ffeb7d694c82c2dfa5344d082b61386561202ccde69fc11257916b0da515c922

General

Target

账号密码表.xls.exe
Size

1.5MB
MD5

2d2e2831ae6351fbee7810bfc0d10955
SHA1

52a95894b8551743058a1bfe56e38919f43819c4
SHA256

ffeb7d694c82c2dfa5344d082b61386561202ccde69fc11257916b0da515c922
SHA512

239d6ad7b0654146b8c5c08a9b2f07a770cfb0ddabbbcad03109f82b0e78494f80097a98de7d55487f90f41ac25e09f028b12f60c5fc30863d1c871dfbff8eb5

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1912-132-0x0000000000400000-0x0000000000910000-memory.dmp	upx
behavioral2/memory/1912-135-0x0000000000400000-0x0000000000910000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 1 Go-http-client/1.1
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4444 EXCEL.EXE

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4444	EXCEL.EXE
4444	EXCEL.EXE
4444	EXCEL.EXE
4444	EXCEL.EXE
4444	EXCEL.EXE
4444	EXCEL.EXE
4444	EXCEL.EXE
4444	EXCEL.EXE
4444	EXCEL.EXE
4444	EXCEL.EXE
4444	EXCEL.EXE
4444	EXCEL.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

账号密码表.xls.execmd.exe

description	pid	process	target process
PID 1912 wrote to memory of 4760	1912	账号密码表.xls.exe	cmd.exe
PID 1912 wrote to memory of 4760	1912	账号密码表.xls.exe	cmd.exe
PID 4760 wrote to memory of 4444	4760	cmd.exe	EXCEL.EXE
PID 4760 wrote to memory of 4444	4760	cmd.exe	EXCEL.EXE
PID 4760 wrote to memory of 4444	4760	cmd.exe	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\账号密码表.xls.exe
"C:\Users\Admin\AppData\Local\Temp\账号密码表.xls.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1912

\??\c:\windows\system32\cmd.exe
c:\windows\system32\cmd.exe /C start 涉疫轨迹检查表.xls
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4760

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\涉疫轨迹检查表.xls"
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\涉疫轨迹检查表.xls
Filesize
23KB

MD5
f5a8f916c2b8117dbf1cc1ea3319c8da

SHA1
b8e4b9e1247c54ed45bba90cd2f1aaedc0713372

SHA256
11e29e4983eab5bbc95b11b06c8ad11a7375017b99b10fde72f2669e5288e6be

SHA512
05f5189a4f09a442d07d9440156b4f18c67284130d545c79cd701c72af6a5b030df1fd7c83f46d934749eb28aef32936216ae4eb96d19129a5b3743b562f3dd8

Download Submit
memory/1912-135-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/1912-132-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/4444-140-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/4444-136-0x0000000000000000-mapping.dmp

Download
memory/4444-137-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/4444-138-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/4444-139-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/4444-141-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/4444-142-0x00007FFAC1B30000-0x00007FFAC1B40000-memory.dmp

Filesize
64KB

Download
memory/4444-143-0x00007FFAC1B30000-0x00007FFAC1B40000-memory.dmp

Filesize
64KB

Download
memory/4444-145-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/4444-146-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/4444-147-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/4444-148-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/4760-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads