f62e16331ff6b8514bf7285df5f829f40c5eafb6c07180afc38bb670ff77a7d6

Resubmissions

12-09-2022 17:36

220912-v6ng1ahecq 4

12-09-2022 16:57

220912-vgcn7sdff7 1

12-09-2022 16:42

220912-t75x1adfe5 1

12-09-2022 16:35

220912-t3vlgahddr 1

Analysis

max time kernel
1392s
max time network
1222s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2022 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order FG-20220906 By Sea.xlsx
Size

48KB
MD5

e740f922b24a201d2d8deb4be08525d5
SHA1

fe8d9dcd67344dc6ddf6c6767279461d5754911c
SHA256

f62e16331ff6b8514bf7285df5f829f40c5eafb6c07180afc38bb670ff77a7d6
SHA512

9c94949f82c8748da1d0e1eed5b2c50641bc40d5d77faee6bb8b6cf2ebbf69be48548f06ab2a45cba310f292264d057f49c6b03098a0296fae6db5ce4daba242
SSDEEP

1536:1rPUVuh3RzNUEK+hM5AFlbCcCqB23Ix1FKe32ut:1rPUwfzKEThNbCqB2sYEVt

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3860	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	5100	7zG.exe
Token: 35	5100	7zG.exe
Token: SeSecurityPrivilege	5100	7zG.exe
Token: SeSecurityPrivilege	5100	7zG.exe
Token: SeRestorePrivilege	4028	7zG.exe
Token: 35	4028	7zG.exe
Token: SeSecurityPrivilege	4028	7zG.exe
Token: SeSecurityPrivilege	4028	7zG.exe
Token: SeRestorePrivilege	2824	7zG.exe
Token: 35	2824	7zG.exe
Token: SeSecurityPrivilege	2824	7zG.exe
Token: SeSecurityPrivilege	2824	7zG.exe
Token: SeRestorePrivilege	3336	7zG.exe
Token: 35	3336	7zG.exe
Token: SeSecurityPrivilege	3336	7zG.exe
Token: SeSecurityPrivilege	3336	7zG.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5100	7zG.exe
4028	7zG.exe
2824	7zG.exe
3336	7zG.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE
3860	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Purchase Order FG-20220906 By Sea.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4088

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Purchase Order FG-20220906 By Sea\" -spe -an -ai#7zMap93:148:7zEvent12903
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5100

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Purchase Order FG-20220906 By Sea\" -spe -an -ai#7zMap4115:148:7zEvent26689
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4028

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Purchase Order FG-20220906 By Sea\EncryptedPackage~\" -spe -an -ai#7zMap16943:172:7zEvent15492
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2824

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Purchase Order FG-20220906 By Sea\EncryptionInfo~\" -spe -an -ai#7zMap23516:168:7zEvent2407
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Purchase Order FG-20220906 By Sea\EncryptedPackage

Filesize
44KB

MD5
f2746feeeb5acd773a59863f95424179

SHA1
4b078df6038a3f0ed21ec2335fe816f53bf03cc3

SHA256
f3a4af6e87f3c57a45b9a5de28066d3a70e9c7ad3b3a83f3e87a71423e4b9858

SHA512
ecd076f8b9761f16ccb07c2137fa90b2c87c28ec00418b67caa1f2262c0b9c813752e84edae230013562c6d8bba78f8743eba15f7cc4eb5a39a0a1ed2c095208

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchase Order FG-20220906 By Sea\EncryptionInfo

Filesize
224B

MD5
3e93b7ec4e7eeeab05efff9f9fa39dec

SHA1
12e3d413995f820e1e3521445ee76f7e929b938f

SHA256
a5f4997f3452fb40cf39549d83df0e5d12042acf576b33843817a79680c84f1c

SHA512
1a8b2dbf30c45d02850ca8fd373cf3b46d279d5376710aef11b1d75c7f8659d3e74e41c59919df30a571082e918b959154a9f10064ede314e0834bf59c41b845

Download Submit
memory/3860-138-0x00007FFE708D0000-0x00007FFE708E0000-memory.dmp

Filesize
64KB

Download
memory/3860-135-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/3860-136-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/3860-137-0x00007FFE708D0000-0x00007FFE708E0000-memory.dmp

Filesize
64KB

Download
memory/3860-132-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/3860-140-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/3860-141-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/3860-142-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/3860-143-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/3860-134-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/3860-133-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads