0cc3785f3c1cae8dafa323283b42b8f08dccbf8c4212bc96e80854f18fa9a548

Analysis

max time kernel
144s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6fa8f20f52fe04d59f826df051dd8d2.xls
Size

67KB
MD5

e6fa8f20f52fe04d59f826df051dd8d2
SHA1

ed3ec4d899eb9e00b0f34258a914f67dd54c1093
SHA256

0cc3785f3c1cae8dafa323283b42b8f08dccbf8c4212bc96e80854f18fa9a548
SHA512

d0f909558682426662a39f32fccc7bd4871b53fe9542ef78d77af1650c1d6f8e475551dc1da63cb7ebe9a2388033284dc879fd475ff23a719bc41a6543b5f8f7
SSDEEP

1536:8hIxEtjPOtioVjDGUU1qfDlaGGx+cW/IEAR2h4eazOIP3vMDbpXqNa1JQGal:wIxEtjPOtioVjDGUU1qfDlaGGx+cW/Ib

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3928 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

3928 EXCEL.EXE
3928 EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e6fa8f20f52fe04d59f826df051dd8d2.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VBB26D.tmp
Filesize
1KB

MD5
e0b4af46b1587926166aae3c3400611d

SHA1
bf05e32b09a232a57b56593e6d3457c43418eba4

SHA256
a5fb22102f4e50f71186a98b9ed5fec5efdf36a29a369545f4ab6ff31e32a70a

SHA512
04351cb88b65fd9a134bc06c55aa9b26adb8a0dc14fc953bd45c2ae3b0b0c052ac64f82e05159b0ef8016da907b1042a0a24d8a2493e8e4a48d4396bf0763a90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
254B

MD5
1d8898b38935e94bf59422ab3695b961

SHA1
41ea21fcf504044cd5f5f47bacd69a9db5184530

SHA256
51160099ae9b27bb81b178e45f9c3d81e19d501fb3792101431cf964b1dec07f

SHA512
7945876efbf91efce2b33ae9072f191cadc8836c190f5af8a9980c70934551402e0d4ef2f31dc98bd1ded6070d0a8815ced688501763c344d4908461f3dbb80b

Download Submit
memory/3928-139-0x00007FF995E50000-0x00007FF995E60000-memory.dmp

Filesize
64KB

Download
memory/3928-136-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/3928-137-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/3928-138-0x00007FF995E50000-0x00007FF995E60000-memory.dmp

Filesize
64KB

Download
memory/3928-133-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/3928-135-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/3928-134-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/3928-198-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/3928-199-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/3928-200-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/3928-201-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download