CI&BL shipping documents.xlsx

General
Target

CI&BL shipping documents.xlsx

Filesize

311KB

Completed

10-11-2021 11:15

Score
1/10
MD5

bc374aadfcfd5dfafaa96a8461f109bf

SHA1

bdfb5c095a97035e29ac95a1f7cbf5f561224af8

SHA256

678d94aaf0de5200cbb7ec2d1829c4264019325a8d4f7000fc330d56844615a4

Malware Config
Signatures 4

Filter: none

Discovery
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0EXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHzEXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameStringEXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\MACHINE\Hardware\Description\System\BIOSEXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamilyEXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKUEXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pidprocess
    3972EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pidprocess
    3972EXCEL.EXE
    3972EXCEL.EXE
    3972EXCEL.EXE
    3972EXCEL.EXE
    3972EXCEL.EXE
    3972EXCEL.EXE
    3972EXCEL.EXE
    3972EXCEL.EXE
    3972EXCEL.EXE
    3972EXCEL.EXE
    3972EXCEL.EXE
    3972EXCEL.EXE
Processes 1
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\CI&BL shipping documents.xlsx"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:3972
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Replay Monitor
                        00:00 00:00
                        Downloads
                        • memory/3972-118-0x00007FFC4DF10000-0x00007FFC4DF20000-memory.dmp

                        • memory/3972-119-0x00007FFC4DF10000-0x00007FFC4DF20000-memory.dmp

                        • memory/3972-120-0x00007FFC4DF10000-0x00007FFC4DF20000-memory.dmp

                        • memory/3972-121-0x00007FFC4DF10000-0x00007FFC4DF20000-memory.dmp

                        • memory/3972-122-0x00007FFC4DF10000-0x00007FFC4DF20000-memory.dmp

                        • memory/3972-123-0x000001E9860C0000-0x000001E9860C2000-memory.dmp

                        • memory/3972-124-0x000001E9860C0000-0x000001E9860C2000-memory.dmp

                        • memory/3972-125-0x000001E9860C0000-0x000001E9860C2000-memory.dmp