Analysis
max time kernel: 33s
max time network: 132s
platform: windows10_x64
resource: win10
submitted: 13-07-2020 15:05
Static task: static1
Behavioral task: behavioral1
Sample: 4a1345030ec49f6f14b655fd70fbfb6b0822c8f0d373d2e88aaa4a0def887642.xls
Resource: win7
Behavioral task: behavioral2
Sample: 4a1345030ec49f6f14b655fd70fbfb6b0822c8f0d373d2e88aaa4a0def887642.xls
Resource: win10
General
Target: 4a1345030ec49f6f14b655fd70fbfb6b0822c8f0d373d2e88aaa4a0def887642.xls
Size: 350KB
MD5: ff273218e30691fd7953a8d638a2aead
SHA1: 9dc365694b427e16f0476ad8a623e5279add1a73
SHA256: 4a1345030ec49f6f14b655fd70fbfb6b0822c8f0d373d2e88aaa4a0def887642
SHA512: 5ec298cfb0c17b00f46da12901a9ba70aa2554c4cbc3427a65ef4ed64f98426eccd7ffb21a2b867eb344c7cf947fe5ca480e83c36f8a1d4022b30fb04dc75eb9
Malware Config
Signatures
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXE
pid   process
3588  EXCEL.EXE  (12 identical rows)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXE
pid   process
3588  EXCEL.EXE
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
EXCEL.EXE
description                       pid   process    target process
PID 3588 wrote to memory of 3992  3588  EXCEL.EXE  ZVKeULZ.exe
PID 3588 wrote to memory of 3992  3588  EXCEL.EXE  ZVKeULZ.exe
PID 3588 wrote to memory of 3992  3588  EXCEL.EXE  ZVKeULZ.exe
Executes dropped EXE 1 IoCs
Processes:
ZVKeULZ.exe
pid   process
3992  ZVKeULZ.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXE
description        ioc                                                                                    process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXE
description        ioc                                                              process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4a1345030ec49f6f14b655fd70fbfb6b0822c8f0d373d2e88aaa4a0def887642.xls"
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Enumerates system info in registry
PID:3588
C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe
"C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe"
- Executes dropped EXE
PID:3992