38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/04/2025, 21:24

250401-z8184awycs 10

Analysis

max time kernel
114s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2025, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CVE-2018-15982_PoC.swf
Size

12KB
MD5

82fe94beb621a4368e76aa4a51998c00
SHA1

b7c79b8f05c3d998e21d01b07b9ba157160581a9
SHA256

c61dd1b37cbf2d72e3670e3c8dff28959683e6d85b8507cda25efe1dffc04bdb
SHA512

055677c2194ff132dc3c50ef900a36a0e4b8e5b85d176047fdefdec049aff4d5e2db1ccffefaf65575b4ca41e81fd24beb3c7cfd2fce6275642638d0cf624d27
SSDEEP

192:gR6qPBBRRcrxFx/pHPn9moz7p/+tqHM41rftZDBLj9b5d/:gwqDcLx/pH/IoBiqH/BfbDBLj9b5h

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4004	EXCEL.EXE
4916	EXCEL.EXE
2688	EXCEL.EXE

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
5092	OpenWith.exe
5092	OpenWith.exe
5092	OpenWith.exe
4004	EXCEL.EXE
4004	EXCEL.EXE
4004	EXCEL.EXE
4004	EXCEL.EXE
4004	EXCEL.EXE
4004	EXCEL.EXE
4004	EXCEL.EXE
4004	EXCEL.EXE
4004	EXCEL.EXE
4004	EXCEL.EXE
4004	EXCEL.EXE
4004	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
2688	EXCEL.EXE
2688	EXCEL.EXE
2688	EXCEL.EXE
2688	EXCEL.EXE
2688	EXCEL.EXE
2688	EXCEL.EXE
2688	EXCEL.EXE
2688	EXCEL.EXE
2688	EXCEL.EXE
2688	EXCEL.EXE
2688	EXCEL.EXE
2688	EXCEL.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\CVE-2018-15982_PoC.swf
1⤵
- Modifies registry class
PID:4532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\RegisterJoin.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4004

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UndoImport.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\NewEdit.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
21dbace18c1ec1c068b499d7568a7c55

SHA1
ea36b713aaca431d36a8b2c70cb56a86d8664f83

SHA256
e37b6de87b8743904983d6a54e58184f909652ffb3adbff1176c47fa1c850df5

SHA512
b40c0a0902a78ce622f68966d791cde8cdae347e6440dcc4fb042fa185203a8dec89a9e35cc5945cb9f5f9e9d99bcc463285788e76163d3e3745700f6b01041b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
9a95ed5b2a529c50fe88b569b8f284aa

SHA1
c044d8f9d10e2c82de1691e3afdc8c4b396dc33a

SHA256
c7f84afd4c6295b21d1c954d13d90eea699127a122cf4197d338233d57deb29f

SHA512
3a07b9a8e16826283ca25e80ff736f5b2694619497bff4c2342d333eeb4767b243ccefee47d948babe63634a92d75079c8a1b011d2f8370bc1637b7ef19fd464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C4A605DC-BA47-4B32-AAE5-E7E1F8EFFC1A

Filesize
177KB

MD5
1d37dec5a5a08a366ba1d6b4a0c0637e

SHA1
6db91a676820b5b13a0a0e464afef8dd4945b90d

SHA256
b591fdfccac591c66cf3701adb43733cb8a8d4ceb62c4898f8ed8ca92b486f00

SHA512
514e536db94aa020e0475c880336ce4ccd50a97d334f36455af85472937873c2255539769e412d2f9dc7c25f6934989c34029405fb99cd52a53042c5f2a4722b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
323KB

MD5
f0ae0f46e9371cd56176a95907282623

SHA1
3ff54df89976ec740650c0a929787645baaa9b0f

SHA256
4eff24f92c01822032916c8db336480771e0082632066bc3113c55b0f7f79b9c

SHA512
0f04eef9450d7c5e8142949b6b8fbe57181e2f7f84e5ccc48b8d371569b90a030f2db25c2bc7803f09cf8ae98aa0f01a19e634fb0a87bc47d8b6a16cd400c9c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
15KB

MD5
fdcb7aa1a047d86e48525dab8feddbc5

SHA1
9431ea70fe96bf6e0184a3081af849c2d248af87

SHA256
9bdc2fa4187fd5f392760c8dcf404101eb3070283258a9959974793cfdfaced4

SHA512
832097945d136b0f62750608055f3aa3963d6389a17b8d6a3d61dee309ccd8021507a008f23a90e89fa3ac61152b8b694729e3c4660d59317684e363cf611d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
12KB

MD5
6b518be9ae49b60aca0542f897011568

SHA1
cf1bbad71b712fb7b4cac6b374fd877aed84ce31

SHA256
bfabe84485646ec6e67a063d4ededa53b3b8f4ab6c9dda9dce63861dcf604914

SHA512
fd4c836b647251ab66476d73920bb8a970ec9fac7d512883aa9d6ae38c0ec9f453e45b6b07647c9cf95c9ddc63df5d74ebb084a7144253ed5a46941b5d680959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
33eea2792b9fa42f418d9d609f692007

SHA1
48c3916a14ef2d9609ec4d2887a337b973cf8753

SHA256
8f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb

SHA512
b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
eb14b0d71b7acd4391986c3420f43feb

SHA1
918bb8bab9d6600952a9ec710ee5b74bd5d95d09

SHA256
2f434f1b0529f0cdf637d7539d695327ce1ef2f53a9a160cb6faf10be8e16eb1

SHA512
9760cfd36aaeffc9923a85197a784f04e2d53a8dace59038e46f602f09e2d0decbc00df6259943fd587b5e8e054f4e30374cb2606cca29f0168dee96ec5e3fdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
4c69350d3e63a2b0521a49ed664399a4

SHA1
27988bf5dd1e1aa2551f456ecb3e589eb05a55bc

SHA256
14893b75fc62ab0806ccc589cde37f7124d49029ccc95ef36dfed4d9f684b48e

SHA512
5400de81c9020d8df0cb55ad8b3c9b605a5e6916142c0af71fc200d84eee9dee0683426e54983cef8f610f4d8fa1e7dd315cf611b5920c85a1574b6a98430e14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
368B

MD5
8dde722856ac59ad6b290627148f9045

SHA1
da037b1508ff87ea4a083ff7f3c50cb845242c03

SHA256
95490ba466bacae8b2252f1d3aba46da21651fcb4aabacaca88a61da2488bc8d

SHA512
313aa87b5e27c515b1158757f6d026eef2bea828e8d8e73364cf8f5eeca7997515f3a3b3a4d4f976b56b6759b21d56ec86c2b505883d77deb2440475cde53f0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
373B

MD5
bca746d4015f79c29baea2fc6ac6c527

SHA1
3b0b66bc9f80f4e1c7ada37f0ea45aad286f37e4

SHA256
45e655b90f565ea736962695120127efcb2e34ef3cdd1d24f92ecb6b4344a43b

SHA512
dcb44f52b627e6a3ce09efb4a8c65918eb30a24a1d4d55a78cb1c398111487c9c805a1b16cc7cfa1f56232ecdadfe27371576e3dcb213d6e6dbbeb988bc986f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
374B

MD5
244539945288c5b354fcbe56ec0d21c1

SHA1
d395d929701fad7adf72bfe208f78441fcd82d7c

SHA256
395b2ef489a8c4ec8db3796d3e58c165b8467005ee4125beaef4638e2649353b

SHA512
55afa1468c9b8f6085fdc75130c26a3b081b39f2aefa83f87805c9c9778b8103bbd684b5cdc423bd578f9817d80869ec92289159f5b7c0a17afc4687daf5da5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
99296f93485d758350d80ad65f0550d3

SHA1
046d907cdd6a039fd2c7a4d5c7dcbf0ac2331bfb

SHA256
bc51bdaa33f8dd0c3088155550decb5ed12efb56bba430a7eb95dafe3e5f32d2

SHA512
1aac8f3a48aa38492eb99d9ca0ddb72889aa22445c17117abda100a7a2d986589836f6ca652ffaee0da3b3f064c54abb06ff11a51599b60cbce50b7d1d491ed5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
0c401cd5aa356edabde75cff078d76fe

SHA1
df6f135fb87b214f5c6ba76dd31a3cccdf2096b9

SHA256
e0ec0932a2dfefa0a4c7c1a13049ae0f63d86fbe17ba92b0f60a23ef491be0b6

SHA512
e12e6e7580296d4189519dff9728e33187ef6aee00b3171316a92f4a53c6c471c05d05f914a2b942d2619c29973fb980968d0f9b9ee244d84519b404bb0ed9bf

Download Submit
memory/4004-57-0x00007FFE003D0000-0x00007FFE003E0000-memory.dmp

Filesize
64KB

Download
memory/4004-1-0x00007FFE003D0000-0x00007FFE003E0000-memory.dmp

Filesize
64KB

Download
memory/4004-3-0x00007FFE003D0000-0x00007FFE003E0000-memory.dmp

Filesize
64KB

Download
memory/4004-5-0x00007FFDFE280000-0x00007FFDFE290000-memory.dmp

Filesize
64KB

Download
memory/4004-6-0x00007FFDFE280000-0x00007FFDFE290000-memory.dmp

Filesize
64KB

Download
memory/4004-0-0x00007FFE003D0000-0x00007FFE003E0000-memory.dmp

Filesize
64KB

Download
memory/4004-58-0x00007FFE003D0000-0x00007FFE003E0000-memory.dmp

Filesize
64KB

Download
memory/4004-55-0x00007FFE003D0000-0x00007FFE003E0000-memory.dmp

Filesize
64KB

Download
memory/4004-56-0x00007FFE003D0000-0x00007FFE003E0000-memory.dmp

Filesize
64KB

Download
memory/4004-4-0x00007FFE003D0000-0x00007FFE003E0000-memory.dmp

Filesize
64KB

Download
memory/4004-2-0x00007FFE003D0000-0x00007FFE003E0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads