Analysis
-
max time kernel
98s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system -
submitted
24-02-2023 13:26
Behavioral task
behavioral1
Sample
9019.xls
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
9019.xls
Resource
win10v2004-20230220-en
General
-
Target
9019.xls
-
Size
1.1MB
-
MD5
e43ad32b14cf514db21c3f42b395bf91
-
SHA1
9a3a51fb5363dcf18279fc0cb32f55e35c438a7c
-
SHA256
d4e784b7a5cd9c8c2e8838b4b74e5cde203f069e56a4eb9f352e35148f4a30e0
-
SHA512
2d550d9167bf0f7dab3d2fdca5d08c8a5635b560a981f9aeaed3584b590fdb3ef79ddd03c7516de2c9f8dd9c00de41cc610245edee5555bc2857e9e8db0fbaeb
-
SSDEEP
24576:3Femy5hspmq1gkOFelnCEezjnk6mgTCTeyszEQrp31XAd6Fv1ib5XXXXXXXXXXXN:VOk+PQhOIOThhzEw3xM6Fu
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
-
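The two signatures above record EXCEL.EXE opening the CentralProcessor\0 and BIOS keys and querying ~MHz, ProcessorNameString, SystemFamily and SystemSKU. The Python below is an example added to this page, not code from the sample or from the sandbox vendor: it performs the same four registry reads on Windows (elsewhere it falls back to constructed sample values) and applies the kind of hypervisor fingerprint check a document-borne loader typically runs on those values. The VM_MARKERS list and the ~MHz threshold are illustrative assumptions, and the SAMPLE_* dictionaries are constructed, not taken from this report.

```python
"""Mirror the registry reads recorded for EXCEL.EXE in this report and apply
a simple VM/sandbox fingerprint check to the returned values.

Added example for this page, not code from the sample or the sandbox vendor.
The marker strings and the ~MHz threshold are illustrative assumptions.
"""
import sys

# Exact HKLM keys and value names the report shows the sample querying.
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"
QUERIES = [
    (CPU_KEY, "~MHz"),
    (CPU_KEY, "ProcessorNameString"),
    (BIOS_KEY, "SystemFamily"),
    (BIOS_KEY, "SystemSKU"),
]

# Assumed, illustrative substrings that commonly betray a hypervisor or
# analysis VM in these fields. Extend with what your own VMs expose.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "kvm", "hyper-v",
              "virtual machine", "xen", "bochs", "parallels")


def read_registry_values():
    """Read the four values from the live registry (Windows only; {} elsewhere)."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg
    out = {}
    for key, name in QUERIES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                out[name], _ = winreg.QueryValueEx(h, name)
        except OSError:
            out[name] = None  # a missing value is itself a (weak) signal
    return out


def assess(values):
    """Return the list of findings a sandbox-evasion check would act on."""
    findings = []
    for name in ("ProcessorNameString", "SystemFamily", "SystemSKU"):
        v = values.get(name)
        if v is None:
            findings.append(f"{name}: missing")
            continue
        low = str(v).lower()
        hits = [m for m in VM_MARKERS if m in low]
        if hits:
            findings.append(f"{name}: {v!r} matches {hits}")
    # Weak heuristic seen in loaders: an implausibly low clock for bare metal.
    # The 1000 MHz threshold is an assumption, not a value from the report.
    mhz = values.get("~MHz")
    if isinstance(mhz, int) and mhz < 1000:
        findings.append(f"~MHz: {mhz} is below the assumed bare-metal floor")
    return findings


def looks_like_sandbox(values):
    """True when any finding would make an evasive sample bail out."""
    return bool(assess(values))


# Constructed sample values (not from this report), one per environment.
SAMPLE_VM = {
    "~MHz": 2400,
    "ProcessorNameString": "Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz",
    "SystemFamily": "Virtual Machine",
    "SystemSKU": "None",
}
SAMPLE_BARE_METAL = {
    "~MHz": 3300,
    "ProcessorNameString": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    "SystemFamily": "ThinkPad X1 Carbon",
    "SystemSKU": "LENOVO_MT_20KH",
}

if __name__ == "__main__":
    live = read_registry_values() or SAMPLE_VM
    for line in assess(live) or ["no VM markers found"]:
        print(line)
```

Run it inside the analysis VM that produced this report to see exactly what the sample saw; a SystemFamily of "Virtual Machine" or a hypervisor name in ProcessorNameString is the sort of value a loader keys on before deciding whether to detonate, so those are the fields worth masking on a detonation host.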
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: EXCEL.EXE
pid | process
2384 | EXCEL.EXE
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: EXCEL.EXE
pid | process
2384 | EXCEL.EXE (2 occurrences)
-
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: EXCEL.EXE
pid | process
2384 | EXCEL.EXE (12 occurrences)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9019.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2384
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
485KB
MD5
ee0926f784374bc56c1bbb9bf7c58fc6
SHA1
cef843082e435d3db3f361e300b303a868c2d169
SHA256
ecd098c54f138c4ca2a75cae732d29ddeae630167548955257e2b07b6f89d229
SHA512
5c156691b95dabd95d5d92825626a27c4e88017b67a7a6048a71c0927da2d1aacc4d59b2615f1a19fac3df5edb2c470066b29cadbb8d1784e47c93a8e0bb3744
-
Filesize
3.2MB
MD5
0ac29f307274008930bdd0f9f71ad66e
SHA1
fde9130304bbfa17d9e75e4dc05180eec02bc709
SHA256
9e3b6eedccb277a72a02d303c096e651dd36573d3a486d6eed2500e0963b6735
SHA512
2f437b4f3b0d12cee5ff0ea5f5abe2c70d66d32e2b1178e5ab4195fe05f3cbb367e132bd6142212edaa76288bea8fa23fdaf594e1c9de51e62b3a4acaad2d18b
-
Filesize
34KB
MD5
5b29f34fb27ee89c9165a7d4d99d9db8
SHA1
05acca26aaed59fa633bbc1c7587806a5960e37c
SHA256
3a151e9d05f574ec3cb8d1675d9eebbdc34ff1cd9874541fdeb29cbfb7f3f119
SHA512
cb756e3893974b98c093bb1d9acb48348587b1bc125c4581c5fa6f14d59d2005a5a0f4fc02acd975821051c0c997af0bafa0ba06fecebfa8e63326054ce59bf0