e5a4eec751296e5d2cd97e1d6135ac92cb83fa25cc3f3a6b286090552c76edea

Analysis

max time kernel
166s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 07:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

QYGWLT20140125团结镇友谊小区(太和村安置小区)FTTH-余碧金/（新FTTH光路）团结��.xls
Size

24KB
MD5

7b80d5201c22d0ba22f2a539c8765e28
SHA1

848abeae4f9327d4392025acff8fb03f93ccf410
SHA256

366860a59207fa658db22e1bc1d148fc48d367eef44f882f2f0c289ac89337eb
SHA512

21745ba6cf8b714e8ec127a7483d45bc0d80a61e1f75bca62fd0a12f54c33b27f6d1b9f3e940f9a8de58698e200021195fd6b4fc672957786b41b1578c1d220a
SSDEEP

768:Cwm5mHaLw/hwHFw9oxuuu/Qc8ze1tVbsQvPkpS8jDHbWeqaDPqaadNR274mYqaOO:uuuu/Qc8ze1tVbsQvPkpS8jDHbWeqaDk

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3880	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3880	EXCEL.EXE
3880	EXCEL.EXE
3880	EXCEL.EXE
3880	EXCEL.EXE
3880	EXCEL.EXE
3880	EXCEL.EXE
3880	EXCEL.EXE
3880	EXCEL.EXE
3880	EXCEL.EXE
3880	EXCEL.EXE
3880	EXCEL.EXE
3880	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\QYGWLT20140125团结镇友谊小区(太和村安置小区)FTTH-余碧金\（新FTTH光路）团结��.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3880-132-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/3880-133-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/3880-134-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/3880-135-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/3880-136-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/3880-137-0x00007FF9DE600000-0x00007FF9DE610000-memory.dmp

Filesize
64KB

Download
memory/3880-138-0x00007FF9DE600000-0x00007FF9DE610000-memory.dmp

Filesize
64KB

Download
memory/3880-140-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/3880-141-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/3880-142-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/3880-143-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads