Analysis
- max time kernel: 198s
- max time network: 210s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 21:47
Static task: static1
Behavioral task: behavioral1
- Sample: 051780f02c9584cbaf53c96977d1e7055a2e9e4d9281e50189b869ae87348d7c.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 051780f02c9584cbaf53c96977d1e7055a2e9e4d9281e50189b869ae87348d7c.exe
- Resource: win10v2004-20221111-en
General
- Target: 051780f02c9584cbaf53c96977d1e7055a2e9e4d9281e50189b869ae87348d7c.exe
- Size: 674KB
- MD5: 320053c311af600448ab3c5ae332fc88
- SHA1: 4a0e444937006948abc14f336eada255e03354ea
- SHA256: 051780f02c9584cbaf53c96977d1e7055a2e9e4d9281e50189b869ae87348d7c
- SHA512: 8afcf1707f702fb7ff0cb1d73d556a4a1bfe17b3c068ee0290ba3e760e7d3a2d50cfedee76f23bdf624c080bce8e9765f1095156ef1a442cb2afa600a728197c
- SSDEEP: 12288:rkMIese06snjBQ+H7Ab/rGIkQos6qcJWe8RI6srnycVP/bM:kTnjB1HQ/rGIkQJLcJiRIl7y6P/bM
Malware Config
Signatures
- Office macro that triggers on suspicious action (1 IoC)
  Office document macro which triggers in special circumstances - often malicious.
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\BECC.tmp
    yara_rule: office_macro_on_action
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
    PID 564: EXCEL.EXE
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: 051780f02c9584cbaf53c96977d1e7055a2e9e4d9281e50189b869ae87348d7c.exe, EXCEL.EXE
    PID 1312: 051780f02c9584cbaf53c96977d1e7055a2e9e4d9281e50189b869ae87348d7c.exe
    PID 564: EXCEL.EXE (reported 6 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\051780f02c9584cbaf53c96977d1e7055a2e9e4d9281e50189b869ae87348d7c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\051780f02c9584cbaf53c96977d1e7055a2e9e4d9281e50189b869ae87348d7c.exe"
  PID: 1312
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 564
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\BECC.tmp
  Filesize: 642KB
  MD5: 8f52d03c18dbdda80fa2724f02a2cc3f
  SHA1: efc6551d79dd6e1cfc4a5eb7ac84318a1a26e3cf
  SHA256: 345ebf763b1b5ab84f3b856b13bebc0c68562526a7faf834ee5eabd6cf138386
  SHA512: 586b1ff030acf6b5b6d881c0b5007da92a4a48955e30b9fb4bb7e7e0156cf4128cfeec3be2746bcc9b74cb5532c478a361d17c33482e2307ff904becbdb2665a
- memory/564-134-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp
  Filesize: 64KB
- memory/564-135-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp
  Filesize: 64KB
- memory/564-136-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp
  Filesize: 64KB
- memory/564-137-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp
  Filesize: 64KB
- memory/564-138-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp
  Filesize: 64KB
- memory/564-139-0x00007FF7F7930000-0x00007FF7F7940000-memory.dmp
  Filesize: 64KB
- memory/564-140-0x00007FF7F7930000-0x00007FF7F7940000-memory.dmp
  Filesize: 64KB
- memory/564-142-0x0000028BB71C0000-0x0000028BB71C4000-memory.dmp
  Filesize: 16KB