef3704e5ec89d1e5a147a1b54fe1d65b83ff3fe34acc39babbd83a7c76e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9F9F5D71-5DF6-49B2-9576-73FFF60AF929

Filesize
171KB

MD5
52395b81026e0d48b95520c24ac7bf83

SHA1
ffc59eabe4e11459dd1d56f0a27197573c9be720

SHA256
bcdba7899242b384eeae50d7fb220121c4073081a4397af3c04063d34db58803

SHA512
2e92565a6f0b63a8950c2c6a19fa7626bebab421341876a6c09dd07f8748121af95ba5b9bcac4435e3591d539a3ba96d1637f2f02bf48de51f7eb8ae180dfa12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
e3d5c65d46ba28694d0dcf643cc803da

SHA1
2c5fc88994b4c8b6ef2ad2bdf79adcc69c2324bd

SHA256
848c433a93615aec3826d2f8a04c9f167aa8ca8627ec84ffa54bc7c3917cbe52

SHA512
e758cfa1e1e34549c60cca1a4d8084d980fd802f685a8fed557e8f4a857ce60c2d216fe9ff8ffb775a59804486ed441c0c08dff850c1b7afa37f020c585ec806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
3049331cc1300d957f09de8969694dd8

SHA1
6b7ef43b631c5589e4ab4dae35ebe27a73a323db

SHA256
47aeb4a8d38be38561b69c832520b77584660e1aecb465e98ed0c15bef576064

SHA512
c1990b08b2198aeb1e3c41624fd3e3d6f346774afa476f63855c07c2370028b9af17449a40fd5ddb6412a8cb5d2a387da6fb58e0e07eb16cd22b3df8e2424fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
2369529891a487635ea3e8ff3dba7765

SHA1
f75b6f8cfc17617f1218beed96d6bc62cc426f9b

SHA256
a8d75aec1f8f726e3f9da4106869139201b331b29c981f7b7ed23cc06b65a738

SHA512
1a74f477a4a1c50409b8cb802ede7859153d7fc24e3edc17b9a2dfa45745195c4c3dab18d4b4aba90e93c696854c52154f639725110ee10312ef5791511b6d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\niceworkingskillmadeeveryonehappywithentirethingsgoforgoodwhichalwaysmadegreatthingseersheisveryfinegirlwhoreallynice____sheisbeautiy[1].doc

Filesize
101KB

MD5
7a9a05109dd848058fd327bc38459a3d

SHA1
a086488bd204ca42e9d522b769b94c9467ad5520

SHA256
9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2

SHA512
8dde56f67785f7594f1e4fe2a3b05519333daa980bae0fd84ffa34671d1d1f7507af6d04dba4909d3195db536ae2fd2782a6f45f5eb7f0df5015ca4b88e0925d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDF6F8.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
346B

MD5
ee07dbc59b0aa3fd9ea980527a989823

SHA1
5c316c87b6b0fcc1ccf38bc27071cf7bbced8c54

SHA256
5253966689be69b0e09db5f96418faac2cbb7d724d7faa6a4dce367af3a62f5f

SHA512
5e80e4915b2ed47957efc54c135384082b22066a406860d8429713052119829b23c5f6eeae2e222fce1f3aa677979acdd903e494cd4b7e58d5d1d507cec64e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
76ee452dfcece39f694926f4469291d0

SHA1
12f99279551212df9873a8dd31b7437a55d3b85f

SHA256
089129a602c46669d85031ab03686ee45e4c112ce9fe102b7f2a380741b071ff

SHA512
38d745df599fa94103c6d692482e9cf0f0bf2b7734d1830ed751a12cc5bb45f1f6255e2a632055db38b4d8b7a2e63cf6d94f6862cdd32da8e964a234a87a6e86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
c1ffe3ca748790773e855d0eebf521c5

SHA1
c0c9b25e5cf1ba4e93d2b4a3fc9ebc3b3338d5df

SHA256
d4cd480af34151b1e72fcf489194c41dcaab67e02f673d06feafae79ed612084

SHA512
ccee307cd32cd5f0dad6d68c0c65d23941e5e47a6afb155820c07f001d63832b9c8bd8db0df29ed5277e9c24979ff2abceb74b0ad9d282f1c82eae55858c75e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
f7e88915416574a4fc5fb7a32d655f3f

SHA1
32678fa2a0cb689b4af3508bcb071dc84713f597

SHA256
a9836647892fc1f03630030a4e1edbf8b09c961fac6abebb18f1c95f0e7bbaf0

SHA512
eeebf607db757f05c03471d21808261e3fb0dd0074058b66dd3d6c24dcab3d0e8574449b881357180ad2eebc75ab536e12d45e2d12330fff57ba94030329a739

Download Submit
memory/2120-45-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/2120-48-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/2120-99-0x000001C91A8A0000-0x000001C91A98F000-memory.dmp

Filesize
956KB

Download
memory/2120-96-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/2120-46-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/2120-47-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/2120-49-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/2120-44-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-16-0x00007FFE6BCF0000-0x00007FFE6BD00000-memory.dmp

Filesize
64KB

Download
memory/4212-13-0x00007FFE6BCF0000-0x00007FFE6BD00000-memory.dmp

Filesize
64KB

Download
memory/4212-6-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-7-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-18-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-21-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-17-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-20-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-14-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-15-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-8-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-2-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/4212-10-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-11-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-91-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-12-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-19-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-9-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-5-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/4212-22-0x00007FFEADE30000-0x00007FFEAE025000-memory.dmp

Filesize
2.0MB

Download
memory/4212-4-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/4212-1-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download
memory/4212-3-0x00007FFEADECD000-0x00007FFEADECE000-memory.dmp

Filesize
4KB

Download
memory/4212-0-0x00007FFE6DEB0000-0x00007FFE6DEC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads