33c790e2db3f22fbd80c43a82837b5fb7a0f4a317b25dbab1e984baf95fa82bc

Analysis

max time kernel
136s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33c790e2db3f22fbd80c43a82837b5fb7a0f4a317b25dbab1e984baf95fa82bc.xls
Size

1.0MB
MD5

e78662c0ecb1a705f3f16366cff45409
SHA1

0de40063c9028a33b77d4cb3de06dec0f705059b
SHA256

33c790e2db3f22fbd80c43a82837b5fb7a0f4a317b25dbab1e984baf95fa82bc
SHA512

21a144950245cfeb4c616ab3e15889a04811839d3b0a288193678ee8bf6ba14c2ce81fc67c57d57d4a20e1e3b9ae06f88009437de435ab0380f55689805432c4
SSDEEP

12288:ZmzHJEHAfwu4heD3DERnLRmF8DLPrf1H3dzFuFBAn0aIGZf12e5wyowAkiR9GnOp:4Lw/hebARM8Th3OA5qgq3/pp

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3820	EXCEL.EXE
452	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	452	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3820	EXCEL.EXE
3820	EXCEL.EXE
3820	EXCEL.EXE
3820	EXCEL.EXE
3820	EXCEL.EXE
3820	EXCEL.EXE
3820	EXCEL.EXE
3820	EXCEL.EXE
3820	EXCEL.EXE
3820	EXCEL.EXE
3820	EXCEL.EXE
3820	EXCEL.EXE
452	WINWORD.EXE
452	WINWORD.EXE
452	WINWORD.EXE
452	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 2024	452	WINWORD.EXE	89
PID 452 wrote to memory of 2024	452	WINWORD.EXE	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\33c790e2db3f22fbd80c43a82837b5fb7a0f4a317b25dbab1e984baf95fa82bc.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
adca62d83bfe2fccad58a7035e9cb40c

SHA1
8585b192deaa613bfbaf08138bc8bbfb0cd09da4

SHA256
67026b0a3377b9365d4bcacd1f21b16db8184d256661b7ffab2bf5becf01e343

SHA512
b48a0ce890dfc6049206ac43b2d5c5bea57a733cc4e000ff0524c077b6199b3dc2692b1a8d1c1c5e4fb262e0fb2091fdf03040c627fb2bd9bc3e4c46ae2b6074

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
a4b17e197661cf33821052099fb7914f

SHA1
a72a99e04d965bc8135a7a6c582879df86ea00ee

SHA256
4137283bdcd32cb9414095248706ea49c71199296594f0a034b0fce38960c2a0

SHA512
6c6f3e94d365609ec1ffef923f3772d46c9af4b1595543ec6f74c2c59f09f22119e4ae2b4408edefc6103fa867112f292eceed7a6b9c05a8465cb480f2a03621

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
9fc2f92be2b603f1f24fe9dd2e54cc2c

SHA1
9bc960bcd31935d43c34ab65bc318f4e2342c6e2

SHA256
613a1c1dd13a6b507f2297333da676c110ec9c12208dd8734db9c94d3bf689bf

SHA512
2994d9fedd3f1f084076d72397a48a597728e59f9475a91cb0645a1d371e19ed5efd6b5307bcfbf4eb5a9487b1b6a810d200e91f0306256bfebd96b619ea48e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
2e77da4cd41f50764ee5aedc79f32a24

SHA1
1f7ceb6cdf6ef9cc7a05121ae4cf127f4a014657

SHA256
090dcae446f4b45a39c25de24816d92f99662a72f20d40cb6083a0af47b59262

SHA512
5a36b6aaeb1bd3909c7b2d0b6b245df79c168f94bf83b8e9a01813bfeeb2aa34ccdc0016ab517ac4635393592bbab5fbdce1d2ef418e3464645ffec10e105eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\883F2C6C-F487-4440-914F-A2396512E267

Filesize
172KB

MD5
88d07f3c05f158a5895e56b76d18ac68

SHA1
6a3473383310d8357e3e3584a9d98b1582af442b

SHA256
d9b1b6531d75fbf5d35c7f37d68d9cc58177e5b8d0408579b210ec01bd6b9e3b

SHA512
a1312d60dc71717416db60507e31111015ce2938e08e404a0147f36f26c11f5d1cbab9d5593b90a812da741c9d3e3bdaed286aee9e336ef32b3bf2f73ee8a904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
e26dde9a45ff9dbb65e4ca8c249bbb0b

SHA1
abef4a1eecfa6636cf4c140c63b68842cdd84462

SHA256
4bb575d5948a1b305bcb76f5680daa0f6f8d1b4bef1465a7100c3c656f34141c

SHA512
f390b9e3871365a60c1d244602bcb9bbe032f0f1b42b717a50266b4d607294ba934c705196425759da742d943ee077a0dca7d8523aa8257d69c703cbb3f3eb91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
47995dfaf21fe04a6ac3c162aa5f5039

SHA1
4bebb59d3358ba597b59fe964722296927c31ea3

SHA256
1c16679a14a6c8a56f72b7f2d9d943179d8c124e4bd5c26f8dd44275eb75c1b8

SHA512
a29c7934991e8c8b4e3774404050485ecc79f3ef378fdde3ae4dfab3ae5e18da37e088c27df7d3c3ee6d45aacc1490059c1e27fa88dd4f1ebc783512e0aebad8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
b858d4c6bc241d51d3ea220bde78db22

SHA1
1e89888a8880210b4f6d9aae271f0ac9ea81916b

SHA256
dbcd4a1d90531fc4f12ffa56962a9b5b0611b1c26fdcf15827de36298c955ec4

SHA512
9cc000d028528f71d25c77fd07270e491dfd7c43452bad7934d6af1d24eddbbed3646b7d6baaec97d69f775cffea1d7cc3b17931e05414dd3fd971eaa2c0779a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat[1].doc

Filesize
86KB

MD5
c7b4ec460b896ccd9f368467d06ee44b

SHA1
58d4ed5d5791401f4555d6278a179e5c65563c8a

SHA256
7b33de62dafef125fe428afe47e9a353749a6632d58809ce428b7514886b49b6

SHA512
d82b5ecc391f92e17161ce7b98f62b273f9a51d6c294272aacc1efa1b2d2dc7c8c1095103197d6fe023b21d8b161978c4c6073aed78758649031da99fd687d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDF6DB.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
333B

MD5
2175f92eb370b8be399570dd9623b754

SHA1
a72975ad752d285b631219c38238f21eb513d1fb

SHA256
cdc57e497fabf0d8634abc20172f810896391c8089bcb4ceb8ed3ff3785e7a71

SHA512
b9b9ba03b4ddecb8108a3fbc2f1f721dec83af748da4ebb7d725b504ad7e544943f0f27609b21c49680f0b8ffb70d2cdabde734cd387caf133685db920cacb1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
5e7ec7d346010407b549f7819b4260b1

SHA1
70c6bb3392591c089ec482c36922cd4b6503c445

SHA256
f4051c7d083fa7e31bcacafeef0570903a9b520d2e0203e20d2cf562346c613a

SHA512
ed38983c3d2fe4c2a60a3d23b47b5843de2bde484c0f8d5c2173ae5b86ca65d3f9f0111473eb3c5c8f306cf12d94c54e92dd6895457f87271520522839ba6a39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
3ab0720f774d85b44368111a0436e9fd

SHA1
7c44cd7401ec4c79524b15e14583c0e64c5a91b9

SHA256
83b54e7f1dd25a0487b60074d29fd77c237218579a19b95cb8b8b9d51ff5c82c

SHA512
011d0d1eb34d04cd8153f1448fca27d98dc5608e1f2a99390fb362ced1e101b3fb84dd3b37d41a90732d0469f65d54429bece6d016e93bda92fb8ddd03036861

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
576cfea0b97aa3820ee75383e2308636

SHA1
4a550efecdcbdb50e2aeb5caf1ba76d3a8981d67

SHA256
0cbaa57e461976a51fa78018fbe1a60631c8a8cd3c8ba3639bd7dba4939fc465

SHA512
64ff8085d4302e3bb3c6c75330245c8c2a0f8dfa4c24ad4a82a2074e6e9a3c0b0b4e32fffa969ea119540b4e08388246f9e55131d8b527d08f0fdd136f4d2971

Download Submit
memory/452-44-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/452-86-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/452-42-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/452-43-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/452-39-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/452-40-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/452-47-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/452-45-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/452-46-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-16-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-3-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

Filesize
64KB

Download
memory/3820-14-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-7-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-15-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-17-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-59-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-60-0x00007FF94DA8D000-0x00007FF94DA8E000-memory.dmp

Filesize
4KB

Download
memory/3820-8-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-18-0x00007FF90B350000-0x00007FF90B360000-memory.dmp

Filesize
64KB

Download
memory/3820-0-0x00007FF94DA8D000-0x00007FF94DA8E000-memory.dmp

Filesize
4KB

Download
memory/3820-2-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

Filesize
64KB

Download
memory/3820-19-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-6-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-13-0x00007FF90B350000-0x00007FF90B360000-memory.dmp

Filesize
64KB

Download
memory/3820-10-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-11-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-12-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-9-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/3820-5-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

Filesize
64KB

Download
memory/3820-4-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

Filesize
64KB

Download
memory/3820-1-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads