33c790e2db3f22fbd80c43a82837b5fb7a0f4a317b25dbab1e984baf95fa82bc

Analysis

max time kernel
136s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO-00006799868.xls
Size

1.0MB
MD5

e78662c0ecb1a705f3f16366cff45409
SHA1

0de40063c9028a33b77d4cb3de06dec0f705059b
SHA256

33c790e2db3f22fbd80c43a82837b5fb7a0f4a317b25dbab1e984baf95fa82bc
SHA512

21a144950245cfeb4c616ab3e15889a04811839d3b0a288193678ee8bf6ba14c2ce81fc67c57d57d4a20e1e3b9ae06f88009437de435ab0380f55689805432c4
SSDEEP

12288:ZmzHJEHAfwu4heD3DERnLRmF8DLPrf1H3dzFuFBAn0aIGZf12e5wyowAkiR9GnOp:4Lw/hebARM8Th3OA5qgq3/pp

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4132	EXCEL.EXE
2536	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	2536	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4132	EXCEL.EXE
4132	EXCEL.EXE
4132	EXCEL.EXE
4132	EXCEL.EXE
4132	EXCEL.EXE
4132	EXCEL.EXE
4132	EXCEL.EXE
4132	EXCEL.EXE
4132	EXCEL.EXE
4132	EXCEL.EXE
4132	EXCEL.EXE
4132	EXCEL.EXE
2536	WINWORD.EXE
2536	WINWORD.EXE
2536	WINWORD.EXE
2536	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 3424	2536	WINWORD.EXE	90
PID 2536 wrote to memory of 3424	2536	WINWORD.EXE	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-00006799868.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4132

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
3ce11da21a1cf4d495bd3c4f237ded2d

SHA1
dc6697488c80b15a63d3204954061370aa1ef7d7

SHA256
fab3cdbf0365153779abbae60d958a9766000cb85711d59441230518e5720905

SHA512
29eabf0cb1055d15b70fd17ba8c733afa55121b6174e8645e1f38f3f4967d86aac89295efabcc84799440c8c3ca9667bb16442e832e56dc84e69e5b0ae44266f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
4ccc1ba38111816028074ab618450502

SHA1
e96991f0f532134b854f5607dee10b3b72d9ff68

SHA256
a260231086f5bb4c944dce354485f691bceeac06f87efc72054f193080611061

SHA512
fff98130604155673b0edac789b984b1fc61bf9fb8036e46b6750cace6df1ff51e48de083c21d02899e6a40a0579c7cc9d3e3d1c54e0b14d770cda17b7f6ec29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A7638FEF-1A93-4BFB-A94A-F83E0381B191

Filesize
172KB

MD5
be2bafb4fb2633a2653c12e9dd3eb044

SHA1
cb25b97789acf12533f7a7104d9b090eb0609bbf

SHA256
2846c4012ce9c20dfe13786e5151d8cec6b0af271d54df86ca5bd7f909868051

SHA512
685e2baa067783de762d78d5a75d305a1c777196ad66b179e626bc6b5282ab577306d7d6b1ce406c9608df86fd8696390289070406dea0215d1ec0ed06cd4ccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
0e259a3852ec62d8566e24716799c8b3

SHA1
054b5bbddb3d2b6e17ae64926c7d5e3877400412

SHA256
d13233082b165fdf8e29aac773e72372c95eb60966830c0fb0aeab197fa9fe5d

SHA512
7476e268fe9642d63e93577179b834f0d6ed4599729c714fea4370d4dc98325c03285524a73e16ae899a8855231103da7334fba65cc4793edb272330372dd8ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
c62561ad835c24492f8655f851073eb1

SHA1
e9460fa683399a249dddec88ca8059c3a5c97316

SHA256
900278b96b71c68b6675188904f300cff6cae0c9c2f24740ca83c0fd31f6bd51

SHA512
aaada33432cb94f673c9287dadcae01494f69d8d0cb1224d2852adbde5731a313ae1b9152559da16305c95afabdade9355eebddf1b6f78af98c630a25521c829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
7487b263c2725b66f9ca9ee917ecd20a

SHA1
e68d51f93e3d2dc6f3c45ed257eb35ee119601c6

SHA256
32f119fc0f7eaf2b543204b5ec2f65531b5581ec2601174c7055a9a4fa20ccc3

SHA512
028b1d64173dc52aaa45f525e079a273a7d0a22c615d1347c5b9664f6a3b05f9f9c6a4d57979d00bc7b7c561d535ea05cc74c5301295e5474947d5330f7de872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat[1].doc

Filesize
86KB

MD5
c7b4ec460b896ccd9f368467d06ee44b

SHA1
58d4ed5d5791401f4555d6278a179e5c65563c8a

SHA256
7b33de62dafef125fe428afe47e9a353749a6632d58809ce428b7514886b49b6

SHA512
d82b5ecc391f92e17161ce7b98f62b273f9a51d6c294272aacc1efa1b2d2dc7c8c1095103197d6fe023b21d8b161978c4c6073aed78758649031da99fd687d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDD4E4.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
250B

MD5
fbc58b5602bf94bf0bc06ac79a944b19

SHA1
3561aad15f3d43f4b575a165e4c9ce70384b13b7

SHA256
58c7154cf920a3831bf122704b4f78dd9e0657d0af3396a1f80c04a60a45568a

SHA512
9989ab62b370eb3afd8903b4c7f42c7703d9783724b0f56071a6214e233c468ead6ee24b1457327ba158678bcfc63e727bcfae7f9b304e86b0b03ef8279a337a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
e58a98a2411092090ec0aa1234fee85e

SHA1
cae13005b4a5128925b71dca00e7db8473504407

SHA256
13aa5143dd0415e9a3b4c37b295a6db7862fbfef5e081addafd48b4c856056ec

SHA512
84b716dbb89feed8b2774c6d49c886c89310efd5a5d121dc934ad9ac9316e08cb244618be4efe1c5ba1d3cf1debcab8c2997dad756ab875e264bae167db1bf28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
680B

MD5
c2caec38006d3749773eaecea8cf800c

SHA1
b5b30e50e3ef25ee3f61ed4abfbef02858dfcdae

SHA256
42d4bfbba3186890cc49d9150192fbd3b32b5bd8932c9af72c890b6ca6ed1555

SHA512
68574bd0c9babcb90ecc9818fa6e9a36b0064c66a367c8193912f051328e5bc751aa8c8a16d933615efbceb0b33ae471e5c455de648db3b9c91ec056eae1352e

Download Submit
memory/2536-42-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-37-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-92-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-44-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-45-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/2536-41-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-13-0x00007FFA3A3E0000-0x00007FFA3A3F0000-memory.dmp

Filesize
64KB

Download
memory/4132-5-0x00007FFA3C650000-0x00007FFA3C660000-memory.dmp

Filesize
64KB

Download
memory/4132-20-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-1-0x00007FFA3C650000-0x00007FFA3C660000-memory.dmp

Filesize
64KB

Download
memory/4132-14-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-15-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-16-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-10-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-11-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-18-0x00007FFA3A3E0000-0x00007FFA3A3F0000-memory.dmp

Filesize
64KB

Download
memory/4132-12-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-8-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-9-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-19-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-7-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-6-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-87-0x00007FFA7C66D000-0x00007FFA7C66E000-memory.dmp

Filesize
4KB

Download
memory/4132-88-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-4-0x00007FFA3C650000-0x00007FFA3C660000-memory.dmp

Filesize
64KB

Download
memory/4132-90-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-91-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-17-0x00007FFA7C5D0000-0x00007FFA7C7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4132-3-0x00007FFA3C650000-0x00007FFA3C660000-memory.dmp

Filesize
64KB

Download
memory/4132-0-0x00007FFA7C66D000-0x00007FFA7C66E000-memory.dmp

Filesize
4KB

Download
memory/4132-2-0x00007FFA3C650000-0x00007FFA3C660000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads