7394a60726a1e8b2a0d54afaa74cbade2846696214ceaf8417171c3ba611f14a

Analysis

max time kernel
136s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2023 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO Match2023.xls
Size

1.4MB
MD5

92c740dbfda6abf84475076d68864f2c
SHA1

6bdbf063daf6b58958a7888aefe73229ce7cfae7
SHA256

7394a60726a1e8b2a0d54afaa74cbade2846696214ceaf8417171c3ba611f14a
SHA512

80f65bc03e1a410729ad5f32607551d73d599eca2941e0461efa3812ca5d248b72564b863fa4245f81c63c3f66f882395e8b53f3972483abd2a15270c51fae6c
SSDEEP

24576:lLKgWQmmav30xOnBZWQmmav30xfJsWQmmav30x8BhlWQmmav30xs69WvEONLyP4r:lLK1QmmQ30smQmmQ30NJBQmmQ30WnkQa

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1076	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1076	EXCEL.EXE
1076	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE
1076	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO Match2023.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C2F9CD36.emf

Filesize
577KB

MD5
ae689aefea9e9889be7e07e89b50606c

SHA1
441a5710e58d4dbe4436c989d5f5acbf9f6c0314

SHA256
ec7a39ccc0cb412c651986e3adc67cbf786cb7f74985abc203dffad63e02a262

SHA512
486d01e30c8897f216d3200932c52fad3f1da8f8181dba768addc6da416e44c8101dd1e42127a73dc108fa1e4deaa9a9f55a5582d4cfce90f44cb72bf25d8e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E02FBEE8.emf

Filesize
34KB

MD5
98d49b996eb4d333cff85c9b1f2da071

SHA1
6ec5cb8928132d12f9fabef8a54167541540eb94

SHA256
8f6c0f23c8396223bdd5cb4ca02140e8f2f5a9b1c31160e83d8274a63eef797f

SHA512
fbd5f8e9d1944afddbb56bb32c0b37980957803ad15957569a2fbc4e07118804e1f61919c0f11b19d86d70dde63453223bc88dbbffdc31183f4e7708f9559559

Download Submit
memory/1076-139-0x00007FFDC2330000-0x00007FFDC2340000-memory.dmp

Filesize
64KB

Download
memory/1076-136-0x00007FFDC4970000-0x00007FFDC4980000-memory.dmp

Filesize
64KB

Download
memory/1076-137-0x00007FFDC4970000-0x00007FFDC4980000-memory.dmp

Filesize
64KB

Download
memory/1076-138-0x00007FFDC2330000-0x00007FFDC2340000-memory.dmp

Filesize
64KB

Download
memory/1076-133-0x00007FFDC4970000-0x00007FFDC4980000-memory.dmp

Filesize
64KB

Download
memory/1076-135-0x00007FFDC4970000-0x00007FFDC4980000-memory.dmp

Filesize
64KB

Download
memory/1076-134-0x00007FFDC4970000-0x00007FFDC4980000-memory.dmp

Filesize
64KB

Download
memory/1076-194-0x00007FFDC4970000-0x00007FFDC4980000-memory.dmp

Filesize
64KB

Download
memory/1076-195-0x00007FFDC4970000-0x00007FFDC4980000-memory.dmp

Filesize
64KB

Download
memory/1076-196-0x00007FFDC4970000-0x00007FFDC4980000-memory.dmp

Filesize
64KB

Download
memory/1076-197-0x00007FFDC4970000-0x00007FFDC4980000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads