Analysis
- max time kernel: 141s
- max time network: 146s
- platform: windows10_x64
- resource: win10-de-20210920
- submitted: 14-10-2021 15:09
Behavioral task: behavioral1
- Sample: Bill_PYWTF0.xlsb
- Resource: win7-de-20210920 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Bill_PYWTF0.xlsb
- Resource: win10-de-20210920 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Bill_PYWTF0.xlsb
- Size: 264KB
- MD5: 29be144375ee1609c2c1fd63ae2ff514
- SHA1: f37a8d5da9424bd916ed1c572b15173b5f430dd2
- SHA256: 1296ca015baa3dfae62d8cd6f6c1c1513fb919201a6c11f3df1474700d57fb26
- SHA512: 7873fffbc179dc3e8b415b72c2c3b736c7f4164e1a8a33c6d38cae5902466059f2fe50adf9ff0f2bba8411d373ceca02a950df9fd263624ab03014cf9879d752
- Score: 1/10
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid / process):
  - 4264 EXCEL.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  - 4264 EXCEL.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (22 IoCs)
  Processes (pid / process):
  - 4264 EXCEL.EXE (22 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Bill_PYWTF0.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (file / filesize)
- memory/4264-115-0x00007FFC62540000-0x00007FFC62550000-memory.dmp: 64KB
- memory/4264-116-0x00007FFC62540000-0x00007FFC62550000-memory.dmp: 64KB
- memory/4264-117-0x00007FFC62540000-0x00007FFC62550000-memory.dmp: 64KB
- memory/4264-118-0x00007FFC62540000-0x00007FFC62550000-memory.dmp: 64KB
- memory/4264-119-0x00007FFC62540000-0x00007FFC62550000-memory.dmp: 64KB
- memory/4264-120-0x000001CC3DDE0000-0x000001CC3DDE2000-memory.dmp: 8KB
- memory/4264-121-0x000001CC3DDE0000-0x000001CC3DDE2000-memory.dmp: 8KB
- memory/4264-122-0x000001CC3DDE0000-0x000001CC3DDE2000-memory.dmp: 8KB