d91a7c741f9ab4ef681cb4924bb04453494c5a39762501258dabf202b8ec0f0a

Analysis

max time kernel
163s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-05-2022 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

invoice-02-01-2022.xls
Size

51KB
MD5

04a6bacaf107ae57c0dad8e133997418
SHA1

9b3f379764d2501fc91164ecc67c5bbccad5d0ed
SHA256

a3f128976fb477883db4f7ecc2aae05e61e2de224ad584454022aced8f8f5ca5
SHA512

c1d90054931c457ae263746f26b3bcf2883d813c177078574aced6e49d197cb1794e5fb47e532dd2aca1646ac0d17baca10c59e42a59b04cc172ef2285d84d6c

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{6CEC699A-AA96-4194-89F4-FDFD7767D429}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{28D5ABE7-F420-4493-9D2D-D1175A1F19F4}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\invoice-02-01-2022.xls"
1⤵
PID:1264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:1200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1264-130-0x00007FFE82DF0000-0x00007FFE82E00000-memory.dmp

Filesize
64KB

Download
memory/1264-131-0x00007FFE82DF0000-0x00007FFE82E00000-memory.dmp

Filesize
64KB

Download
memory/1264-132-0x00007FFE82DF0000-0x00007FFE82E00000-memory.dmp

Filesize
64KB

Download
memory/1264-133-0x00007FFE82DF0000-0x00007FFE82E00000-memory.dmp

Filesize
64KB

Download
memory/1264-134-0x00007FFE82DF0000-0x00007FFE82E00000-memory.dmp

Filesize
64KB

Download