Analysis
-
max time kernel
101s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21/06/2022, 08:21
Static task
static1
Behavioral task
behavioral1
Sample
Fawaz 2100355_1.xlsx
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Fawaz 2100355_1.xlsx
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
decrypted.xlsx
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
decrypted.xlsx
Resource
win10v2004-20220414-en
General
-
Target
decrypted.xlsx
-
Size
75KB
-
MD5
7637745419817a7d66d853585be6373e
-
SHA1
4dcb9a7dfc259c501f53a5e05ed111fc14147496
-
SHA256
2a1fa8f1c00738e5717268f09ff66995ceceb8528ae5b5d8cd3fd3522f502642
-
SHA512
4a567b0072a88618a01a93bd67ad02cd9e1ae076077c7e6e7332863ad9f6e755a95922a8f8a062456d730dd688bff065f381f128b2444b2f5312e7d41d17443a
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1404 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 1404 EXCEL.EXE 1404 EXCEL.EXE 1404 EXCEL.EXE 1404 EXCEL.EXE 1404 EXCEL.EXE 1404 EXCEL.EXE 1404 EXCEL.EXE 1404 EXCEL.EXE 1404 EXCEL.EXE 1404 EXCEL.EXE 1404 EXCEL.EXE 1404 EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1404