PROFORMA-PDA 00GGTBGX00001A.xlsx

General
Target

PROFORMA-PDA 00GGTBGX00001A.xlsx

Filesize

362KB

Completed

24-09-2021 12:22

Score

1/10

MD5

3428e8b6d05df7add0dd9914432467a0

SHA1

89cd998b04e84731ebd9ec51c3d72ef40b15249e

SHA256

2a6b9eb5645b5e292c85eeb7236eb00361e74ece1e8debfb33873bc72461a67e

Malware Config
Signatures 4

Discovery
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments: a VM or sandbox can expose a telltale CPU name (ProcessorNameString) or clock speed (~MHz) here. In this report the reader is EXCEL.EXE itself, the only process in the run, with no child processes and no network activity, so the signature on its own is weak evidence and is consistent with the low score.

    TTPs

    Query Registry (T1012), System Information Discovery (T1082)

    Reported IOCs

    Description          IOC                                                                                   Process
    Key opened           \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       EXCEL.EXE
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry (T1012), System Information Discovery (T1082)

    Reported IOCs

    Description          IOC                                                                Process
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU       EXCEL.EXE
    Key opened           \REGISTRY\MACHINE\Hardware\Description\System\BIOS                 EXCEL.EXE
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily    EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    PID     Process
    4796    EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    PID     Process
    4796    EXCEL.EXE    (12 SetWindowsHookEx calls recorded for this PID)
Processes 1
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PROFORMA-PDA 00GGTBGX00001A.xlsx"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:4796
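As an added worked example (not part of the sandbox report or its vendor's tooling), the following Python script parses the "Reported IOCs" rows above exactly as they appear on this page, with the description, registry key and process name run together, classifies each registry read as a CPU or firmware fingerprint, and encodes the reasoning a triager applies to this run: one EXCEL.EXE process, no child processes, no network traffic and Discovery-only techniques rate "low", while any extra process, network event or non-Discovery tactic escalates to "review". The `low`/`review` labels, the `FINGERPRINT_KEYS` table and the escalation rule are the example's own assumptions, not the sandbox's scoring model.

```python
"""Triage helper for the sandbox report above (added example).

Parses the flattened 'Reported IOCs' rows (description, registry key and
process run together), classifies each registry read as a host-fingerprint
category, and applies the reasoning behind the report's low score.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the six registry rows copied from the report above.
# The sandbox UI rendered them as a three-column table; extraction glued the
# cells together, so the process name sits directly after the key path.
RAW_ROWS = [
    r"Key opened\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0EXCEL.EXE",
    r"Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHzEXCEL.EXE",
    r"Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameStringEXCEL.EXE",
    r"Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKUEXCEL.EXE",
    r"Key opened\REGISTRY\MACHINE\Hardware\Description\System\BIOSEXCEL.EXE",
    r"Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamilyEXCEL.EXE",
]

# Process names from the report's 'Processes' section. The parser needs them
# because nothing else marks where the key path ends and the process begins.
KNOWN_PROCESSES = ("EXCEL.EXE",)
DESCRIPTIONS = ("Key value queried", "Key opened")

# Registry locations routinely read to fingerprint the host (assumed table).
# A sandbox or VM can leak a telltale CPU name, clock speed or firmware
# SKU/family here, which is why the sandbox flags reads of them.
FINGERPRINT_KEYS = {
    r"\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0": "cpu",
    r"\HARDWARE\DESCRIPTION\SYSTEM\BIOS": "firmware",
}


@dataclass(frozen=True)
class RegistryIoc:
    action: str
    key: str
    process: str


def parse_row(row: str, processes=KNOWN_PROCESSES) -> RegistryIoc:
    """Split one glued row into (action, key, process)."""
    desc_alt = "|".join(re.escape(d) for d in DESCRIPTIONS)
    proc_alt = "|".join(re.escape(p) for p in processes)
    # Non-greedy key match, anchored by the known process name at the end.
    m = re.fullmatch(rf"({desc_alt})(\\REGISTRY\\.+?)({proc_alt})", row, re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable IOC row: {row!r}")
    return RegistryIoc(m.group(1), m.group(2), m.group(3).upper())


def classify(ioc: RegistryIoc) -> str:
    """Map a registry key to a fingerprint category, or 'other'."""
    key = ioc.key.upper().removeprefix(r"\REGISTRY\MACHINE")
    for prefix, label in FINGERPRINT_KEYS.items():
        if key == prefix or key.startswith(prefix + "\\"):
            return label
    return "other"


def triage(rows, *, child_processes: int, network_events: int, tactics: set) -> dict:
    """Summarise the IOCs and decide whether they need a human look.

    The report shows one process (the document's own host, EXCEL.EXE), no
    child processes, no network traffic and techniques only under Discovery.
    Reading CPU and BIOS keys in that context is consistent with ordinary
    Office startup, so those rows alone rate 'low'. Any extra process, any
    network activity or any non-Discovery tactic escalates to 'review'.
    (The rule and labels are this example's assumptions.)
    """
    iocs = [parse_row(r) for r in rows]
    categories = Counter(classify(i) for i in iocs)
    processes = {i.process for i in iocs}
    benign_context = (
        tactics <= {"Discovery"}
        and child_processes == 0
        and network_events == 0
        and processes <= set(KNOWN_PROCESSES)
    )
    return {
        "iocs": len(iocs),
        "categories": dict(categories),
        "processes": sorted(processes),
        "verdict": "low" if benign_context else "review",
    }


if __name__ == "__main__":
    for row in RAW_ROWS:
        ioc = parse_row(row)
        print(f"{classify(ioc):8} {ioc.action:18} {ioc.key}  [{ioc.process}]")
    print(triage(RAW_ROWS, child_processes=0, network_events=0, tactics={"Discovery"}))
```

Run it as-is to reproduce the report's picture (three CPU reads, three firmware reads, verdict `low`); change `child_processes` or `network_events` to a non-zero value, or add a tactic such as `"Execution"`, and the same six rows come back as `review`, which is the point: the registry reads are only meaningful in the context of what else the process did.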
Network
MITRE ATT&CK Matrix
  Discovery: Query Registry (T1012), System Information Discovery (T1082)
  No techniques mapped: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/4796-114-0x00007FF765510000-0x00007FF768AC6000-memory.dmp
  • memory/4796-115-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp
  • memory/4796-116-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp
  • memory/4796-117-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp
  • memory/4796-118-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp
  • memory/4796-119-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp
  • memory/4796-122-0x00007FFD900C0000-0x00007FFD911AE000-memory.dmp
  • memory/4796-123-0x0000020AF22D0000-0x0000020AF41C5000-memory.dmp
  • memory/4796-319-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp
  • memory/4796-320-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp
  • memory/4796-321-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp
  • memory/4796-322-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp