Behavioral Report

Resubmissions

01-02-2023 17:02

230201-vj6p3aah39 10

01-02-2023 17:00

230201-vjf5eacg4s 10

01-02-2023 16:57

230201-vgbrxacg2y 10

Analysis

max time kernel
303s
max time network
415s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01-02-2023 17:02

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

PO-8372929.xls
Size

461KB
MD5

e08cf4b188d5f8bf190189983b262ea7
SHA1

f84bb8baa69ca833c271697dded917bdf710c4ba
SHA256

a9c45f9d9af92c5a6c64c679414488d0d60916b501768379f8ca5e15d8955bab
SHA512

d7f7fb63b80a26cd8f02a38bb5ad757441013a81ad190072abdc896a9d800f4079ec28f6653acb78b17c494e6425ef35d2d297e5083a06182b91bd49e3bbdb07
SSDEEP

6144:2PXZ+RwPONXoRjDhIcp0fDlavx+W26nA1V0Y5ObF0I5eMFRI5elF0I5exF0I5eC:W6GYmWIvjIcWImWI

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

TTPs:

Query Registry System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2628 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2628	EXCEL.EXE
2628	EXCEL.EXE
2628	EXCEL.EXE
2628	EXCEL.EXE
2628	EXCEL.EXE
2628	EXCEL.EXE
2628	EXCEL.EXE
2628	EXCEL.EXE
2628	EXCEL.EXE
2628	EXCEL.EXE
2628	EXCEL.EXE
2628	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-8372929.xls"

Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

PID:2628

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

memory/2628-120-0x00007FFAE0AA0000-0x00007FFAE0AB0000-memory.dmp

Filesize
64KB

Download
memory/2628-121-0x00007FFAE0AA0000-0x00007FFAE0AB0000-memory.dmp

Filesize
64KB

Download
memory/2628-122-0x00007FFAE0AA0000-0x00007FFAE0AB0000-memory.dmp

Filesize
64KB

Download
memory/2628-123-0x00007FFAE0AA0000-0x00007FFAE0AB0000-memory.dmp

Filesize
64KB

Download
memory/2628-132-0x00007FFADDC10000-0x00007FFADDC20000-memory.dmp

Filesize
64KB

Download
memory/2628-133-0x00007FFADDC10000-0x00007FFADDC20000-memory.dmp

Filesize
64KB

Download
memory/2628-296-0x00007FFAE0AA0000-0x00007FFAE0AB0000-memory.dmp

Filesize
64KB

Download
memory/2628-297-0x00007FFAE0AA0000-0x00007FFAE0AB0000-memory.dmp

Filesize
64KB

Download
memory/2628-298-0x00007FFAE0AA0000-0x00007FFAE0AB0000-memory.dmp

Filesize
64KB

Download
memory/2628-299-0x00007FFAE0AA0000-0x00007FFAE0AB0000-memory.dmp

Filesize
64KB

Download