3d751898a915e9e5f6a89d140364e596b68e0255a3c6aebd85cfe51f57e36ec2

Analysis

max time kernel
101s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2023, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO SHEET.xls
Size

1.3MB
MD5

d141a3f91eeb323993381bfc0d13bf55
SHA1

46fe21afc5908b8581b8d66898d8df9c173ff11e
SHA256

3d751898a915e9e5f6a89d140364e596b68e0255a3c6aebd85cfe51f57e36ec2
SHA512

6243447531eebf92f9860f8de0c3b6f314018811728c7e8b5b47090328d371cdf805c31ad00755e2958acd3fe4f6d48a86278144405b4e8616ef54eb4933e0fe
SSDEEP

24576:TLKtB1tHlxHWQmmav30xV2B9ntHlx2WQmmav30x96YNIE/5NF+aZKhQU+5n:TLKt572QmmQ30+rh7rQmmQ30H6FE/5f3

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4980	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4980	EXCEL.EXE
4980	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4980	EXCEL.EXE
4980	EXCEL.EXE
4980	EXCEL.EXE
4980	EXCEL.EXE
4980	EXCEL.EXE
4980	EXCEL.EXE
4980	EXCEL.EXE
4980	EXCEL.EXE
4980	EXCEL.EXE
4980	EXCEL.EXE
4980	EXCEL.EXE
4980	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO SHEET.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\49BE14C.emf

Filesize
577KB

MD5
ac8716d60833180f422f86e1b1381326

SHA1
a4ad4161840c6643bc8196efb0b0565aee798091

SHA256
9fc5494929322490eda73d8c0933a727bd3f71518a707d05aeef4bf96e63b4ef

SHA512
085cfae097665c383cdc696f2cf32741819d4493a3bab969ca92149069b222fbd1f207cf71b52bac2cfa7f82ef8b799d1d1bbe59b7719a84016963f69c66a0c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AD0626B7.emf

Filesize
34KB

MD5
93c7ea051e90411393deffce1930d0a0

SHA1
1f1f80ee7de337b1e941c86b4eff09a00fe0a8c8

SHA256
d45413841fae0ecd534b4bd23860b98ad791b4bd863bcc8091a32bf91e647e75

SHA512
84337406e1ab778283254a6ee103c1401b7be9150477114f7fdf7cf50958f4329f89b7dbaa3fe359c700ec2431950f25540650ff7d0bf079920ec5aa2cac42ed

Download Submit
memory/4980-136-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/4980-133-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/4980-137-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/4980-138-0x00007FF840A10000-0x00007FF840A20000-memory.dmp

Filesize
64KB

Download
memory/4980-139-0x00007FF840A10000-0x00007FF840A20000-memory.dmp

Filesize
64KB

Download
memory/4980-158-0x000001B2D5950000-0x000001B2D5BAF000-memory.dmp

Filesize
2.4MB

Download
memory/4980-134-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/4980-135-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/4980-200-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/4980-201-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/4980-203-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/4980-202-0x00007FF842D90000-0x00007FF842DA0000-memory.dmp

Filesize
64KB

Download
memory/4980-204-0x000001B2D5950000-0x000001B2D5BAF000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads