eca1784247861d517c8d7626ef78669dcd1dc20e46fde840a45c7d26dae46886

General

Target

Wire_Slip.xlsx
Size

436KB
MD5

6a7d68de0b2d63cd53504e3abbf46996
SHA1

3bff34521fa2fe85a5fd8f1000bcd5db275bb199
SHA256

eca1784247861d517c8d7626ef78669dcd1dc20e46fde840a45c7d26dae46886
SHA512

d2946250478224dad711e0e2b74beaf71a1acd4ec8a9848c3485b699ef884c46267748b575bba296757ab1557acc5e547d55b69cc7567e373f08446f38dd01fd

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4332 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4332	EXCEL.EXE
4332	EXCEL.EXE
4332	EXCEL.EXE
4332	EXCEL.EXE
4332	EXCEL.EXE
4332	EXCEL.EXE
4332	EXCEL.EXE
4332	EXCEL.EXE
4332	EXCEL.EXE
4332	EXCEL.EXE
4332	EXCEL.EXE
4332	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Wire_Slip.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4332-115-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/4332-116-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/4332-117-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/4332-118-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/4332-119-0x000001F94BBC0000-0x000001F94BBC2000-memory.dmp

Filesize
8KB

Download
memory/4332-120-0x000001F94BBC0000-0x000001F94BBC2000-memory.dmp

Filesize
8KB

Download
memory/4332-121-0x00007FFBD7680000-0x00007FFBD7690000-memory.dmp

Filesize
64KB

Download
memory/4332-122-0x000001F94BBC0000-0x000001F94BBC2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads