6fda16b3435cfef430101a7579333b9394131084796fbd93bdafee288f84e8c1

Analysis

max time kernel
156s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Աϱϸ/370727194706289329.xls
Size

13KB
MD5

29d222a6bbb4b34c5782ab7ca0328819
SHA1

6ddd969e4f473672a9259e85e35598e400b8e51d
SHA256

571fab6aad2f116e316adffb7f59ab35b000e36dc01b6718e0d9b7584e647d6a
SHA512

1e63246c4f689e73c034d79ea14c5f9a038680630011d7ec4ccc08a0a125ab1f8df23aadadde7f04a9a251bbf605a485be7b1aeced692606e43cac6e46c825f1
SSDEEP

48:rYLZgDTRczPS3VduILPrqt1ay75Gcr74fVqHz62dhhyJTR6LU3+:UqDdcGHLqavcrbtRETRVO

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{BFF5B2FD-EB24-49F3-84AB-97468A025DA7}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{ED21D993-4461-417C-9213-8F022EE31263}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exeEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1008 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
1008	EXCEL.EXE
1008	EXCEL.EXE
1008	EXCEL.EXE
1008	EXCEL.EXE
1008	EXCEL.EXE
1008	EXCEL.EXE
1008	EXCEL.EXE
1008	EXCEL.EXE
1008	EXCEL.EXE
1008	EXCEL.EXE
1008	EXCEL.EXE
1008	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Աϱϸ\370727194706289329.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-132-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/1008-133-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/1008-134-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/1008-135-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/1008-136-0x00007FFD4B270000-0x00007FFD4B280000-memory.dmp

Filesize
64KB

Download
memory/1008-137-0x00007FFD49000000-0x00007FFD49010000-memory.dmp

Filesize
64KB

Download
memory/1008-138-0x00007FFD49000000-0x00007FFD49010000-memory.dmp

Filesize
64KB

Download