66c9b27a6ed1e8b8228b60559551d9bf6c656dd5d616548ad38c41ba6b8ee12e

Analysis

max time kernel
30s
max time network
135s
platform
windows10_x64
resource
win10v200430
submitted
13-07-2020 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66c9b27a6ed1e8b8228b60559551d9bf6c656dd5d616548ad38c41ba6b8ee12e.xls
Size

349KB
MD5

bbbb3fc2e412ad902f5c967669e52bf6
SHA1

3b1981d40f78d524aa5dd6e5decc4c5af6a3d21a
SHA256

66c9b27a6ed1e8b8228b60559551d9bf6c656dd5d616548ad38c41ba6b8ee12e
SHA512

a3397833c215817706040718d9d5f12133ee7e920878cc7a8f60bb6d45fd553d52ccea2141126259899a5d394bf5b134e76ac7bfa8a7669235ca625527a20a7c

Score

8^/10

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3888	EXCEL.EXE
3888	EXCEL.EXE
3888	EXCEL.EXE
3888	EXCEL.EXE
3888	EXCEL.EXE
3888	EXCEL.EXE
3888	EXCEL.EXE
3888	EXCEL.EXE
3888	EXCEL.EXE
3888	EXCEL.EXE
3888	EXCEL.EXE
3888	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3888 EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 3888 wrote to memory of 3740	3888	EXCEL.EXE	ZVKeULZ.exe
PID 3888 wrote to memory of 3740	3888	EXCEL.EXE	ZVKeULZ.exe
PID 3888 wrote to memory of 3740	3888	EXCEL.EXE	ZVKeULZ.exe

Executes dropped EXE 1 IoCs

Processes:

ZVKeULZ.exe

pid process

3740 ZVKeULZ.exe

pid	process
3740	ZVKeULZ.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\66c9b27a6ed1e8b8228b60559551d9bf6c656dd5d616548ad38c41ba6b8ee12e.xls"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Enumerates system info in registry
PID:3888

C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe
"C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe"
2⤵
- Executes dropped EXE
PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe

Download Submit
C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe

Download Submit
memory/3740-0-0x0000000000000000-mapping.dmp

Download