Analysis
-
max time kernel
105s -
max time network
139s -
platform
windows10_x64 -
resource
win10-en -
submitted
15-09-2021 06:13
Static task
static1
Behavioral task
behavioral1
Sample
INVOICE = 212888585 .xlsx
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
INVOICE = 212888585 .xlsx
Resource
win10-en
windows10_x64
0 signatures
0 seconds
General
-
Target
INVOICE = 212888585 .xlsx
-
Size
732KB
-
MD5
145e00853b80fb2d97676c4416f984a9
-
SHA1
fa80c59ebbafc435e88ffdceae00450b56ec5d48
-
SHA256
e9c342550d334bffc58a310997673e24eed03f4d2b9c441dec943b24e7d29d08
-
SHA512
6e150bd0e392f3bb7696a0f8dcffcc453c508879165e0bef4eec268e0b5aebe40f03b4bb683970e91e4d3b010481c18c81d697f186cb813cb299deb4767d9467
Score
1/10
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2280 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
EXCEL.EXEpid process 2280 EXCEL.EXE 2280 EXCEL.EXE 2280 EXCEL.EXE 2280 EXCEL.EXE 2280 EXCEL.EXE 2280 EXCEL.EXE 2280 EXCEL.EXE 2280 EXCEL.EXE 2280 EXCEL.EXE 2280 EXCEL.EXE 2280 EXCEL.EXE 2280 EXCEL.EXE 2280 EXCEL.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
EXCEL.EXEdescription pid process target process PID 2280 wrote to memory of 2776 2280 EXCEL.EXE splwow64.exe PID 2280 wrote to memory of 2776 2280 EXCEL.EXE splwow64.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\INVOICE = 212888585 .xlsx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2280-123-0x00007FFDAC070000-0x00007FFDAD15E000-memory.dmpFilesize
16.9MB
-
memory/2280-116-0x00007FFD89D80000-0x00007FFD89D90000-memory.dmpFilesize
64KB
-
memory/2280-117-0x00007FFD89D80000-0x00007FFD89D90000-memory.dmpFilesize
64KB
-
memory/2280-118-0x00007FFD89D80000-0x00007FFD89D90000-memory.dmpFilesize
64KB
-
memory/2280-119-0x00007FFD89D80000-0x00007FFD89D90000-memory.dmpFilesize
64KB
-
memory/2280-122-0x00007FFD89D80000-0x00007FFD89D90000-memory.dmpFilesize
64KB
-
memory/2280-115-0x00007FF662600000-0x00007FF665BB6000-memory.dmpFilesize
53.7MB
-
memory/2280-124-0x00007FFDAA170000-0x00007FFDAC065000-memory.dmpFilesize
31.0MB
-
memory/2280-289-0x00007FFD89D80000-0x00007FFD89D90000-memory.dmpFilesize
64KB
-
memory/2280-290-0x00007FFD89D80000-0x00007FFD89D90000-memory.dmpFilesize
64KB
-
memory/2280-291-0x00007FFD89D80000-0x00007FFD89D90000-memory.dmpFilesize
64KB
-
memory/2280-292-0x00007FFD89D80000-0x00007FFD89D90000-memory.dmpFilesize
64KB
-
memory/2776-203-0x0000000000000000-mapping.dmp