Overview
Static (score 10)
Scores per sample and platform (the tab bar fused each score onto the file name; split here):
- 14118.biy.dll, windows7_x64: 8
- 14118.biy.dll, windows10_x64: 10
- 14118.xlsb, windows7_x64: 8
- 14118.xlsb, windows10_x64: 1
- B24C.tmp.dll, windows7_x64: 1
- B24C.tmp.dll, windows10_x64: 10
- NZM32A4.exe, windows7_x64: 10
- NZM32A4.exe, windows10_x64: 10
- subscripti...0.xlsb, windows7_x64: 10
- subscripti...0.xlsb, windows10_x64: 10
- thqsg.exe, windows7_x64: 10
- thqsg.exe, windows10_x64: 10
Analysis
- max time kernel: 142s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-04-2021 05:42
Behavioral tasks (task: sample, resource)
- behavioral1: 14118.biy.dll, win7v20201028
- behavioral2: 14118.biy.dll, win10v20201028
- behavioral3: 14118.xlsb, win7v20201028
- behavioral4: 14118.xlsb, win10v20201028
- behavioral5: B24C.tmp.dll, win7v20201028
- behavioral6: B24C.tmp.dll, win10v20201028
- behavioral7: NZM32A4.exe, win7v20201028
- behavioral8: NZM32A4.exe, win10v20201028
- behavioral9: subscription_1617817060.xlsb, win7v20201028
- behavioral10: subscription_1617817060.xlsb, win10v20201028
- behavioral11: thqsg.exe, win7v20201028
- behavioral12: thqsg.exe, win10v20201028
General
- Target: 14118.xlsb
- Size: 56KB
- MD5: 317dfc2b5b8ced1ca8f228b251081eaf
- SHA1: 0d0c90c11e9413e38d1b7af7632022ca32af58dd
- SHA256: 5d75b97d969ff3eb4459e9bf5d21d650667e9094f527744c7384241d77a0281e
- SHA512: be7a6bc219a6523c70b7701f269e933720f3cc7fef8a277cc03d781d56f660a97c950f1fbcc3f26270fae597128b3847233d8608964ba4789e3be8163401883b
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: EXCEL.EXE (PID 3920)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: EXCEL.EXE (PID 3920)
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Process: EXCEL.EXE (PID 3920), 1 call
- Suspicious use of SetWindowsHookEx (9 IoCs)
  Process: EXCEL.EXE (PID 3920), 9 calls

All four signatures fire on EXCEL.EXE itself. Excel reads the CentralProcessor and BIOS description keys, installs window hooks and registers a clipboard listener on an ordinary start, and this task records no child process and no network activity, so these hits on their own are not evidence that the workbook's payload executed; corroborate with the process tree and the other behavioral tasks before drawing a conclusion.
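The two registry signatures above are the kind of thing a detection pipeline scores per process rather than per event, because the same CPU and BIOS reads are benign from an Office host and worth a look from an unknown binary. The following is an added example, not code from the report or from the sandbox vendor: it replays constructed event records mirroring the six registry IoCs for PID 3920 EXCEL.EXE, plus a hypothetical non-Office process (`dropped.exe`, PID 4444, both assumptions) reading the same keys, and rates each process. The event field names are assumptions as well.

```python
"""Rate hardware-fingerprinting registry reads per process.

Added example; not part of the sandbox report. Event records are constructed
to mirror the report's IoCs (PID 3920 EXCEL.EXE); the field names, the
"dropped.exe" image and its PID are assumptions.
"""
from collections import defaultdict

# Keys that sandbox-detection code reads to fingerprint the host. Compared
# case-insensitively because the report shows both HARDWARE\DESCRIPTION and
# Hardware\Description spellings for the same key.
FINGERPRINT_PREFIXES = (
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS",
)

# Office hosts read these keys on ordinary startup, so a hit from one of them
# is informational unless the same process also spawns children or talks out.
LOW_SIGNAL_IMAGES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}

# Constructed events: the six IoCs from the report, one unrelated Office key,
# and a hypothetical dropped binary doing the same CPU + BIOS reads.
SAMPLE_EVENTS = [
    {"pid": 3920, "image": "EXCEL.EXE", "op": "value_queried",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"pid": 3920, "image": "EXCEL.EXE", "op": "value_queried",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 3920, "image": "EXCEL.EXE", "op": "key_opened",
     "path": r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"},
    {"pid": 3920, "image": "EXCEL.EXE", "op": "key_opened",
     "path": r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"},
    {"pid": 3920, "image": "EXCEL.EXE", "op": "value_queried",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"},
    {"pid": 3920, "image": "EXCEL.EXE", "op": "value_queried",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
    # unrelated key: must not count towards the verdict
    {"pid": 3920, "image": "EXCEL.EXE", "op": "key_opened",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Office\16.0\Excel"},
    # hypothetical (assumed) dropped binary reading the same key families
    {"pid": 4444, "image": "dropped.exe", "op": "value_queried",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 4444, "image": "dropped.exe", "op": "value_queried",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
]


def is_fingerprint_key(path):
    """True if the registry path is under a CPU or BIOS description key."""
    upper = path.upper()
    return any(upper.startswith(prefix) for prefix in FINGERPRINT_PREFIXES)


def score_processes(events):
    """Group fingerprint reads by (pid, IMAGE) and return a verdict per process.

    'suspicious'    : CPU and BIOS keys read by a non-Office image
    'informational' : CPU and BIOS keys read by an Office host (expected)
    'low'           : only one of the two key families touched
    """
    reads = defaultdict(list)
    for ev in events:
        if ev["op"] in ("key_opened", "value_queried") and is_fingerprint_key(ev["path"]):
            reads[(ev["pid"], ev["image"].upper())].append(ev["path"])

    verdicts = {}
    for (pid, image), paths in reads.items():
        upper = [p.upper() for p in paths]
        cpu = any("\\CENTRALPROCESSOR" in p for p in upper)
        bios = any("\\BIOS" in p for p in upper)
        if cpu and bios:
            verdict = "informational" if image in LOW_SIGNAL_IMAGES else "suspicious"
        else:
            verdict = "low"
        verdicts[(pid, image)] = {"verdict": verdict, "ioc_count": len(paths)}
    return verdicts


if __name__ == "__main__":
    for key, info in score_processes(SAMPLE_EVENTS).items():
        print(key, info)
```

On the constructed input EXCEL.EXE comes out as informational with six IoCs and the assumed dropped.exe as suspicious; in a real pipeline the Office verdict would be promoted only if the same PID also shows a child process or outbound connection, which this task does not.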
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3920, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\14118.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps of PID 3920; name, size)
- memory/3920-2-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp, 64KB
- memory/3920-3-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp, 64KB
- memory/3920-4-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp, 64KB
- memory/3920-5-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp, 64KB
- memory/3920-6-0x00007FF8E8D90000-0x00007FF8E93C7000-memory.dmp, 6.2MB
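The dump names encode the PID, a sequence number and the virtual address range that was captured, so the declared sizes can be checked against the range before anything is loaded into a debugger, and repeated captures of one range (the four 64KB dumps are all the same region) can be collapsed. The following is an added example, not code from the report or the sandbox vendor: the name layout memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp is inferred from the five entries listed above, and the regex and the 5% size tolerance are assumptions.

```python
"""Parse sandbox memory-dump names and check them against declared sizes.

Added example, not part of the report. The name layout
memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp is inferred from the
Downloads entries; the regex and the size tolerance are assumptions.
"""
import re

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Entries copied from the report's Downloads section: (name, declared size).
REPORT_DUMPS = [
    ("memory/3920-2-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp", "64KB"),
    ("memory/3920-3-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp", "64KB"),
    ("memory/3920-4-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp", "64KB"),
    ("memory/3920-5-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp", "64KB"),
    ("memory/3920-6-0x00007FF8E8D90000-0x00007FF8E93C7000-memory.dmp", "6.2MB"),
]


def parse_size(text):
    """Convert a human size such as '64KB' or '6.2MB' to bytes (binary units)."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([KMG]?B)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(round(float(m.group(1)) * UNITS[m.group(2).upper()]))


def parse_dump_name(name):
    """Return pid, index, start, end and length of the region a dump covers."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted region in {name!r}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "length": end - start}


def check_dumps(entries, tolerance=0.05):
    """Pair each dump with its declared size and flag ones that do not match.

    The page rounds sizes ('6.2MB' for 0x637000 bytes), so a relative
    tolerance is applied instead of an exact comparison.
    """
    results = []
    for name, declared in entries:
        info = parse_dump_name(name)
        expected = parse_size(declared)
        info["name"] = name
        info["declared"] = expected
        info["consistent"] = abs(info["length"] - expected) <= tolerance * expected
        results.append(info)
    return results


def distinct_regions(entries):
    """Unique (pid, start, end) regions; repeated dumps of one range collapse."""
    return sorted({(d["pid"], d["start"], d["end"]) for d in check_dumps(entries)})


if __name__ == "__main__":
    for d in check_dumps(REPORT_DUMPS):
        print(f"{d['name']}: 0x{d['length']:x} bytes, consistent={d['consistent']}")
    print("distinct regions:", distinct_regions(REPORT_DUMPS))
```

For the five entries above the 64KB dumps are exactly 0x10000 bytes and the last one spans 0x637000 bytes (6,516,736, which the page rounds to 6.2MB), so every declared size is consistent and only two distinct regions were captured.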