d90abe1e6539bf0479edd8f8c3f073dc6f3f39d5edceb43447f5abfce74b446d

General

Target

d90abe1e6539bf0479edd8f8c3f073dc6f3f39d5edceb43447f5abfce74b446d.xls
Size

56KB
MD5

5f5da55da2ad44b69a12e6279c9393de
SHA1

fa02688bafbd2a73de8951660f8f8c66e17462bc
SHA256

d90abe1e6539bf0479edd8f8c3f073dc6f3f39d5edceb43447f5abfce74b446d
SHA512

cd41a2882527aab2e69367ef15fad05088004f91226a556724a31068baa15b308c0daa110d7665fff712034f594ae0922daad79a51f648f0fc98be8345848e35
SSDEEP

1536:EUUUUYNsARl9gB2OwHyWMUNm0IZ95mKhlI7N7fa:khMBa

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4560 EXCEL.EXE
3860 WINWORD.EXE

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

EXCEL.EXEEXCEL.EXEWINWORD.EXE

pid	process
4560	EXCEL.EXE
4560	EXCEL.EXE
4560	EXCEL.EXE
4560	EXCEL.EXE
4560	EXCEL.EXE
4560	EXCEL.EXE
4560	EXCEL.EXE
4560	EXCEL.EXE
4560	EXCEL.EXE
4560	EXCEL.EXE
4560	EXCEL.EXE
4560	EXCEL.EXE
4672	EXCEL.EXE
4672	EXCEL.EXE
4672	EXCEL.EXE
4672	EXCEL.EXE
4672	EXCEL.EXE
3860	WINWORD.EXE
3860	WINWORD.EXE
3860	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d90abe1e6539bf0479edd8f8c3f073dc6f3f39d5edceb43447f5abfce74b446d.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4672

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
e49d3b6d31969649658a797adcbdb79e

SHA1
af5021b523c38ad0285023671e53f433ad606c2e

SHA256
23091154c783ca5022389f11e951b6e04dc9d2d2746a7f696e25137fcd8766d1

SHA512
fe88191580d85400a7bc919e9480e24b64542729a5070c978a96df45ba8ca00dee630ca13d67eb95a51ae71808e9e7be30ba1851fb59c972b471f288715b665c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
446B

MD5
5afb296b7631964810e2faf058329ef2

SHA1
338bd9c6c118b937bb51b8dd83286d4caaab584c

SHA256
0236338239e678dabf4684c2f3f053168e5ec29948c6ea4047c4c19ed30c965a

SHA512
966fadee364a86d13352fce1c71c7a66d50e6716bf429a82685aaf40636350bc4732b7d97829d795010c9d77de0c5e6f1feb50955f74d15288403382311a9c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2BBC297E-E2D4-4BD3-A370-EF05BD328602
Filesize
147KB

MD5
dd325bc3ae5ad1c8ef5e16bfd67ad471

SHA1
5f90e173dd83c1045a4ccec862b00753254b4615

SHA256
b5af58e79738b36d9629f69aab2475674e93411484161b3e776da8bd6cf98bc3

SHA512
a393817921cd2cc4004fa5d0871e927cd8cf912072f5c05a91e266f32cd0868e0d5c5184358126b36b762544299a7edaabc3dbe71a2dbc6cbfcee6e64c35c1bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
323KB

MD5
c50827550db244f94f21d5378774f3fd

SHA1
7d135af0dc739123f5651bd4c8c97735a3847f68

SHA256
21c60156d20d33751174f284e14ddf4c90c5df71d02ed432ae8e717e6ee44594

SHA512
d48f5eec85027a3cfa12d20e4f989ec09b7edf37283ba9214852bfe38ae8587247e1a872e4a59f54e9528609080b28b21eb8ae05c4f1d7cafbeeb9ec5258c044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
Filesize
4KB

MD5
f138a66469c10d5761c6cbb36f2163c3

SHA1
eea136206474280549586923b7a4a3c6d5db1e25

SHA256
c712d6c7a60f170a0c6c5ec768d962c58b1f59a2d417e98c7c528a037c427ab6

SHA512
9d25f943b6137dd2981ee75d57baf3a9e0ee27eea2df19591d580f02ec8520d837b8e419a8b1eb7197614a3c6d8793c56ebc848c38295ada23c31273daa302d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
Filesize
48KB

MD5
f5460ac22a4d49c601def971b85f9927

SHA1
b509e8d85ddac05a88cd9e83aba96aa06971ae99

SHA256
107908c0d5cb5bf35e696fc3ca781d81c8db61be880ef4cbc23641e71f632d12

SHA512
068526f5692e269e6c44eeb13bae946abc7db1a5f80f810caf4362700187bde442b7c0d1fb11990c8677c5e44df22b2b8b85ad917daacad7fe84975f3c7cd93f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
Filesize
48KB

MD5
f5460ac22a4d49c601def971b85f9927

SHA1
b509e8d85ddac05a88cd9e83aba96aa06971ae99

SHA256
107908c0d5cb5bf35e696fc3ca781d81c8db61be880ef4cbc23641e71f632d12

SHA512
068526f5692e269e6c44eeb13bae946abc7db1a5f80f810caf4362700187bde442b7c0d1fb11990c8677c5e44df22b2b8b85ad917daacad7fe84975f3c7cd93f

Download Submit
memory/3860-157-0x00007FFD5A380000-0x00007FFD5A390000-memory.dmp

Filesize
64KB

Download
memory/3860-155-0x00007FFD5A380000-0x00007FFD5A390000-memory.dmp

Filesize
64KB

Download
memory/4560-136-0x00007FFD5C5D0000-0x00007FFD5C5E0000-memory.dmp

Filesize
64KB

Download
memory/4560-132-0x00007FFD5C5D0000-0x00007FFD5C5E0000-memory.dmp

Filesize
64KB

Download
memory/4560-137-0x00007FFD5A380000-0x00007FFD5A390000-memory.dmp

Filesize
64KB

Download
memory/4560-135-0x00007FFD5C5D0000-0x00007FFD5C5E0000-memory.dmp

Filesize
64KB

Download
memory/4560-133-0x00007FFD5C5D0000-0x00007FFD5C5E0000-memory.dmp

Filesize
64KB

Download
memory/4560-134-0x00007FFD5C5D0000-0x00007FFD5C5E0000-memory.dmp

Filesize
64KB

Download
memory/4560-138-0x00007FFD5A380000-0x00007FFD5A390000-memory.dmp

Filesize
64KB

Download
memory/4672-145-0x00007FFD5A380000-0x00007FFD5A390000-memory.dmp

Filesize
64KB

Download
memory/4672-144-0x00007FFD5A380000-0x00007FFD5A390000-memory.dmp

Filesize
64KB

Download
memory/4672-162-0x00007FFD5C5D0000-0x00007FFD5C5E0000-memory.dmp

Filesize
64KB

Download
memory/4672-163-0x00007FFD5C5D0000-0x00007FFD5C5E0000-memory.dmp

Filesize
64KB

Download
memory/4672-164-0x00007FFD5C5D0000-0x00007FFD5C5E0000-memory.dmp

Filesize
64KB

Download
memory/4672-165-0x00007FFD5C5D0000-0x00007FFD5C5E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads