e5a4eec751296e5d2cd97e1d6135ac92cb83fa25cc3f3a6b286090552c76edea

Analysis

max time kernel
209s
max time network
225s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 07:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

QYGWLT20140125团结镇友谊小区(太和村安置小区)FTTH-余碧金/(分光器信息)团结镇�.xls
Size

26KB
MD5

5287b9ee43143eb7f02b000176a310eb
SHA1

e7cace4b643b6a87ed583d07e6a5b8c474cc1720
SHA256

78e55b16c008ea6e6ce34f898c20b7da6ced9f3e67b0e973bc88ec97d9fcb23e
SHA512

ab1a354af0977dde42ce9e66c2ccbc5d7adfc3b2281d19f3fc0c1d5fd7e86249d4dc6c3674b030f40b44b25b028d2f6e8084080098fb6610f44a745a75ee7499
SSDEEP

768:I+++zPQbV18Q8JkvstecS4kQqekQ5R21MEmYqVF9LAXSbXYJhGM:I+++zPQbV18Q8JkvstecS4kQqekQ8ME5

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1656	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1656	EXCEL.EXE
1656	EXCEL.EXE
1656	EXCEL.EXE
1656	EXCEL.EXE
1656	EXCEL.EXE
1656	EXCEL.EXE
1656	EXCEL.EXE
1656	EXCEL.EXE
1656	EXCEL.EXE
1656	EXCEL.EXE
1656	EXCEL.EXE
1656	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\QYGWLT20140125团结镇友谊小区(太和村安置小区)FTTH-余碧金\(分光器信息)团结镇�.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-132-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

Filesize
64KB

Download
memory/1656-134-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

Filesize
64KB

Download
memory/1656-133-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

Filesize
64KB

Download
memory/1656-135-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

Filesize
64KB

Download
memory/1656-136-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

Filesize
64KB

Download
memory/1656-137-0x00007FFBEDA70000-0x00007FFBEDA80000-memory.dmp

Filesize
64KB

Download
memory/1656-138-0x00007FFBEDA70000-0x00007FFBEDA80000-memory.dmp

Filesize
64KB

Download
memory/1656-140-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

Filesize
64KB

Download
memory/1656-141-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

Filesize
64KB

Download
memory/1656-142-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

Filesize
64KB

Download
memory/1656-143-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads