4a1345030ec49f6f14b655fd70fbfb6b0822c8f0d373d2e88aaa4a0def887642

Analysis

max time kernel
33s
max time network
132s
platform
windows10_x64
resource
win10
submitted
13-07-2020 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a1345030ec49f6f14b655fd70fbfb6b0822c8f0d373d2e88aaa4a0def887642.xls
Size

350KB
MD5

ff273218e30691fd7953a8d638a2aead
SHA1

9dc365694b427e16f0476ad8a623e5279add1a73
SHA256

4a1345030ec49f6f14b655fd70fbfb6b0822c8f0d373d2e88aaa4a0def887642
SHA512

5ec298cfb0c17b00f46da12901a9ba70aa2554c4cbc3427a65ef4ed64f98426eccd7ffb21a2b867eb344c7cf947fe5ca480e83c36f8a1d4022b30fb04dc75eb9

Score

8^/10

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3588 EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 3588 wrote to memory of 3992	3588	EXCEL.EXE	ZVKeULZ.exe
PID 3588 wrote to memory of 3992	3588	EXCEL.EXE	ZVKeULZ.exe
PID 3588 wrote to memory of 3992	3588	EXCEL.EXE	ZVKeULZ.exe

Executes dropped EXE 1 IoCs

Processes:

ZVKeULZ.exe

pid process

3992 ZVKeULZ.exe

pid	process
3992	ZVKeULZ.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4a1345030ec49f6f14b655fd70fbfb6b0822c8f0d373d2e88aaa4a0def887642.xls"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Enumerates system info in registry
PID:3588

C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe
"C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe"
2⤵
- Executes dropped EXE
PID:3992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe

Download Submit
C:\jSSFrSo\CQxPBFe\ZVKeULZ.exe

Download Submit
memory/3992-0-0x0000000000000000-mapping.dmp

Download