60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298.xls
Size

413KB
MD5

5a788468cddd802e6eea249755b4beaf
SHA1

068f53461793d7859d33818369f2b89177767c00
SHA256

60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298
SHA512

a98e146b3725856522476969cef37e9144b36c434a990f60cde7675cdcf17aed430a63b2cc8a908c2a6030b4dbdfcc35c93d07adeaabef76fedcc828b1c3a5e2
SSDEEP

12288:/vGw7AQCRQwutWYRrBP5Eof77zUBoLiw:WwZHXtWiBPay7cBe

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3172	EXCEL.EXE
788	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	788	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3172	EXCEL.EXE
3172	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE
788	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 1620	788	WINWORD.EXE	87
PID 788 wrote to memory of 1620	788	WINWORD.EXE	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3172

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
8c8a295ea02bfa9d84ea2a82fdebf3d5

SHA1
073b74687778ba49889c5d4cb26f78ca6e248fb9

SHA256
e7893cb1a4c8c64f72185467c034051a7bb02b96a56085a28c6283815c63ff21

SHA512
59679d72415c9057b9971d843c8719fd9e3925673a180d9f5eb1c9e919e58fa0599dcec27f9452df0340a5511772bbab1ff48892729888ab464cdaaabba55b49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
7de5bc0e48fc47a4239fadabb9e0480f

SHA1
f82b9968befe86e5940077037871bda819ed4e62

SHA256
459873dfaa54f7e11d71795f88eea782559b14c0c6db4959e3e4a6644e7d9d5f

SHA512
f39b6963800c44b5e578a94e2701f81b46cb116374641747914ee19b72a576164430edb9205af5c6b96be0c0661781f107315f6b34e495b3224dc224926fafad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
9872c463ec884a9742fb05bfc50a1e13

SHA1
74d9f901c5292349453071880e055929ab339ad7

SHA256
d532359d6999ae8fb022a54311e8f154017e0cc74d5e69a71e077f1d5cecb259

SHA512
16446a914886e6916462ea2a1e391d16e387644b7cc33707161b3d83006bec827c04a919661bce3e65e82f165541adf29edfe998315cd7437185b741816cfde1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
8ab7e643cdb1b8d7f13c58365286bc70

SHA1
b7b0376edd1de596edf6beaafdaee149c002b3ee

SHA256
83d6a4fa537e9c457c204afce0b7239c6fb240e22031056634c35c87ea1c3d6e

SHA512
b2b3fe82f69a5c137e0541ca15c98cf7b0c7a1c3e4c335f3ad1dbe18b94461b30c74916e564683d334b54da49aa8efb19f2a3b418767ae0fbd327de35a72d56a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1B3A9C63-651F-41EB-90AA-7C96870E7DAF

Filesize
171KB

MD5
a00bc5b809ce813962d9715ca343fc7d

SHA1
7457d720346e941f1ecbf658f44a250c5397aba8

SHA256
f9f3a4a8764953264a2b54302cb5921e197fd9752445be2b083c55688b07434a

SHA512
1ac16419acc9e1ad60cef0d4d169a9edc57ad95d0537cb507061b19c160a0e0f44e5090d5ca5e47fea625a69f9ee47c6ba335949ea8b152ab94c1b5c3fa284c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
1c66cc7fa7ca327519825aa78ae9789c

SHA1
e80e32dcea2298098603d749f957b353b79e3315

SHA256
f7fc7620be1cf714e2d17bbac2be6900e27907b5a6ddb3d36a15bff8700ae5fa

SHA512
292a4a0f9bd1e16d1a24bf2aebd9f0149116c80ac29aef4557b2b57febe21d59214a0db4fbe61d3fdbe344c4c791ed9f0d0b55cecec411c2206beca45f8ed98f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
675eff343956968c5282f19867d4068f

SHA1
eef47fb2b1592cbc38a8596a31b1ae9def262fa2

SHA256
ef12c936d1b095c883d4a313d30389558e007f95c683cb3c974e9d2bd908d10c

SHA512
60ece1ec01f90ba8fc75357aedbaef833e43a16ee8b8d9569980fa70803cf452bde8eb4f454978f23a9b497f95c1499ff22f9c07073fd1ac9307d47fc45179b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
02b51966b39aa042e5648dac03a0a75b

SHA1
caf274018759a8d8a31579e143e0448ab6d6f86b

SHA256
2930c93f971c3fbac2a14ee44d809915871f3929a2da29637d50c65012df7799

SHA512
2645f37618214ebd7507e9885d1551c898edeeabd46b725a63fcff3cbd46d2109025d33764e146d3532dd07c9c8e5e67c5891562ff289811412c00cc680a8624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\niceworkingskillmadeeveryonehappywithentirethingsgoforgoodwhichalwaysmadegreatthingseersheisveryfinegirlwhoreallynice____sheisbeautiy[1].doc

Filesize
101KB

MD5
7a9a05109dd848058fd327bc38459a3d

SHA1
a086488bd204ca42e9d522b769b94c9467ad5520

SHA256
9f00a5fc9bdc5206d34d60f39e9872df590b4b71685afb0996e2d46e2b5a97d2

SHA512
8dde56f67785f7594f1e4fe2a3b05519333daa980bae0fd84ffa34671d1d1f7507af6d04dba4909d3195db536ae2fd2782a6f45f5eb7f0df5015ca4b88e0925d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDD10D.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
362B

MD5
fbcbc7889be6c5b13ecd2e3a521375bb

SHA1
c89fbdfe5c304e373a7a00b80c45e9db67873117

SHA256
92b56793410011c34a9ffbad48c9fbd692fde50b9096a0b9f5a5da4b813ce4e5

SHA512
23a0fc17435fe2c9d5014b6b699bc64e895213fcd08fc6f6ee7af4b4420a1b62ec2d0eae213243e501d9c93a02d7542ffb340f0ee188322216c10dcf89d39c90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
ee4702e03474c7b0d88feb95110e51b2

SHA1
215c98d2fff8ee30a5e4bcff76e4acd34597fbf4

SHA256
0859d65a958a5d1e46f1087693a787cd0ebc982455ef78ea39a798f816b76285

SHA512
e99bc55475457a8c8edceb409755ccfe0b4345d845e24b30e590560a6ecf844f3ccef39cec4c8b71823e55c1e78fcd2a966940807ec830f55a1a57e706270faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
925525e39ee5dcf8a03ded7c8eaa993b

SHA1
2a768df22d43cec6a333b25beacf222b18908ebc

SHA256
764cb940fcc74af4d5fd212b7637f8c4b712e98d29e304880921382f73ad3a7f

SHA512
50c8f46e8699ce41dda576f742a25a906779d2ffc31fbca0044664f97130687619dff204bb29677c7f16d351952b1e36139e35c09e14127d29e05873aa7e36c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
7127af6e6b42e0a9199d85e01c7d9d0c

SHA1
641f796ce4770fca27f636d22979c51dae52cd10

SHA256
6521edc40b2dc7f2b4d2e5a8732e7d1835ff33c07becf398cad296f76841b884

SHA512
37486c17728f19ef2167845ddbd9581596883b7b4c84eae032033da18b4fc2af58dba6aa522dbca85980f46d8a978ab9c6eac8404074f840026ee3118f792f9b

Download Submit
memory/788-44-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/788-43-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/788-97-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/788-46-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/788-47-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/788-48-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-16-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-72-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-0-0x00007FFA59B70000-0x00007FFA59B80000-memory.dmp

Filesize
64KB

Download
memory/3172-14-0x00007FFA57260000-0x00007FFA57270000-memory.dmp

Filesize
64KB

Download
memory/3172-17-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-20-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-19-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-18-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-15-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-22-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-13-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-7-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-12-0x00007FFA57260000-0x00007FFA57270000-memory.dmp

Filesize
64KB

Download
memory/3172-6-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-8-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-9-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-91-0x00007FFA99B8D000-0x00007FFA99B8E000-memory.dmp

Filesize
4KB

Download
memory/3172-92-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-11-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-21-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-10-0x00007FFA99AF0000-0x00007FFA99CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3172-1-0x00007FFA99B8D000-0x00007FFA99B8E000-memory.dmp

Filesize
4KB

Download
memory/3172-2-0x00007FFA59B70000-0x00007FFA59B80000-memory.dmp

Filesize
64KB

Download
memory/3172-3-0x00007FFA59B70000-0x00007FFA59B80000-memory.dmp

Filesize
64KB

Download
memory/3172-5-0x00007FFA59B70000-0x00007FFA59B80000-memory.dmp

Filesize
64KB

Download
memory/3172-4-0x00007FFA59B70000-0x00007FFA59B80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads