55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1

Reason

Machine shutdown

General

Target

55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1.exe
Size

1.6MB
MD5

334fd98ab462edc1274fecdb89fb0791
SHA1

e3496a341c96d77c0ef9bdeec333dd98e2215527
SHA256

55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1
SHA512

150ff915ace0253dded6ed6ae860bcf2f3a43295cf434ceddf61554597665a159135011694321622d40ca1df3142afb1c6bed8ed61abf244799d820068ae4961
SSDEEP

24576:pBz37bSK2rgyik2VZGiOYnSadiUm6M551SaJkqFYUe3xHj96khCkyITnoXlIEvXX:px6Rvik2VUKnzhQ4IkWXUy

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4612	EXCEL.EXE
792	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
792	EXCEL.EXE
792	EXCEL.EXE

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
4612	EXCEL.EXE
4612	EXCEL.EXE
4612	EXCEL.EXE
4612	EXCEL.EXE
4612	EXCEL.EXE
4612	EXCEL.EXE
4612	EXCEL.EXE
4612	EXCEL.EXE
4612	EXCEL.EXE
4612	EXCEL.EXE
4612	EXCEL.EXE
4612	EXCEL.EXE
4612	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
792	EXCEL.EXE
4604	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1.exe
"C:\Users\Admin\AppData\Local\Temp\55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1.exe"
1⤵
PID:4576

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\CloseConnect.xla"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4612

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ExitPush.csv"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3983855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
0180cf73e833d3bf5b2c1baa14b4a59b

SHA1
a5f83f3035bc359acca18e079b02f135a760a60e

SHA256
89f54cf41606c63f76bde5d279722e1036bac29a10341c515aae25e16811e86d

SHA512
0e09c468b582ae254847a04301f2e7a60e803afda3476568c70e49f9f00312d1b3322a52eba45d438aea9b1f9c8a35d4eaf2f72e95dc1b1def216ff35f73c71f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
416B

MD5
a325cbef9a4021f72bf4b46deffcd43c

SHA1
bb8dabe4d7e385472fed231762967a5fd92ea689

SHA256
70a5dd01b50faaf957ebd0187b04e6ca47434a48a5d1297c6060495d010077d4

SHA512
3ce33ab94246d6919f48aba2b51708e3d0a02bb76fca501fdeab3f757826ad713773f5966d0b1924b4f4c61c39e80a1d06e1893767a19a190454d812547a25f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1949B9BC-A0BF-4A5A-A05B-9B19F096AF7F

Filesize
149KB

MD5
2f1f768dfa19f54a27a04e16f9d6ec49

SHA1
b68d34d5ac29a9f319b26786cdc46b0688651b9e

SHA256
2caa3bcbaa3fa95e2488b4fd705b3ee02bcd7f8fb45d27b0df22d105956a0c00

SHA512
534c6dae5c2f090c42073a40303509f94f62462067f0c4dd6c390b6bbb3b724dde17bf0e73bdd1bc24e14265928a20495dca407c345c697e766587943c99954d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
324KB

MD5
09054487e8c69240c9416b375b2916a9

SHA1
f00ff01ae8c39170c57f9b27cedea8ef75f455b3

SHA256
2d895d38c2f9874b296b8d5d8eef1e3738230d416f4b10517099027c0fe9b876

SHA512
971c817f16331dbf06bd908ae5440ee5bc55ddab549cee258b792170c1f2144d4cfcbd14cee31e3e2f9606d0e3e48f226564131023fc035ed67d4e1b171b97f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
a6064fc9ce640751e063d9af443990da

SHA1
367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a

SHA256
5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c

SHA512
0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
312B

MD5
0b83666f89d092a8234f40ac4d7beded

SHA1
84d0c749738b63bf6345c17988cd452049ba5f95

SHA256
4b8593e13104c93376a2bc6ba918186afba0731ab36f94f2f3e6a8e3028c6d67

SHA512
09bd4ec7eca182f049ac6e8e1d7c965aecc456c667ce18346d92bc9c7e17c82de00425fd4e0f3d850413901e109d083bc959b83e6ead8471872bdfd97645f6ef

Download Submit
memory/4612-136-0x00007FF885A70000-0x00007FF885A80000-memory.dmp

Filesize
64KB

Download
memory/4612-140-0x00007FF885A70000-0x00007FF885A80000-memory.dmp

Filesize
64KB

Download
memory/4612-141-0x00007FF885A70000-0x00007FF885A80000-memory.dmp

Filesize
64KB

Download
memory/4612-142-0x00007FF885A70000-0x00007FF885A80000-memory.dmp

Filesize
64KB

Download
memory/4612-143-0x00007FF885A70000-0x00007FF885A80000-memory.dmp

Filesize
64KB

Download
memory/4612-138-0x00007FF8838B0000-0x00007FF8838C0000-memory.dmp

Filesize
64KB

Download
memory/4612-137-0x00007FF8838B0000-0x00007FF8838C0000-memory.dmp

Filesize
64KB

Download
memory/4612-132-0x00007FF885A70000-0x00007FF885A80000-memory.dmp

Filesize
64KB

Download
memory/4612-135-0x00007FF885A70000-0x00007FF885A80000-memory.dmp

Filesize
64KB

Download
memory/4612-134-0x00007FF885A70000-0x00007FF885A80000-memory.dmp

Filesize
64KB

Download
memory/4612-133-0x00007FF885A70000-0x00007FF885A80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads