Analysis
max time kernel: 30s
max time network: 135s
platform: windows10_x64
resource: win10v200430
submitted: 13-07-2020 15:05
Static task: static1
Behavioral task: behavioral1
Sample: 66c9b27a6ed1e8b8228b60559551d9bf6c656dd5d616548ad38c41ba6b8ee12e.xls
Resource: win7
Behavioral task: behavioral2
Sample: 66c9b27a6ed1e8b8228b60559551d9bf6c656dd5d616548ad38c41ba6b8ee12e.xls
Resource: win10v200430
General
Target: 66c9b27a6ed1e8b8228b60559551d9bf6c656dd5d616548ad38c41ba6b8ee12e.xls
Size: 349KB
MD5: bbbb3fc2e412ad902f5c967669e52bf6
SHA1: 3b1981d40f78d524aa5dd6e5decc4c5af6a3d21a
SHA256: 66c9b27a6ed1e8b8228b60559551d9bf6c656dd5d616548ad38c41ba6b8ee12e
SHA512: a3397833c215817706040718d9d5f12133ee7e920878cc7a8f60bb6d45fd553d52ccea2141126259899a5d394bf5b134e76ac7bfa8a7669235ca625527a20a7c
Malware Config
Signatures
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXE
pid | process
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXE
pid | process
3888 | EXCEL.EXE
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
EXCEL.EXE
description | pid | process | target process
PID 3888 wrote to memory of 3740 | 3888 | EXCEL.EXE | ZVKeULZ.exe
PID 3888 wrote to memory of 3740 | 3888 | EXCEL.EXE | ZVKeULZ.exe
PID 3888 wrote to memory of 3740 | 3888 | EXCEL.EXE | ZVKeULZ.exe
Executes dropped EXE 1 IoCs
Processes:
ZVKeULZ.exe
pid | process
3740 | ZVKeULZ.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\66c9b27a6ed1e8b8228b60559551d9bf6c656dd5d616548ad38c41ba6b8ee12e.xls" 1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Enumerates system info in registry
PID:3888
C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe
"C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe" 2⤵
- Executes dropped EXE
PID:3740