Analysis
  max time kernel: 152s
  max time network: 157s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02-12-2022 22:24
Static task: static1

Behavioral task: behavioral1
  Sample: 322cd3af7fc3586a4711ac5ac36e8b988f56c8abb4fe183b810bfcf80a0a6a58.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 322cd3af7fc3586a4711ac5ac36e8b988f56c8abb4fe183b810bfcf80a0a6a58.exe
  Resource: win10v2004-20220812-en
General
  Target: 322cd3af7fc3586a4711ac5ac36e8b988f56c8abb4fe183b810bfcf80a0a6a58.exe
  Size: 674KB
  MD5: 372f433a1c78ee0060fb3a0718ecb4bc
  SHA1: ba63c36fc195e5fc91688f963f01e842853516fe
  SHA256: 322cd3af7fc3586a4711ac5ac36e8b988f56c8abb4fe183b810bfcf80a0a6a58
  SHA512: ecd13d97edf6a5cd239620648d1ca5528ffcc14565a698594b0ef179326f8658fa4204be8ef5c5451a3f4ce56380a7cca591c14649c0b18ac18b607bb76b87e8
  SSDEEP: 12288:rkMIese06snjBQ+H7Ab/rGIkQos6qcJWe8RI6srnycVP/9M:kTnjB1HQ/rGIkQJLcJiRIl7y6P/9M
Malware Config
Signatures

- Office macro that triggers on suspicious action (1 IoC)
  Office document macro which triggers in special circumstances - often malicious.
  resource                                          yara_rule
  C:\Users\Admin\AppData\Local\Temp\8FA2.tmp        office_macro_on_action

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description         ioc                                                                                 process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   EXCEL.EXE
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  EXCEL.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description         ioc                                                         process
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS            EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU      EXCEL.EXE

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid     process
  1360    EXCEL.EXE

- Suspicious use of SetWindowsHookEx (11 IoCs)
  Processes: 322cd3af7fc3586a4711ac5ac36e8b988f56c8abb4fe183b810bfcf80a0a6a58.exe, EXCEL.EXE
  pid     process
  2232    322cd3af7fc3586a4711ac5ac36e8b988f56c8abb4fe183b810bfcf80a0a6a58.exe
  1360    EXCEL.EXE (10 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\322cd3af7fc3586a4711ac5ac36e8b988f56c8abb4fe183b810bfcf80a0a6a58.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\322cd3af7fc3586a4711ac5ac36e8b988f56c8abb4fe183b810bfcf80a0a6a58.exe"
  - Suspicious use of SetWindowsHookEx

- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\8FA2.tmp
  Filesize: 642KB
  MD5: b3290fa196728bb1dea18d009fa47c39
  SHA1: 4cd46f8e0492383d6f9f2ae586f8eaed16f6e015
  SHA256: 4fe9a2db3a9ddd56d57e0e9b99f21f3dd5d53a9901393e72c01c5939d169738b
  SHA512: 342522622d1f74f07150e3f6bf6c86b8a351c3c5b5e011f298e0e050537ae5209804c7b04e812d57b7516298b908c0089c1228970a1bdad07100df7bbfe99b9e

- memory/1360-134-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp
  Filesize: 64KB

- memory/1360-135-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp
  Filesize: 64KB

- memory/1360-136-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp
  Filesize: 64KB

- memory/1360-137-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp
  Filesize: 64KB

- memory/1360-138-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp
  Filesize: 64KB

- memory/1360-139-0x00007FFD188D0000-0x00007FFD188E0000-memory.dmp
  Filesize: 64KB

- memory/1360-140-0x00007FFD188D0000-0x00007FFD188E0000-memory.dmp
  Filesize: 64KB

- memory/1360-142-0x0000023410040000-0x0000023410044000-memory.dmp
  Filesize: 16KB