d4e784b7a5cd9c8c2e8838b4b74e5cde203f069e56a4eb9f352e35148f4a30e0

Analysis

max time kernel
98s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2023 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9019.xls
Size

1.1MB
MD5

e43ad32b14cf514db21c3f42b395bf91
SHA1

9a3a51fb5363dcf18279fc0cb32f55e35c438a7c
SHA256

d4e784b7a5cd9c8c2e8838b4b74e5cde203f069e56a4eb9f352e35148f4a30e0
SHA512

2d550d9167bf0f7dab3d2fdca5d08c8a5635b560a981f9aeaed3584b590fdb3ef79ddd03c7516de2c9f8dd9c00de41cc610245edee5555bc2857e9e8db0fbaeb
SSDEEP

24576:3Femy5hspmq1gkOFelnCEezjnk6mgTCTeyszEQrp31XAd6Fv1ib5XXXXXXXXXXXN:VOk+PQhOIOThhzEw3xM6Fu

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2384	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2384	EXCEL.EXE
2384	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2384	EXCEL.EXE
2384	EXCEL.EXE
2384	EXCEL.EXE
2384	EXCEL.EXE
2384	EXCEL.EXE
2384	EXCEL.EXE
2384	EXCEL.EXE
2384	EXCEL.EXE
2384	EXCEL.EXE
2384	EXCEL.EXE
2384	EXCEL.EXE
2384	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9019.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C757834B.emf

Filesize
485KB

MD5
ee0926f784374bc56c1bbb9bf7c58fc6

SHA1
cef843082e435d3db3f361e300b303a868c2d169

SHA256
ecd098c54f138c4ca2a75cae732d29ddeae630167548955257e2b07b6f89d229

SHA512
5c156691b95dabd95d5d92825626a27c4e88017b67a7a6048a71c0927da2d1aacc4d59b2615f1a19fac3df5edb2c470066b29cadbb8d1784e47c93a8e0bb3744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CCB14946.emf

Filesize
3.2MB

MD5
0ac29f307274008930bdd0f9f71ad66e

SHA1
fde9130304bbfa17d9e75e4dc05180eec02bc709

SHA256
9e3b6eedccb277a72a02d303c096e651dd36573d3a486d6eed2500e0963b6735

SHA512
2f437b4f3b0d12cee5ff0ea5f5abe2c70d66d32e2b1178e5ab4195fe05f3cbb367e132bd6142212edaa76288bea8fa23fdaf594e1c9de51e62b3a4acaad2d18b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E6542475.emf

Filesize
34KB

MD5
5b29f34fb27ee89c9165a7d4d99d9db8

SHA1
05acca26aaed59fa633bbc1c7587806a5960e37c

SHA256
3a151e9d05f574ec3cb8d1675d9eebbdc34ff1cd9874541fdeb29cbfb7f3f119

SHA512
cb756e3893974b98c093bb1d9acb48348587b1bc125c4581c5fa6f14d59d2005a5a0f4fc02acd975821051c0c997af0bafa0ba06fecebfa8e63326054ce59bf0

Download Submit
memory/2384-136-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download
memory/2384-137-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download
memory/2384-138-0x00007FFD886C0000-0x00007FFD886D0000-memory.dmp

Filesize
64KB

Download
memory/2384-139-0x00007FFD886C0000-0x00007FFD886D0000-memory.dmp

Filesize
64KB

Download
memory/2384-133-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download
memory/2384-134-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download
memory/2384-135-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download
memory/2384-194-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download
memory/2384-196-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download
memory/2384-195-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download
memory/2384-197-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads