Analysis
max time kernel: 120s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220722-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-08-2022 07:51
Behavioral task behavioral1: Sample 账号密码表.xls.exe, Resource win7-20220715-en
Behavioral task behavioral2: Sample 账号密码表.xls.exe, Resource win10v2004-20220722-en
General
Target: 账号密码表.xls.exe
Size: 1.5MB
MD5: 2d2e2831ae6351fbee7810bfc0d10955
SHA1: 52a95894b8551743058a1bfe56e38919f43819c4
SHA256: ffeb7d694c82c2dfa5344d082b61386561202ccde69fc11257916b0da515c922
SHA512: 239d6ad7b0654146b8c5c08a9b2f07a770cfb0ddabbbcad03109f82b0e78494f80097a98de7d55487f90f41ac25e09f028b12f60c5fc30863d1c871dfbff8eb5
Malware Config
Signatures
Processes (resource / yara_rule):
  behavioral2/memory/1912-132-0x0000000000400000-0x0000000000910000-memory.dmp  upx
  behavioral2/memory/1912-135-0x0000000000400000-0x0000000000910000-memory.dmp  upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation  cmd.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description / ioc / process):
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  EXCEL.EXE
GoLang User-Agent (1 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.
Processes (description / flow / ioc):
  HTTP User-Agent header  1  Go-http-client/1.1
Modifies registry class (1 IoCs)
Processes (description / ioc / process):
  Key created  \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings  cmd.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid / process):
  4444  EXCEL.EXE
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes (pid / process):
  4444  EXCEL.EXE  (12 identical entries)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes (description / pid / process / target process):
  PID 1912 wrote to memory of 4760  1912  账号密码表.xls.exe  cmd.exe
  PID 1912 wrote to memory of 4760  1912  账号密码表.xls.exe  cmd.exe
  PID 4760 wrote to memory of 4444  4760  cmd.exe  EXCEL.EXE
  PID 4760 wrote to memory of 4444  4760  cmd.exe  EXCEL.EXE
  PID 4760 wrote to memory of 4444  4760  cmd.exe  EXCEL.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\账号密码表.xls.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\账号密码表.xls.exe"
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\system32\cmd.exe
      Command line: c:\windows\system32\cmd.exe /C start 涉疫轨迹检查表.xls
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
         Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\涉疫轨迹检查表.xls"
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious behavior: AddClipboardFormatListener
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\涉疫轨迹检查表.xls
  Filesize: 23KB
  MD5: f5a8f916c2b8117dbf1cc1ea3319c8da
  SHA1: b8e4b9e1247c54ed45bba90cd2f1aaedc0713372
  SHA256: 11e29e4983eab5bbc95b11b06c8ad11a7375017b99b10fde72f2669e5288e6be
  SHA512: 05f5189a4f09a442d07d9440156b4f18c67284130d545c79cd701c72af6a5b030df1fd7c83f46d934749eb28aef32936216ae4eb96d19129a5b3743b562f3dd8
Memory dumps (resource / filesize):
  memory/1912-135-0x0000000000400000-0x0000000000910000-memory.dmp  5.1MB
  memory/1912-132-0x0000000000400000-0x0000000000910000-memory.dmp  5.1MB
  memory/4444-140-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp  64KB
  memory/4444-136-0x0000000000000000-mapping.dmp
  memory/4444-137-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp  64KB
  memory/4444-138-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp  64KB
  memory/4444-139-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp  64KB
  memory/4444-141-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp  64KB
  memory/4444-142-0x00007FFAC1B30000-0x00007FFAC1B40000-memory.dmp  64KB
  memory/4444-143-0x00007FFAC1B30000-0x00007FFAC1B40000-memory.dmp  64KB
  memory/4444-145-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp  64KB
  memory/4444-146-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp  64KB
  memory/4444-147-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp  64KB
  memory/4444-148-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp  64KB
  memory/4760-133-0x0000000000000000-mapping.dmp