Payment Advise.xlsx

General
Target

Payment Advise.xlsx

Filesize

337KB

Completed

12-10-2021 15:37

Score
1/10
MD5

2a2774f89f6ac878975ef5227cc8a92b

SHA1

bfbfd645fed06b7598bfe1f583d0ba04ad943b29

SHA256

54167fce5b8273b4a21f9da96c32113ebe3e5831f51aebad3ae1e97d5165f263

Malware Config
Signatures 4

Filter: none

Discovery
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0EXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHzEXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameStringEXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\MACHINE\Hardware\Description\System\BIOSEXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamilyEXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKUEXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pidprocess
    2396EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pidprocess
    2396EXCEL.EXE
    2396EXCEL.EXE
    2396EXCEL.EXE
    2396EXCEL.EXE
    2396EXCEL.EXE
    2396EXCEL.EXE
    2396EXCEL.EXE
    2396EXCEL.EXE
    2396EXCEL.EXE
    2396EXCEL.EXE
    2396EXCEL.EXE
    2396EXCEL.EXE
Processes 1
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Payment Advise.xlsx"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:2396
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Replay Monitor
                        00:00 00:00
                        Downloads
                        • memory/2396-116-0x00007FF978D00000-0x00007FF978D10000-memory.dmp

                        • memory/2396-117-0x00007FF978D00000-0x00007FF978D10000-memory.dmp

                        • memory/2396-118-0x00007FF978D00000-0x00007FF978D10000-memory.dmp

                        • memory/2396-119-0x00007FF978D00000-0x00007FF978D10000-memory.dmp

                        • memory/2396-120-0x000001AC10A70000-0x000001AC10A72000-memory.dmp

                        • memory/2396-121-0x000001AC10A70000-0x000001AC10A72000-memory.dmp

                        • memory/2396-122-0x00007FF978D00000-0x00007FF978D10000-memory.dmp

                        • memory/2396-123-0x000001AC10A70000-0x000001AC10A72000-memory.dmp

                        • memory/2396-129-0x00007FF9761B0000-0x00007FF9761C0000-memory.dmp

                        • memory/2396-130-0x00007FF9761B0000-0x00007FF9761C0000-memory.dmp