Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-08-2022 14:05
Behavioral task: behavioral1
- Sample: FIS_Remittance_Advice_ACH26596.xls
- Resource: win7-20220718-en
- Platform: windows7-x64
- 8 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: FIS_Remittance_Advice_ACH26596.xls
- Resource: win10v2004-20220721-en
- Platform: windows10-2004-x64
- 6 signatures
- 150 seconds
General
- Target: FIS_Remittance_Advice_ACH26596.xls
- Size: 234KB
- MD5: e0946a78fc26ca171545392a44be7889
- SHA1: 072868e101afb93de47fc2b38832f24e8011a1c6
- SHA256: 33f4cdc87f17fb37ad8b3dd956e90a807dda3c65537bad975de6c0ef287282c1
- SHA512: e4b947eb7816971e584438b91c2995c88e395ecc4636421608fc89d48c5c18856ac472ad004ee00d7e3dc45580e6caab1df50c98b7fd120d2d69bb33b7bc9ef7
- Score: 1/10
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description        | ioc                                                                              | process
  Key opened         | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                  | EXCEL.EXE
  Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz             | EXCEL.EXE
  Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description        | ioc                                                                              | process
  Key opened         | \REGISTRY\MACHINE\Hardware\Description\System\BIOS                               | EXCEL.EXE
  Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily                  | EXCEL.EXE
  Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU                     | EXCEL.EXE
- Modifies registry class (2 IoCs)
  Processes: EXCEL.EXE
  description        | ioc                                                                              | process
  Set value (data)   | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | EXCEL.EXE
  Set value (data)   | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | EXCEL.EXE
- NTFS ADS (1 IoCs)
  Processes: EXCEL.EXE
  description                  | ioc                                                                                               | process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\{1140A9A3-923D-4F6D-A166-D4C19301A106}\xeUMa.txt:Zone.Identifier | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: EXCEL.EXE
  pid  | process
  4448 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: EXCEL.EXE
  pid  | process
  4448 | EXCEL.EXE (16 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\FIS_Remittance_Advice_ACH26596.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4448-130-0x00007FF9A0DB0000-0x00007FF9A0DC0000-memory.dmp (Filesize: 64KB)
- memory/4448-131-0x00007FF9A0DB0000-0x00007FF9A0DC0000-memory.dmp (Filesize: 64KB)
- memory/4448-132-0x00007FF9A0DB0000-0x00007FF9A0DC0000-memory.dmp (Filesize: 64KB)
- memory/4448-133-0x00007FF9A0DB0000-0x00007FF9A0DC0000-memory.dmp (Filesize: 64KB)
- memory/4448-134-0x00007FF9A0DB0000-0x00007FF9A0DC0000-memory.dmp (Filesize: 64KB)
- memory/4448-135-0x00007FF99ED50000-0x00007FF99ED60000-memory.dmp (Filesize: 64KB)
- memory/4448-136-0x00007FF99ED50000-0x00007FF99ED60000-memory.dmp (Filesize: 64KB)