Analysis
- max time kernel: 118s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 29-03-2022 18:02
Behavioral task: behavioral1
- Sample: 04981834becf18d3203eb1b21d6b377df3b840c2fdc24bf358b9362ada387c20.xlsb
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: 04981834becf18d3203eb1b21d6b377df3b840c2fdc24bf358b9362ada387c20.xlsb
- Resource: win10v2004-20220310-en
General
- Target: 04981834becf18d3203eb1b21d6b377df3b840c2fdc24bf358b9362ada387c20.xlsb
- Size: 357KB
- MD5: 7049e29713a7bb517a3a7920df5dbac1
- SHA1: f119cf61514483d27d35c29487dfdc242ad1e6df
- SHA256: 04981834becf18d3203eb1b21d6b377df3b840c2fdc24bf358b9362ada387c20
- SHA512: dc4516b7d6885aca1037e411ef49b4f183fe2d275b030e3e0536bb96583156a16f08d3cfa58bc377b4baaa844f37f7248696e40bbfc46ed0dc949133e49d751b
Malware Config
- Extracted: http://alpine.kz/ds/161120.gif
Signatures
- Program crash (1 IoC)
  Processes:
  - WerFault.exe, pid 3904, target pid 4652
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  - EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  - EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  - EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  - EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Modifies data under HKEY_USERS (6 IoCs)
  Processes:
  - svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"
  - svchost.exe: Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property
  - svchost.exe: Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018400674E4A989 = 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
  - svchost.exe: Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}
  - svchost.exe: Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 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
  - svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018400674E4A989"
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - EXCEL.EXE, pid 3508
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
  - EXCEL.EXE, pid 3508 (12 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\04981834becf18d3203eb1b21d6b377df3b840c2fdc24bf358b9362ada387c20.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  - Modifies data under HKEY_USERS
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 476 -p 4652 -ip 4652
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 4652 -s 2076
  - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3508-134-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp (64KB)
- memory/3508-135-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp (64KB)
- memory/3508-136-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp (64KB)
- memory/3508-137-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp (64KB)
- memory/3508-138-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp (64KB)
- memory/3508-139-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp (64KB)
- memory/3508-140-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp (64KB)
- memory/3508-141-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp (64KB)
- memory/3508-142-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp (64KB)