8d2d914d6df682b4466da6dbcc41a0b1eac9f1111ade631d1c442de5732c6e3b

General

Target

8d2d914d6df682b4466da6dbcc41a0b1eac9f1111ade631d1c442de5732c6e3b.xls
Size

26KB
MD5

789f8601cf6d6637248a31a15264ca0b
SHA1

56de3b4f21a907dd4ad3488d446cedf4336091a2
SHA256

8d2d914d6df682b4466da6dbcc41a0b1eac9f1111ade631d1c442de5732c6e3b
SHA512

06bfc92b6a2dcf406c4047bd6cd9ad6424053d416f67e15dc1a6b08ec5c77ff3444962991fe1633bec5f52e6decb5fe516658de59cefdbb0e664d03c810a4266
SSDEEP

384:KmmmCr0et5b41qjpaKFHDoKUOIp8/XulVSYWM9O:KmmmCr0ejb41qjcMsKhIp6ulVSYv9O

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

5064 EXCEL.EXE
3108 WINWORD.EXE

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

EXCEL.EXEEXCEL.EXEWINWORD.EXE

pid	process
5064	EXCEL.EXE
5064	EXCEL.EXE
5064	EXCEL.EXE
5064	EXCEL.EXE
5064	EXCEL.EXE
5064	EXCEL.EXE
5064	EXCEL.EXE
5064	EXCEL.EXE
5064	EXCEL.EXE
5064	EXCEL.EXE
5064	EXCEL.EXE
5064	EXCEL.EXE
3372	EXCEL.EXE
3372	EXCEL.EXE
3372	EXCEL.EXE
3372	EXCEL.EXE
3372	EXCEL.EXE
3108	WINWORD.EXE
3108	WINWORD.EXE
3108	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8d2d914d6df682b4466da6dbcc41a0b1eac9f1111ade631d1c442de5732c6e3b.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3372

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
9f238721e0dfd68d1fd20c56c25bcdac

SHA1
9ef4ee704db25d9688bd479cbfb0b0c4dae94c87

SHA256
d56a5dc2d1392484b9743fee8570b8414f1bfede7f0614141a86448c465b58c1

SHA512
13dfbf83e7f8a5a18867af9de512943ddebf8a3c1c6d24521e23b4558b16c1a7cdfa2004ebbd4393bae4908c4d1e2a5579e1fe7a56547b5f13b0b171a9775c8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
446B

MD5
0e049b07a680441092cc316e53dbcfc2

SHA1
46e0ecf2a4d97ae1715ee3e5b8a70ad143817aa6

SHA256
57c42983f23b58097aec4f1033e87522e83e86b724fde753c33aae99f322957a

SHA512
97516e9773bf2fcb4a5e4f56fc7d4e3374ce7c9dae2f343ae6d54950b3ec92cb40adcf9e9d535fdd315c2cdba1794dfc33e57a85d5dd6754e34e0b4cef1bcfba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6ED5894B-B777-4886-8CB5-EA5610EE010A
Filesize
147KB

MD5
6470ecef244a091ebbf997b42aec5413

SHA1
38a13ab74eab2a2a8c08cb2a7ee025706d86cd8f

SHA256
c2807d8355817dab0a94fb8815306d00a16a6bd9998aefc6fd10d13d2915f371

SHA512
57384ae27618d429553a166236c06f3146fbfa3e2d28d638c82dd240a6ab287e468554cb65983f7b152bcb5da61ab0a7c67b6fce633c172ae6b94be334af972f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
324KB

MD5
09054487e8c69240c9416b375b2916a9

SHA1
f00ff01ae8c39170c57f9b27cedea8ef75f455b3

SHA256
2d895d38c2f9874b296b8d5d8eef1e3738230d416f4b10517099027c0fe9b876

SHA512
971c817f16331dbf06bd908ae5440ee5bc55ddab549cee258b792170c1f2144d4cfcbd14cee31e3e2f9606d0e3e48f226564131023fc035ed67d4e1b171b97f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
Filesize
4KB

MD5
f138a66469c10d5761c6cbb36f2163c3

SHA1
eea136206474280549586923b7a4a3c6d5db1e25

SHA256
c712d6c7a60f170a0c6c5ec768d962c58b1f59a2d417e98c7c528a037c427ab6

SHA512
9d25f943b6137dd2981ee75d57baf3a9e0ee27eea2df19591d580f02ec8520d837b8e419a8b1eb7197614a3c6d8793c56ebc848c38295ada23c31273daa302d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
Filesize
48KB

MD5
18c8ea54aee31de300ce5b0bcfc035f8

SHA1
31effa4cb7f35b1192b43eabf355a11e0f9787f3

SHA256
cc197e1f298b6cce535aaad4dad0e2d60165f7aed9f338b9656d3cfb11716133

SHA512
f557028d4b3e58928d08acedd389e38f0f54840ee080910b6ec1e1ade03ca474fea0c8b16faec53f68be00fa21fbf2daffeabe4c60894122fbe212d2684da946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
Filesize
48KB

MD5
18c8ea54aee31de300ce5b0bcfc035f8

SHA1
31effa4cb7f35b1192b43eabf355a11e0f9787f3

SHA256
cc197e1f298b6cce535aaad4dad0e2d60165f7aed9f338b9656d3cfb11716133

SHA512
f557028d4b3e58928d08acedd389e38f0f54840ee080910b6ec1e1ade03ca474fea0c8b16faec53f68be00fa21fbf2daffeabe4c60894122fbe212d2684da946

Download Submit
memory/3108-165-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download
memory/3108-167-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download
memory/3108-166-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download
memory/3108-169-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download
memory/3372-164-0x00007FFA93F80000-0x00007FFA93F90000-memory.dmp

Filesize
64KB

Download
memory/5064-138-0x00007FFA93F80000-0x00007FFA93F90000-memory.dmp

Filesize
64KB

Download
memory/5064-137-0x00007FFA93F80000-0x00007FFA93F90000-memory.dmp

Filesize
64KB

Download
memory/5064-136-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download
memory/5064-135-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download
memory/5064-134-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download
memory/5064-132-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download
memory/5064-133-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads