Analysis
- max time kernel: 27s
- max time network: 133s
- platform: windows10_x64
- resource: win10v200430
- submitted: 14-07-2020 14:55
Static task: static1
Behavioral task: behavioral1
- Sample: payment_499285.xls
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: payment_499285.xls
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: payment_499285.xls
- Size: 520KB
- MD5: 0cbeaee243b3d87ebde4437a38da1a3e
- SHA1: 89d03d4e777ba41ad8071ecb5123aa52c9b856eb
- SHA256: 7c398cc722f79e55d41ae267d2ab35cb401e721f710ce7ba249a864195c33af3
- SHA512: 050172e36bdc49689ad3b6ec0d0ec800af23148e932d0107e31f081967939e6f091bcbb70d069f2895debba8ec823a5274a6b72556712eb7971711709f175952
- Score: 8/10
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                 EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily    EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU       EXCEL.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                        EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                   EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    EXCEL.EXE
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes (pid / process):
    1516  EXCEL.EXE  (12 identical entries)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid / process):
    1516  EXCEL.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
    PID 1516 wrote to memory of 2752  1516  EXCEL.EXE  jeTneVi.exe
    PID 1516 wrote to memory of 2752  1516  EXCEL.EXE  jeTneVi.exe
    PID 1516 wrote to memory of 2752  1516  EXCEL.EXE  jeTneVi.exe
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    2752  jeTneVi.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\payment_499285.xls"
  PID: 1516
  - Enumerates system info in registry
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  - C:\scbPBcy\LZHYKOo\jeTneVi.exe (child of PID 1516)
    Command line: "C:\scbPBcy\LZHYKOo\jeTneVi.exe"
    PID: 2752
    - Executes dropped EXE