11a01b9c73c2ed2bc22dcd56b2925ecde913e7c2c37996da0584c124a0a00df2

Analysis

max time kernel
124s
max time network
134s
platform
windows10_x64
resource
win10-en-20210920
submitted
13-10-2021 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PROFORMA INVOICE4567.xlsx
Size

657KB
MD5

2aef1857cad31496174b607df0bfbfe9
SHA1

878676c90762705166888bcc41ab51f8f4e92868
SHA256

11a01b9c73c2ed2bc22dcd56b2925ecde913e7c2c37996da0584c124a0a00df2
SHA512

d0f5fac446050d1b022c1a904717ab0b695e2ad83a5938545fe1e9a54b4eb2129ab788b7d40cad49f17d57c0f26c0b39da728c4d0550974612ded6876e4f74e2

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2160 EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 2160 wrote to memory of 3276	2160	EXCEL.EXE	splwow64.exe
PID 2160 wrote to memory of 3276	2160	EXCEL.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE4567.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2160-115-0x00007FF937A30000-0x00007FF937A40000-memory.dmp

Filesize
64KB

Download
memory/2160-117-0x00007FF937A30000-0x00007FF937A40000-memory.dmp

Filesize
64KB

Download
memory/2160-116-0x00007FF937A30000-0x00007FF937A40000-memory.dmp

Filesize
64KB

Download
memory/2160-118-0x00007FF937A30000-0x00007FF937A40000-memory.dmp

Filesize
64KB

Download
memory/2160-119-0x0000026AAB2E0000-0x0000026AAB2E2000-memory.dmp

Filesize
8KB

Download
memory/2160-120-0x0000026AAB2E0000-0x0000026AAB2E2000-memory.dmp

Filesize
8KB

Download
memory/2160-121-0x00007FF937A30000-0x00007FF937A40000-memory.dmp

Filesize
64KB

Download
memory/2160-122-0x0000026AAB2E0000-0x0000026AAB2E2000-memory.dmp

Filesize
8KB

Download
memory/3276-276-0x0000000000000000-mapping.dmp

Download