67417004d245a2f3fa094f92d501e902c7e994b017e8ce457154c7c2e55a2b65

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2023, 18:56 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7_202303391169545251.xls
Size

48KB
MD5

451d2a04d1d4f31f3cfc3858e12c7d21
SHA1

45227c6e18c64dc2f7060107a7166d55a2f4f5ca
SHA256

67417004d245a2f3fa094f92d501e902c7e994b017e8ce457154c7c2e55a2b65
SHA512

8668392431b8b817d94daa9f9d0f10e28193bb1eb9046bf7d348d4750dd4070990ed039a9581bfc9b9d81ca3f05c7d42a623555e4a80eec75d135fbb52274e4f
SSDEEP

1536:xblYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm02RT1Dg0QbGsU:xblYkEIuPm3fNRZmbaoFhZhR0cixIHmn

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1116	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1116	EXCEL.EXE
1116	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE
1116	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7_202303391169545251.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1116

Network

DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

210.81.184.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.81.184.52.in-addr.arpa

IN PTR

Response
DNS

141.76.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

141.76.109.52.in-addr.arpa

IN PTR

Response
DNS

45.8.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.8.109.52.in-addr.arpa

IN PTR

Response
DNS

63.141.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

63.141.182.52.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

1.77.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.77.109.52.in-addr.arpa

IN PTR

Response
DNS

202.74.101.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.74.101.95.in-addr.arpa

IN PTR

Response

202.74.101.95.in-addr.arpa

IN PTR

a95-101-74-202deploystaticakamaitechnologiescom
DNS

202.74.101.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.74.101.95.in-addr.arpa

IN PTR

Response

202.74.101.95.in-addr.arpa

IN PTR

a95-101-74-202deploystaticakamaitechnologiescom

8.238.177.126:80

46 B
40 B
1
1
52.168.112.66:443

322 B
7
173.223.113.164:443

322 B
7
173.223.113.131:80

322 B
7
204.79.197.203:80

322 B
7
8.238.177.126:80

322 B
7
8.238.177.126:80

322 B
7
8.238.177.126:80

322 B
7
173.223.113.131:80

322 B
7
204.79.197.203:80

322 B
7
93.184.220.29:80

322 B
7
93.184.220.29:80

322 B
7
93.184.220.29:80

322 B
7

8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

210.81.184.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

210.81.184.52.in-addr.arpa
8.8.8.8:53

141.76.109.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

141.76.109.52.in-addr.arpa
8.8.8.8:53

45.8.109.52.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

45.8.109.52.in-addr.arpa
8.8.8.8:53

63.141.182.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

63.141.182.52.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

1.77.109.52.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

1.77.109.52.in-addr.arpa
8.8.8.8:53

202.74.101.95.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

202.74.101.95.in-addr.arpa

DNS Request

202.74.101.95.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-133-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp

Filesize
64KB

Download
memory/1116-134-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp

Filesize
64KB

Download
memory/1116-135-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp

Filesize
64KB

Download
memory/1116-136-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp

Filesize
64KB

Download
memory/1116-137-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp

Filesize
64KB

Download
memory/1116-138-0x00007FF88EC90000-0x00007FF88ECA0000-memory.dmp

Filesize
64KB

Download
memory/1116-139-0x00007FF88EC90000-0x00007FF88ECA0000-memory.dmp

Filesize
64KB

Download
memory/1116-168-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp

Filesize
64KB

Download
memory/1116-169-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp

Filesize
64KB

Download
memory/1116-170-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp

Filesize
64KB

Download
memory/1116-171-0x00007FF8912D0000-0x00007FF8912E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.