PO doc 42782.xlsx

General
Target

PO doc 42782.xlsx

Filesize

369KB

Completed

21-10-2021 18:02

Score
1/10
MD5

9c5486b2167c91562d09db0f5b1025e2

SHA1

535baeb13752700a26bda678a6c85d003db29397

SHA256

bc081b96be044e4fd5b0d0a48151aac96251ba275c9a66e9add9daf1d2e12380

Malware Config
Signatures 4

Filter: none

Discovery
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0EXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHzEXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameStringEXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\MACHINE\Hardware\Description\System\BIOSEXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamilyEXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKUEXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pidprocess
    2332EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pidprocess
    2332EXCEL.EXE
    2332EXCEL.EXE
    2332EXCEL.EXE
    2332EXCEL.EXE
    2332EXCEL.EXE
    2332EXCEL.EXE
    2332EXCEL.EXE
    2332EXCEL.EXE
    2332EXCEL.EXE
    2332EXCEL.EXE
    2332EXCEL.EXE
    2332EXCEL.EXE
Processes 1
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO doc 42782.xlsx"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:2332
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Replay Monitor
                        00:00 00:00
                        Downloads
                        • memory/2332-115-0x00007FFD2B5F0000-0x00007FFD2B600000-memory.dmp

                        • memory/2332-116-0x00007FFD2B5F0000-0x00007FFD2B600000-memory.dmp

                        • memory/2332-117-0x00007FFD2B5F0000-0x00007FFD2B600000-memory.dmp

                        • memory/2332-118-0x00007FFD2B5F0000-0x00007FFD2B600000-memory.dmp

                        • memory/2332-119-0x00007FFD2B5F0000-0x00007FFD2B600000-memory.dmp

                        • memory/2332-121-0x000002075F6A0000-0x000002075F6A2000-memory.dmp

                        • memory/2332-120-0x000002075F6A0000-0x000002075F6A2000-memory.dmp

                        • memory/2332-122-0x000002075F6A0000-0x000002075F6A2000-memory.dmp