de2cc36754155ee17783f7f6df524a49e845208f3d58a8840210dc8101b60db8

Analysis

max time kernel
101s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2023 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOC_NEW ORDER 548886.xls
Size

1.1MB
MD5

644ea477b14e89d7f6075c7619d6cef7
SHA1

aafa3f8b5be0c7e569ba4e3ea85d2a2b9a14309d
SHA256

de2cc36754155ee17783f7f6df524a49e845208f3d58a8840210dc8101b60db8
SHA512

43b3d8992314a35b14306b94cb2d43664ee73bc6bb2ff9608986eecf11d93eb6c0bfe7ca6d5ca968af0008145ce7924ac10713763774eed0d452891ee23a8ffe
SSDEEP

24576:8Fe5Z59H8m7wRFe8EezjH5GmzbveNK7aqdid+GiAE8Nv7dXXXXXXXXXXXXAXXXXu:g0ZDwDwO1hvSK7aubGiAE8UA

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3364	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3364	EXCEL.EXE
3364	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\DOC_NEW ORDER 548886.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\116980C1.emf

Filesize
3.2MB

MD5
3213aa0ea4a3ea4177219017fce1392f

SHA1
b14574a4a8bd9760dfebeaa659020d34fb1e4f39

SHA256
96549f168356bfa223b5bf2d1a6e9936642969848673998d472fbf45b62c4f62

SHA512
d423f5074ad425ff69163f29fb522c61d2c30657869210f371f84deb87a891ddc3f0cbfd1395ec7f26ed64d1a7c06e226ac97d9b42562b7cfb1c37d8aa861850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7AC3E19D.emf

Filesize
485KB

MD5
8b28204a4376a165732831fca9eff04b

SHA1
7aa1861de7b2274ef9dca0fdb0046f5485b28251

SHA256
89a73e1812d31a507e515f4c114e3c23bf08fcefd9ac5e01ed559144b8cace40

SHA512
111c5827eb66ffaf94306eb7b224169649fb4b30b2c5da8ef5170f211c5e71251dda41b5a95694e518f10ced968ea3f58ff6caf1b1ab6ae7835a64b49a8450a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E816FCE.emf

Filesize
34KB

MD5
5082ff3196830938a53e44634e947b9d

SHA1
aa1e6180203ea6d91f963e2a79749bdd0262ee2f

SHA256
0ab040036872299bf386775a9fd2b6e4f1b21cc9732e25bd81eeff04afd99314

SHA512
72f72ec14bd7500cec883134546a565342017c09f161653be8a100f7a4a7f9404f0a5ce0d548a11390e881c8458f6f3aa2a68a332d4f6416daa63f608c538886

Download Submit
memory/3364-136-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/3364-137-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/3364-138-0x00007FFD1F7E0000-0x00007FFD1F7F0000-memory.dmp

Filesize
64KB

Download
memory/3364-139-0x00007FFD1F7E0000-0x00007FFD1F7F0000-memory.dmp

Filesize
64KB

Download
memory/3364-133-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/3364-134-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/3364-135-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/3364-190-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/3364-191-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/3364-192-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/3364-193-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads