Analysis
max time kernel: 171s
max time network: 204s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 25-11-2022 18:22
Behavioral task: behavioral1
Sample: d567d6b6121065f2f4651f98e32dcd4228128c208cd66329b1906e0ae35b1c45.xls
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: d567d6b6121065f2f4651f98e32dcd4228128c208cd66329b1906e0ae35b1c45.xls
Resource: win10v2004-20221111-en
General
Target: d567d6b6121065f2f4651f98e32dcd4228128c208cd66329b1906e0ae35b1c45.xls
Size: 28KB
MD5: c26e811b04f27f1e71719a365256cf59
SHA1: 94822660570f5e27d92c81a6660b5bac4f52033e
SHA256: d567d6b6121065f2f4651f98e32dcd4228128c208cd66329b1906e0ae35b1c45
SHA512: 66fcbf9cd0f788a17af53895f4a6d1229158bca1882e3705ea89205b3e1da70c5156e23072dd0b81260c811dac8566f953b5462dacc3458ebd03c225e87ba442
SSDEEP: 768:N2v38TehYTdeHVhjqabWHLtyeGxZNbUTISSxRZKOzXE9:NS38TehYTdeHVhjqabWHLtyeGxZZUTIi
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. The same keys are also read by a great deal of legitimate software, so on its own this signature is a weak indicator; it only carries weight together with other behaviour recorded in the run.
Processes:
EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXE
pid | process
3096 | EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EXCEL.EXE
pid | process
3096 | EXCEL.EXE (2 calls)
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
EXCEL.EXE
pid | process
3096 | EXCEL.EXE (14 calls)
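The two registry signatures above are the only behavioural findings in this run, and both are hardware-fingerprinting reads that plenty of benign software also makes. The following is an added triage helper written for this page; it is not part of the report and not code from the sandbox vendor. It takes registry IoC rows in the flattened "description ioc process" form the report prints, normalises the NT hive prefix and letter case (the report mixes "Hardware" and "HARDWARE" for the same key), groups the reads by the fingerprinting locations the signatures refer to, and combines them with whatever else the run recorded (child processes, network events) before giving a verdict. The six sample rows are copied in shape from the two signatures; the seventh HKU row, the `FINGERPRINT_KEYS` table and the "weak evidence" rule are the editor's assumptions, not anything the report states.

```python
import re
from collections import defaultdict

# NT object-manager prefixes as the sandbox prints them, mapped to hive names.
_HIVES = {
    "\\REGISTRY\\MACHINE": "HKLM",
    "\\REGISTRY\\USER": "HKU",
}

# Hardware-description keys commonly read to fingerprint the host. These two
# are the keys the report shows EXCEL.EXE opening (assumption: extend as needed).
FINGERPRINT_KEYS = {
    "HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\0": "processor",
    "HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS": "bios",
}

# One IoC row in the report's flattened form: <description> <ioc> <process>
_ROW = re.compile(r"^(Key opened|Key value queried)\s+(\S+)\s+(\S+)$")

# Constructed sample: the six rows from the report's two registry signatures,
# plus one made-up, unrelated HKU row to show that it is ignored.
SAMPLE_ROWS = [
    "Key opened \\REGISTRY\\MACHINE\\Hardware\\Description\\System\\CentralProcessor\\0 EXCEL.EXE",
    "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz EXCEL.EXE",
    "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString EXCEL.EXE",
    "Key opened \\REGISTRY\\MACHINE\\Hardware\\Description\\System\\BIOS EXCEL.EXE",
    "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemFamily EXCEL.EXE",
    "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemSKU EXCEL.EXE",
    "Key opened \\REGISTRY\\USER\\S-1-5-21-1\\Software\\Microsoft\\Office EXCEL.EXE",  # constructed, unrelated
]


def normalise(path):
    """Upper-case a registry path and map its NT prefix to a hive name.

    Registry paths are case-insensitive, so comparing in one case lets the
    'Hardware' and 'HARDWARE' spellings in the report collapse to one key.
    """
    upper = path.upper()
    for nt, hive in _HIVES.items():
        if upper.startswith(nt):
            return hive + upper[len(nt):]
    return upper


def parse_row(line):
    """Return (description, canonical path, process) or None for non-IoC lines."""
    m = _ROW.match(line.strip())
    if not m:
        return None
    desc, ioc, proc = m.groups()
    return desc, normalise(ioc), proc


def fingerprint_hits(lines):
    """Group fingerprinting reads per process: {proc: {category: [values]}}.

    Opening the key itself is recorded as the empty value name; a queried
    value is recorded by its (upper-cased) name, e.g. '~MHZ' or 'SYSTEMSKU'.
    """
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        _desc, path, proc = row
        for key, category in FINGERPRINT_KEYS.items():
            if path == key:
                hits[proc][category].add("")
            elif path.startswith(key + "\\"):
                hits[proc][category].add(path[len(key) + 1:])
    return {p: {c: sorted(v) for c, v in cats.items()} for p, cats in hits.items()}


def triage(lines, child_processes=(), network_events=()):
    """Combine the registry hits with the rest of the run into a short verdict.

    Editor's heuristic (an assumption, not a vendor rule): a process that reads
    both the CPU and BIOS descriptions shows the fingerprinting pattern, but
    without any follow-on activity that is weak evidence by itself.
    """
    hits = fingerprint_hits(lines)
    fingerprinting = sorted(p for p, cats in hits.items()
                            if {"processor", "bios"} <= set(cats))
    if not fingerprinting:
        return {"hits": hits, "verdict": "no hardware fingerprinting pattern"}
    if not child_processes and not network_events:
        verdict = ("hardware fingerprinting reads only; no child process or "
                   "network activity in this run, so weak evidence on its own")
    else:
        verdict = "hardware fingerprinting followed by further activity; inspect"
    return {"hits": hits, "fingerprinting": fingerprinting, "verdict": verdict}


if __name__ == "__main__":
    # This run recorded a single EXCEL.EXE process and nothing under Network,
    # so no child processes or network events are passed in.
    result = triage(SAMPLE_ROWS)
    for proc, cats in result["hits"].items():
        for category, values in cats.items():
            print(f"{proc}: {category} -> {values}")
    print(result["verdict"])
```

Run against the rows from this report, the helper attributes both categories to pid 3096's EXCEL.EXE and, because the report lists no child process and nothing under Network, returns the "weak evidence on its own" verdict. Feed it the process tree and network events of a run where the workbook does spawn something and the verdict flips to "inspect".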
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d567d6b6121065f2f4651f98e32dcd4228128c208cd66329b1906e0ae35b1c45.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3096-132-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp | Filesize 64KB
memory/3096-133-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp | Filesize 64KB
memory/3096-134-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp | Filesize 64KB
memory/3096-135-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp | Filesize 64KB
memory/3096-136-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp | Filesize 64KB
memory/3096-137-0x00007FFC34210000-0x00007FFC34220000-memory.dmp | Filesize 64KB
memory/3096-138-0x00007FFC34210000-0x00007FFC34220000-memory.dmp | Filesize 64KB