eb3bcf3af0923527d21b12e73e63d10c9beb4062259c7e007e88b3ef50b46384

Analysis

max time kernel
114s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c20d5c459e438b7728382aea32256ec.xls
Size

67KB
MD5

2c20d5c459e438b7728382aea32256ec
SHA1

4ecc40e3b3f01d0ffaeafb34416a4d2d405794da
SHA256

eb3bcf3af0923527d21b12e73e63d10c9beb4062259c7e007e88b3ef50b46384
SHA512

33a7c173b9c6eb7fd43c5613be57bcf43a2db487bbe593cf6db1668d8d757a151793eaafb755a2efed00f96c461cf6baa771a210bf4269a3e73fe7eb91120863
SSDEEP

1536:qhIxEtjPOtioVjDGUU1qfDlaGGx+cW/IEAR2h4eazOIP3vMDbpXqNa1JQGal:6IxEtjPOtioVjDGUU1qfDlaGGx+cW/Ib

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1896 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1896 EXCEL.EXE
1896 EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE
1896	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2c20d5c459e438b7728382aea32256ec.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VB9CA3.tmp
Filesize
1KB

MD5
e0b4af46b1587926166aae3c3400611d

SHA1
bf05e32b09a232a57b56593e6d3457c43418eba4

SHA256
a5fb22102f4e50f71186a98b9ed5fec5efdf36a29a369545f4ab6ff31e32a70a

SHA512
04351cb88b65fd9a134bc06c55aa9b26adb8a0dc14fc953bd45c2ae3b0b0c052ac64f82e05159b0ef8016da907b1042a0a24d8a2493e8e4a48d4396bf0763a90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
254B

MD5
1d8898b38935e94bf59422ab3695b961

SHA1
41ea21fcf504044cd5f5f47bacd69a9db5184530

SHA256
51160099ae9b27bb81b178e45f9c3d81e19d501fb3792101431cf964b1dec07f

SHA512
7945876efbf91efce2b33ae9072f191cadc8836c190f5af8a9980c70934551402e0d4ef2f31dc98bd1ded6070d0a8815ced688501763c344d4908461f3dbb80b

Download Submit
memory/1896-139-0x00007FFD1F7E0000-0x00007FFD1F7F0000-memory.dmp

Filesize
64KB

Download
memory/1896-136-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/1896-137-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/1896-138-0x00007FFD1F7E0000-0x00007FFD1F7F0000-memory.dmp

Filesize
64KB

Download
memory/1896-133-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/1896-135-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/1896-134-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/1896-198-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/1896-199-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/1896-200-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download
memory/1896-201-0x00007FFD220B0000-0x00007FFD220C0000-memory.dmp

Filesize
64KB

Download