c3b92516dd77bf745e32aa4ffc4db810f0dbb9d290989235c71489b75910917d

Analysis

max time kernel
30s
max time network
128s
platform
windows10_x64
resource
win10
submitted
13-07-2020 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3b92516dd77bf745e32aa4ffc4db810f0dbb9d290989235c71489b75910917d.xls
Size

340KB
MD5

1591dce6e9ac5b9cfc8246d1113a14e8
SHA1

f9248ab4978f521c1052a6d54932aadeb8a56560
SHA256

c3b92516dd77bf745e32aa4ffc4db810f0dbb9d290989235c71489b75910917d
SHA512

5de06b8d3bee8af4d9069efe7efed0dc6cf2f43dd60535d658055f69dd3259617228477ce851e1c45834321e535c043fe633dbbaf60b69d38d0d7ee9ec866f16

Score

8^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3612	EXCEL.EXE
3612	EXCEL.EXE
3612	EXCEL.EXE
3612	EXCEL.EXE
3612	EXCEL.EXE
3612	EXCEL.EXE
3612	EXCEL.EXE
3612	EXCEL.EXE
3612	EXCEL.EXE
3612	EXCEL.EXE
3612	EXCEL.EXE
3612	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3612	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 2316	3612	EXCEL.EXE	71
PID 3612 wrote to memory of 2316	3612	EXCEL.EXE	71
PID 3612 wrote to memory of 2316	3612	EXCEL.EXE	71

Executes dropped EXE 1 IoCs

pid	Process
2316	ZVKeULZ.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c3b92516dd77bf745e32aa4ffc4db810f0dbb9d290989235c71489b75910917d.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:3612
- C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe
  "C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe"
  2⤵
  - Executes dropped EXE
  PID:2316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads