367f43f9444ce24cad2611f59e61608566a772fe098d081e20349440010681d7

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2023 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CUSTOM FORM E.xls
Size

1.0MB
MD5

d221ce0d91ef94f55dff3560fe260c45
SHA1

a5fef0be95fafd95a8e95742e10de6e34c52420d
SHA256

367f43f9444ce24cad2611f59e61608566a772fe098d081e20349440010681d7
SHA512

d543a590a5150de7c539ef264017f018c5f0d1c9ae14ce21ec7fc1d260962553beea3186f1856eec5af0be9b5300a4a060cf3c459a4bbff95fc59531057a5ec1
SSDEEP

24576:1LKswByWQmmav30xImiIBJRWQmmav30xBmD9cf9gX1zb1slqxke8:1LKhtQmmQ30AIzgQmmQ30k9Rcq4

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4216	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4216	EXCEL.EXE
4216	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4216	EXCEL.EXE
4216	EXCEL.EXE
4216	EXCEL.EXE
4216	EXCEL.EXE
4216	EXCEL.EXE
4216	EXCEL.EXE
4216	EXCEL.EXE
4216	EXCEL.EXE
4216	EXCEL.EXE
4216	EXCEL.EXE
4216	EXCEL.EXE
4216	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\CUSTOM FORM E.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\56F0050.emf

Filesize
577KB

MD5
c66a3200e21bdbd893a777827175e28b

SHA1
a005604fce42311a25d648c2a20ff1860d63b30e

SHA256
7de235fa8091bf6b9c1e6d4985c061a90cdc43327e9cbb90ee836a348fe9ca61

SHA512
a0d4ee5e57e165d25d5f13cde1fbe589074b4f76034e92d37af6d154f2b2db727b08958143a4b6c7efee1881e482a451144f8d47334a56d9273a38a321e91faa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F9922A9C.emf

Filesize
34KB

MD5
b6e54116894c48ebc63cfd17a58b13fd

SHA1
0ca24ecbbd8878d028e3f0b33bb3bd96fe82325f

SHA256
404912154cccf762274cde6db03ce1ffca85784f081296e70b1bd325314d4313

SHA512
4f9f81c90fbefa7a7bfc14caf947c7cea7ecd45a8321289b04a645412218774f03e8949d04faa3f0cc8a4548eeb9eb0635d370d7a0041a9971aaed954fc3a04a

Download Submit
memory/4216-136-0x00007FFA5B9B0000-0x00007FFA5B9C0000-memory.dmp

Filesize
64KB

Download
memory/4216-133-0x00007FFA5B9B0000-0x00007FFA5B9C0000-memory.dmp

Filesize
64KB

Download
memory/4216-137-0x00007FFA5B9B0000-0x00007FFA5B9C0000-memory.dmp

Filesize
64KB

Download
memory/4216-138-0x00007FFA59520000-0x00007FFA59530000-memory.dmp

Filesize
64KB

Download
memory/4216-139-0x00007FFA59520000-0x00007FFA59530000-memory.dmp

Filesize
64KB

Download
memory/4216-159-0x000002C6E6EC0000-0x000002C6E6F02000-memory.dmp

Filesize
264KB

Download
memory/4216-135-0x00007FFA5B9B0000-0x00007FFA5B9C0000-memory.dmp

Filesize
64KB

Download
memory/4216-134-0x00007FFA5B9B0000-0x00007FFA5B9C0000-memory.dmp

Filesize
64KB

Download
memory/4216-206-0x00007FFA5B9B0000-0x00007FFA5B9C0000-memory.dmp

Filesize
64KB

Download
memory/4216-207-0x00007FFA5B9B0000-0x00007FFA5B9C0000-memory.dmp

Filesize
64KB

Download
memory/4216-208-0x00007FFA5B9B0000-0x00007FFA5B9C0000-memory.dmp

Filesize
64KB

Download
memory/4216-209-0x00007FFA5B9B0000-0x00007FFA5B9C0000-memory.dmp

Filesize
64KB

Download
memory/4216-210-0x000002C6E6EC0000-0x000002C6E6F02000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads