8be101509461d8954f93b6898c1fe407f6a95c78de3b64392e5b785ce55df5b0

Analysis

max time kernel
104s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2023 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation.xls
Size

1.1MB
MD5

919c0f851b252a6c834b5ba9470e6c0d
SHA1

df40f89bbc105c96aa93ce2465a3ed06cb7e065a
SHA256

8be101509461d8954f93b6898c1fe407f6a95c78de3b64392e5b785ce55df5b0
SHA512

ca41ce37d8d30a6549847df759dc810ea11d9b598a776bac28660c811fc479f7a6563004a851c1d786755ed0d94995e2086dd0d924f71d853c0d7c623f2cef9f
SSDEEP

24576:iFetUMdicm7bVFee59y5hm10LPHjAqbnpQ2IHYQRrGrdXXXXXXXXXXXXoXXXXXXf:ifRbHdybLbfnevHYQRz

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2044 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2044	EXCEL.EXE
2044	EXCEL.EXE
2044	EXCEL.EXE
2044	EXCEL.EXE
2044	EXCEL.EXE
2044	EXCEL.EXE
2044	EXCEL.EXE
2044	EXCEL.EXE
2044	EXCEL.EXE
2044	EXCEL.EXE
2044	EXCEL.EXE
2044	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Quotation.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\379DEB16.emf
Filesize
34KB

MD5
50a2efdd301de2a272aa76cb7bfc5897

SHA1
c9f15e852fe55ac37edd08f8a61ff8840547804b

SHA256
ff73bd40a12e850336a53094fdded649f1e5705380c1399216e5f4489e2551be

SHA512
f0547c3f24fa8ec07b70ca5046c05f9a24b76488dcd3d488c874c3d1d8c2c81f4c4a3899a57469e887592240c97471a17da2dab5c7bc3bc981c4454d46282c7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9DB51F29.emf
Filesize
3.2MB

MD5
d3645ec022b22cd69b407ae76e888112

SHA1
30b648bf67e44f5292622406597501f2b98a9787

SHA256
8220af7744ab84a78ddf9233e5281904a42dbd8b3f1c8098123825f1871605f7

SHA512
ca300c21cd20b05da0a6a249b34f29f6c450c300f851f000f5e16dbd02c5588a4e752a6f833ef4363e5496c6812574bbc5bbe89627f551f569593d30547e5ddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B4B07285.emf
Filesize
485KB

MD5
6fcc23c008fdc19bdda8e01d26e94149

SHA1
5419409ce4ab079def31ca74619d84062b1060ef

SHA256
5d6021f20aab9393e26f84d16e25de574b934d1cad569debb86847a33c529e8b

SHA512
2d6114392f437ce91774deb6b4760105672f1628273ea45e41f4af7454748ae8212db3047f27a15fc3ad4add15586a5d47a15519fb2200fe4ee7e4d5f87c3c9a

Download Submit
memory/2044-136-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/2044-137-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/2044-138-0x00007FFAE71F0000-0x00007FFAE7200000-memory.dmp

Filesize
64KB

Download
memory/2044-139-0x00007FFAE71F0000-0x00007FFAE7200000-memory.dmp

Filesize
64KB

Download
memory/2044-133-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/2044-135-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/2044-134-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/2044-189-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/2044-190-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/2044-191-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/2044-192-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download