d567d6b6121065f2f4651f98e32dcd4228128c208cd66329b1906e0ae35b1c45

Analysis

max time kernel
171s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d567d6b6121065f2f4651f98e32dcd4228128c208cd66329b1906e0ae35b1c45.xls
Size

28KB
MD5

c26e811b04f27f1e71719a365256cf59
SHA1

94822660570f5e27d92c81a6660b5bac4f52033e
SHA256

d567d6b6121065f2f4651f98e32dcd4228128c208cd66329b1906e0ae35b1c45
SHA512

66fcbf9cd0f788a17af53895f4a6d1229158bca1882e3705ea89205b3e1da70c5156e23072dd0b81260c811dac8566f953b5462dacc3458ebd03c225e87ba442
SSDEEP

768:N2v38TehYTdeHVhjqabWHLtyeGxZNbUTISSxRZKOzXE9:NS38TehYTdeHVhjqabWHLtyeGxZZUTIi

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3096 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

3096 EXCEL.EXE
3096 EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE
3096	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d567d6b6121065f2f4651f98e32dcd4228128c208cd66329b1906e0ae35b1c45.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3096-132-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp

Filesize
64KB

Download
memory/3096-133-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp

Filesize
64KB

Download
memory/3096-134-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp

Filesize
64KB

Download
memory/3096-135-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp

Filesize
64KB

Download
memory/3096-136-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp

Filesize
64KB

Download
memory/3096-137-0x00007FFC34210000-0x00007FFC34220000-memory.dmp

Filesize
64KB

Download
memory/3096-138-0x00007FFC34210000-0x00007FFC34220000-memory.dmp

Filesize
64KB

Download