b9f83a0c5a486a759aa9879ad335a86a4f4e612f9fb61486e410a2e9999b4af3

General

Target

4ӦƸԱҵɹһ.xls
Size

56KB
MD5

5f5da55da2ad44b69a12e6279c9393de
SHA1

fa02688bafbd2a73de8951660f8f8c66e17462bc
SHA256

d90abe1e6539bf0479edd8f8c3f073dc6f3f39d5edceb43447f5abfce74b446d
SHA512

cd41a2882527aab2e69367ef15fad05088004f91226a556724a31068baa15b308c0daa110d7665fff712034f594ae0922daad79a51f648f0fc98be8345848e35
SSDEEP

1536:EUUUUYNsARl9gB2OwHyWMUNm0IZ95mKhlI7N7fa:khMBa

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

5072 EXCEL.EXE
1216 WINWORD.EXE

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

EXCEL.EXEEXCEL.EXEWINWORD.EXE

pid	process
5072	EXCEL.EXE
5072	EXCEL.EXE
5072	EXCEL.EXE
5072	EXCEL.EXE
5072	EXCEL.EXE
5072	EXCEL.EXE
5072	EXCEL.EXE
5072	EXCEL.EXE
5072	EXCEL.EXE
5072	EXCEL.EXE
5072	EXCEL.EXE
5072	EXCEL.EXE
4032	EXCEL.EXE
4032	EXCEL.EXE
4032	EXCEL.EXE
4032	EXCEL.EXE
4032	EXCEL.EXE
1216	WINWORD.EXE
1216	WINWORD.EXE
1216	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4ӦƸԱҵɹһ.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5072

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A7891822FCFF127E4EADADE9757112B
Filesize
926B

MD5
4cba44f3f001d431f7e49270bd0f6db4

SHA1
dc75ec40f389866eacf0140c44f53f3947e72541

SHA256
0dfd9c9d1c4f7dea9adfe3ef6070c02d50cbf5f33f304ecc98a0ab89a346d7fe

SHA512
2c227ff133ef2838a246161a2e53ee657d0af9512b71cdf7d27627faecfde23ea2a499e3a9f0350775f4f8eb5cdcda96a85020bfb818f48d78c6e5f2b73d7ec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A7891822FCFF127E4EADADE9757112B
Filesize
246B

MD5
c68d1cddc4a7962911d559631f32e2c9

SHA1
8eaf6978a86f691514c04e53a78a60174fbbf1c9

SHA256
fae61353586ad9ed96ad6b8f5dde4dec652c31ade2616976d05456b9c2fa6209

SHA512
c3287262fe65c6ff624c5fe8a1b860f4e463d018c3217956c6730a0500907a9a952b02fdf16e7489e17f723f8eff3aa81c57e2cca6fcdbcb125502cfe1ead627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C30A51E9-EE47-4F42-9724-87FC195ED1CA
Filesize
147KB

MD5
dc9e492e8f205e9c7cbc4597495e59bf

SHA1
d570c98f04555df42f184ef91b1b5bdc652ad911

SHA256
979f4f605ca2742164ccbe36cd9d983897912f3d67208099b1177dd8a4b2fc57

SHA512
94d89a69646aa75f4bcdabd1af831d1b0878ae1f3ef44bb049200f2d6dde9f7a92a2dd8004b6789244df1d38e98028f5b55b4f34d36a89fb9060aec6f2bd0b73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
323KB

MD5
c50827550db244f94f21d5378774f3fd

SHA1
7d135af0dc739123f5651bd4c8c97735a3847f68

SHA256
21c60156d20d33751174f284e14ddf4c90c5df71d02ed432ae8e717e6ee44594

SHA512
d48f5eec85027a3cfa12d20e4f989ec09b7edf37283ba9214852bfe38ae8587247e1a872e4a59f54e9528609080b28b21eb8ae05c4f1d7cafbeeb9ec5258c044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
Filesize
4KB

MD5
f138a66469c10d5761c6cbb36f2163c3

SHA1
eea136206474280549586923b7a4a3c6d5db1e25

SHA256
c712d6c7a60f170a0c6c5ec768d962c58b1f59a2d417e98c7c528a037c427ab6

SHA512
9d25f943b6137dd2981ee75d57baf3a9e0ee27eea2df19591d580f02ec8520d837b8e419a8b1eb7197614a3c6d8793c56ebc848c38295ada23c31273daa302d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
Filesize
48KB

MD5
21d3eb74b14169a9ab3cfefdec16c0ac

SHA1
3cba631b8983ded97e0b5be60474ec4a25d14d72

SHA256
7cd74c78aa179d82704a216c8cbea9b58d4f2210f8afe7ecfe5bf747573009ac

SHA512
3936cdaf8ecfd9a4da41a842453b4186a069b2ca45278c93d8cec3a83c7e60571cf733a771b6c9d3dfcc6c943cf8eaee515ad48b50b102570e321cf93230021d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
Filesize
48KB

MD5
21d3eb74b14169a9ab3cfefdec16c0ac

SHA1
3cba631b8983ded97e0b5be60474ec4a25d14d72

SHA256
7cd74c78aa179d82704a216c8cbea9b58d4f2210f8afe7ecfe5bf747573009ac

SHA512
3936cdaf8ecfd9a4da41a842453b4186a069b2ca45278c93d8cec3a83c7e60571cf733a771b6c9d3dfcc6c943cf8eaee515ad48b50b102570e321cf93230021d

Download Submit
memory/1216-158-0x00007FFDBBF80000-0x00007FFDBBF90000-memory.dmp

Filesize
64KB

Download
memory/1216-166-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/1216-163-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/1216-165-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/1216-156-0x00007FFDBBF80000-0x00007FFDBBF90000-memory.dmp

Filesize
64KB

Download
memory/1216-162-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/4032-145-0x00007FFDBBF80000-0x00007FFDBBF90000-memory.dmp

Filesize
64KB

Download
memory/4032-146-0x00007FFDBBF80000-0x00007FFDBBF90000-memory.dmp

Filesize
64KB

Download
memory/5072-137-0x00007FFDBBF80000-0x00007FFDBBF90000-memory.dmp

Filesize
64KB

Download
memory/5072-134-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/5072-133-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/5072-135-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/5072-136-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/5072-132-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/5072-144-0x000002635EFF6000-0x000002635EFF8000-memory.dmp

Filesize
8KB

Download
memory/5072-138-0x00007FFDBBF80000-0x00007FFDBBF90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads