efb5d3fd0ca7fb5ba1a1e7e88b8492b0d43a4e121326b03b7851cdf1d0730ec7

Analysis

max time kernel
104s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EFB5D3FD0CA7FB5BA1A1E7E88B8492B0D43A4E121326B03B7851CDF1D0730EC7.xls
Size

1019KB
MD5

904198ed96ec4ce6d011c037a2713fe4
SHA1

f025a41592eace75cff3d67c1c090dfcdbe2fd9b
SHA256

efb5d3fd0ca7fb5ba1a1e7e88b8492b0d43a4e121326b03b7851cdf1d0730ec7
SHA512

47aed404192373e26cf89bd80f5182caf9d58fb28f5788f61b99de8224d9afe0e551315f7f4eac5eca0341e50834a6616d536d05af965243c441f153046d5d77
SSDEEP

24576:2Fe4LFRBXm6FeD5hqLbm61CeEVG06M1/DRXXXXXXXXXXXXUrXXXXXXXXXXXXXtXY:WFp+Y1kZ6Mv

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3852 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

3852 EXCEL.EXE
3852 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\EFB5D3FD0CA7FB5BA1A1E7E88B8492B0D43A4E121326B03B7851CDF1D0730EC7.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\25E16E73.emf
Filesize
3.2MB

MD5
295175972a576d39de88bcaa31fe8e4e

SHA1
01aba5e597ff13a01591ded8577e4e2b3a436d2c

SHA256
eacb655e65703f0a74ac2401ace646773a3a7d9e813e3994fb4de9ad00827fe6

SHA512
4dc09378cb60b3b73e80bb6169da958dcfd1006a109d493d8a614a17e5520858683d3f484f3282f2e87404cea5152db1ad2da6b921f3f57f61309a72092de025

Download Submit
memory/3852-133-0x00007FFABE410000-0x00007FFABE420000-memory.dmp

Filesize
64KB

Download
memory/3852-134-0x00007FFABE410000-0x00007FFABE420000-memory.dmp

Filesize
64KB

Download
memory/3852-135-0x00007FFABE410000-0x00007FFABE420000-memory.dmp

Filesize
64KB

Download
memory/3852-136-0x00007FFABE410000-0x00007FFABE420000-memory.dmp

Filesize
64KB

Download
memory/3852-137-0x00007FFABE410000-0x00007FFABE420000-memory.dmp

Filesize
64KB

Download
memory/3852-138-0x00007FFABBBC0000-0x00007FFABBBD0000-memory.dmp

Filesize
64KB

Download
memory/3852-139-0x00007FFABBBC0000-0x00007FFABBBD0000-memory.dmp

Filesize
64KB

Download
memory/3852-184-0x00007FFABE410000-0x00007FFABE420000-memory.dmp

Filesize
64KB

Download
memory/3852-185-0x00007FFABE410000-0x00007FFABE420000-memory.dmp

Filesize
64KB

Download
memory/3852-186-0x00007FFABE410000-0x00007FFABE420000-memory.dmp

Filesize
64KB

Download
memory/3852-187-0x00007FFABE410000-0x00007FFABE420000-memory.dmp

Filesize
64KB

Download