Analysis
max time kernel: 101s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-02-2023 13:36
Behavioral task behavioral1
Sample: DOC_NEW ORDER 548886.xls
Resource: win7-20230220-en

Behavioral task behavioral2
Sample: DOC_NEW ORDER 548886.xls
Resource: win10v2004-20230220-en
General
Target: DOC_NEW ORDER 548886.xls
Size: 1.1MB
MD5: 644ea477b14e89d7f6075c7619d6cef7
SHA1: aafa3f8b5be0c7e569ba4e3ea85d2a2b9a14309d
SHA256: de2cc36754155ee17783f7f6df524a49e845208f3d58a8840210dc8101b60db8
SHA512: 43b3d8992314a35b14306b94cb2d43664ee73bc6bb2ff9608986eecf11d93eb6c0bfe7ca6d5ca968af0008145ce7924ac10713763774eed0d452891ee23a8ffe
SSDEEP: 24576:8Fe5Z59H8m7wRFe8EezjH5GmzbveNK7aqdid+GiAE8Nv7dXXXXXXXXXXXXAXXXXu:g0ZDwDwO1hvSK7aubGiAE8UA
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        process    ioc
  Key opened         EXCEL.EXE  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried  EXCEL.EXE  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried  EXCEL.EXE  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        process    ioc
  Key value queried  EXCEL.EXE  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  Key opened         EXCEL.EXE  \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried  EXCEL.EXE  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid 3364  EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid 3364  EXCEL.EXE (both IoCs)

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  pid 3364  EXCEL.EXE (all 12 IoCs)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
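The CentralProcessor and BIOS lookups listed in the first two signatures are the same events a SOC sees as Sysmon registry events (Event ID 12 object access, Event ID 13 value query). The script below is an added example written for this page, not part of the Triage report or its signature set: it classifies such events into hardware-fingerprint key families and flags a process that touches several families, which is the cluster sandbox-evasion code produces. The EXCEL.EXE rows in the constructed input reproduce the six IoC paths from the report; the `update.exe` process, the `disk`/`scsi` families, the event field names and the `NOISY_IMAGES` tuning are assumptions. Office host processes commonly read CPU and BIOS keys on benign documents as well, so the example asks for one extra family before flagging them; that threshold should be baselined against your own fleet rather than taken from here.

```python
"""Flag processes whose registry reads cluster on hardware-fingerprint keys.

Added example, not code from the sandbox report. Input is a list of
Sysmon-style registry events (constructed below); output is the set of
processes that touch enough distinct fingerprint key families.
"""
import re
from collections import defaultdict

# Registry key families that sandbox-evasion code queries to fingerprint the
# host, matched case-insensitively against a normalised path. "cpu" and "bios"
# cover the six IoCs in the report above; "disk" and "scsi" are further
# well-known VM-detection keys added for generality (assumption).
FINGERPRINT_KEYS = {
    "cpu": re.compile(
        r"\\hardware\\description\\system\\centralprocessor\\\d+"
        r"(\\(~mhz|processornamestring|identifier|vendoridentifier))?$"),
    "bios": re.compile(
        r"\\hardware\\description\\system\\bios"
        r"(\\(systemsku|systemfamily|systemmanufacturer|systemproductname|"
        r"biosvendor|biosversion))?$"),
    "disk": re.compile(r"\\system\\currentcontrolset\\services\\disk\\enum"),
    "scsi": re.compile(r"\\hardware\\devicemap\\scsi\\"),
}

# Processes that read CPU/BIOS keys during ordinary startup. Tuning assumption:
# require one extra family before flagging them; baseline per fleet.
NOISY_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}


def normalise_key(path: str) -> str:
    """Map the sandbox's \\REGISTRY\\MACHINE\\... and Sysmon's HKLM\\... forms
    onto one lower-case spelling so the same key compares equal."""
    p = path.strip().lower()
    p = re.sub(r"^\\registry\\machine", "hklm", p)
    p = re.sub(r"^hkey_local_machine", "hklm", p)
    return p


def classify_key(path: str):
    """Return the fingerprint family a key path belongs to, or None."""
    p = normalise_key(path)
    for family, pattern in FINGERPRINT_KEYS.items():
        if pattern.search(p):
            return family
    return None


def fingerprint_families(events):
    """Group events by (pid, image) and collect the families each touched."""
    touched = defaultdict(set)
    for ev in events:
        fam = classify_key(ev["target"])
        if fam:
            touched[(ev["pid"], ev["image"].lower())].add(fam)
    return touched


def flag_processes(events, threshold=2):
    """Processes touching at least `threshold` families (one more for known
    noisy Office hosts), as (pid, image, families) sorted by pid."""
    hits = []
    for (pid, image), fams in fingerprint_families(events).items():
        need = threshold + (1 if image in NOISY_IMAGES else 0)
        if len(fams) >= need:
            hits.append((pid, image, sorted(fams)))
    return sorted(hits)


# Constructed events modelled on Sysmon Event ID 12/13 fields. The EXCEL.EXE
# rows reproduce the six IoC paths from the report; update.exe, svchost.exe
# and their paths are invented for illustration.
SAMPLE_EVENTS = [
    {"pid": 3364, "image": "EXCEL.EXE", "target": r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"},
    {"pid": 3364, "image": "EXCEL.EXE", "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"pid": 3364, "image": "EXCEL.EXE", "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 3364, "image": "EXCEL.EXE", "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
    {"pid": 3364, "image": "EXCEL.EXE", "target": r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"},
    {"pid": 3364, "image": "EXCEL.EXE", "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"},
    {"pid": 4120, "image": "update.exe", "target": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 4120, "image": "update.exe", "target": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"pid": 4120, "image": "update.exe", "target": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"},
    {"pid": 900, "image": "svchost.exe", "target": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"},
]

if __name__ == "__main__":
    for pid, image, fams in flag_processes(SAMPLE_EVENTS):
        print(f"pid {pid} {image}: fingerprint families {', '.join(fams)}")
```

With the default threshold the Excel process from the report touches two families (cpu, bios) but is held to three because it is a known Office host, so only the hypothetical `update.exe` is flagged; lowering the threshold to 1 flags all three processes, which is the noise level a rule keyed on any single lookup would produce.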
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3364)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\DOC_NEW ORDER 548886.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

EXCEL.EXE is the only process in the tree for this task; no child process was recorded.
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 3.2MB
  MD5: 3213aa0ea4a3ea4177219017fce1392f
  SHA1: b14574a4a8bd9760dfebeaa659020d34fb1e4f39
  SHA256: 96549f168356bfa223b5bf2d1a6e9936642969848673998d472fbf45b62c4f62
  SHA512: d423f5074ad425ff69163f29fb522c61d2c30657869210f371f84deb87a891ddc3f0cbfd1395ec7f26ed64d1a7c06e226ac97d9b42562b7cfb1c37d8aa861850

- Filesize: 485KB
  MD5: 8b28204a4376a165732831fca9eff04b
  SHA1: 7aa1861de7b2274ef9dca0fdb0046f5485b28251
  SHA256: 89a73e1812d31a507e515f4c114e3c23bf08fcefd9ac5e01ed559144b8cace40
  SHA512: 111c5827eb66ffaf94306eb7b224169649fb4b30b2c5da8ef5170f211c5e71251dda41b5a95694e518f10ced968ea3f58ff6caf1b1ab6ae7835a64b49a8450a9

- Filesize: 34KB
  MD5: 5082ff3196830938a53e44634e947b9d
  SHA1: aa1e6180203ea6d91f963e2a79749bdd0262ee2f
  SHA256: 0ab040036872299bf386775a9fd2b6e4f1b21cc9732e25bd81eeff04afd99314
  SHA512: 72f72ec14bd7500cec883134546a565342017c09f161653be8a100f7a4a7f9404f0a5ce0d548a11390e881c8458f6f3aa2a68a332d4f6416daa63f608c538886