5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e

Analysis

max time kernel
147s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e.exe
Size

550KB
MD5

f955416a22928eb08bff910bc34fb920
SHA1

256721c9990152c749ef8f4f051e3999c2ec85e7
SHA256

5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e
SHA512

b1b979d3cb68ebdfc226fd1a799ff3f3a833026e77eb89caa251624571678aad8d9d35924fa7527491f765b78e4cd2507bdcb093b54edecfbf5feccb848231fb
SSDEEP

12288:KSRhpHuPu7JQXCTWc22je8qH4iHdraa6/0NZ443dXq9s:KshpSW/22je8qH4iHxHM0NZnV

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\V760ES.Dll	office_macro_on_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 5 IoCs

Processes:

5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uab\Excel2EXE	5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uab\Excel2EXE\EXE?? = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e.exe"	5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uab\Excel2EXE\XLS?????? = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\V760ES.Dll"	5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uab\Excel2EXE\	5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uab	5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3828 EXCEL.EXE

pid	process
3828	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e.exeEXCEL.EXE

pid	process
4564	5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e.exe
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE
3828	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e.exe
"C:\Users\Admin\AppData\Local\Temp\5b7ff99c955fa55f1f884a09a912b64f5a1aea40caed0cdf86d0ebe4fe45a06e.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\V760ES.Dll

Filesize
342KB

MD5
aa3dbd12739bd46fc2c7d6a3fa57ee70

SHA1
98767b2da5d82f14d2fbcedd9f706e2134e1b11d

SHA256
c8130704f324d48bac49814e6cdbac9f8aa00268f5d4f7bef0ac748f59ffd9f6

SHA512
292547d4ad672546bb8ba569a7aa825c00b68ab853461e0c543c8293e08bb4371a1ca6c81edba8e55c82bec43de7599f26c522be7c3eb55db0ee05816db97733

Download Submit
memory/3828-140-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp

Filesize
64KB

Download
memory/3828-141-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp

Filesize
64KB

Download
memory/3828-142-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp

Filesize
64KB

Download
memory/3828-143-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp

Filesize
64KB

Download
memory/3828-144-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp

Filesize
64KB

Download
memory/3828-145-0x00007FFB14960000-0x00007FFB14970000-memory.dmp

Filesize
64KB

Download
memory/3828-146-0x00007FFB14960000-0x00007FFB14970000-memory.dmp

Filesize
64KB

Download
memory/3828-155-0x0000026906050000-0x0000026906250000-memory.dmp

Filesize
2.0MB

Download
memory/3828-172-0x0000026906050000-0x0000026906250000-memory.dmp

Filesize
2.0MB

Download