601421ad80704fa48cf10d3481751a17ae0a7970f0aa2903978fcfa34d270248

Analysis

max time kernel
134s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2023, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RetirementPlan.xlsx.exe.xll
Size

541KB
MD5

6e48c62d75c15044b162ca5b2f78747b
SHA1

21e478e7ad791aecefb5e902ab03dd99bc28c2ec
SHA256

601421ad80704fa48cf10d3481751a17ae0a7970f0aa2903978fcfa34d270248
SHA512

fd3e41da4ae08cf999742c3119bc2effc26eecc082e22f314443b8bc63805f37e4e4cdf8b0ab138b66a2b5bb12f474fc8ab0d2fd32b6da43a05c7afa1b7f9c3a
SSDEEP

6144:QaasgQks5F4dTEii6o+GTzzxC46pe9jugAZ/+GhzwM7gbmhzKcgA9K7UMrF7GaTW:QaavtddTi6cz1DoZlsk7cZD1v4ZMH

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Deletes itself 1 IoCs

pid	Process
3356	EXCEL.EXE

Loads dropped DLL 2 IoCs

pid	Process
3356	EXCEL.EXE
3356	EXCEL.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3356	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4372	EXCEL.EXE
4372	EXCEL.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3356	EXCEL.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3356	EXCEL.EXE
4372	EXCEL.EXE
4372	EXCEL.EXE
3356	EXCEL.EXE

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
3356	EXCEL.EXE
3356	EXCEL.EXE
3356	EXCEL.EXE
3356	EXCEL.EXE
3356	EXCEL.EXE
3356	EXCEL.EXE
4372	EXCEL.EXE
4372	EXCEL.EXE
4372	EXCEL.EXE
4372	EXCEL.EXE
4372	EXCEL.EXE
4372	EXCEL.EXE
4372	EXCEL.EXE
4372	EXCEL.EXE
4372	EXCEL.EXE
4372	EXCEL.EXE
4372	EXCEL.EXE
4372	EXCEL.EXE
4372	EXCEL.EXE
3356	EXCEL.EXE
3356	EXCEL.EXE
3356	EXCEL.EXE
3356	EXCEL.EXE
3356	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 4372	3356	EXCEL.EXE	86
PID 3356 wrote to memory of 4372	3356	EXCEL.EXE	86
PID 3356 wrote to memory of 4372	3356	EXCEL.EXE	86

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RetirementPlan.xlsx.exe.xll"
1⤵
- Deletes itself
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RetirementPlan.xlsx.exe.xll"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
d49dfadec8a1fb3e359200e537a996c3

SHA1
b3d2bb7d1b263468a9734d1f7efd18ff0c38c422

SHA256
1fba6fd3417d3ab222b6855411fb8e59dfad30b1d3fab3e7106dbb9bfacd59ea

SHA512
c8b3d61c480a350a6c37154ce9acf3c157d3498fa72fc395f54d27d583fd4736401b4f34d64d640da36d9d3937e72b715e5aa058c5e3dcc6e30b018d2cc175d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
f1b04207e7034f1e7f75f2c9db5f25a9

SHA1
c0226db638588216742fb2bb9d871b418075e96b

SHA256
8b97eea72a91b46b2e80864541a00291b4097679610fe75ae88d9245a43c0d18

SHA512
2f3cee09d3988c7482bceac0af823c20927e32e05a02cc7e759e68ee07ec44b1747c611fe4e5a0d6755f984644455aa02630960cc4db84507750539b20fdc8ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
323KB

MD5
9727b1893f4a4adc3107a50a77813c8e

SHA1
93f76aa52461deeeb49672f7dd497cef15470186

SHA256
a5faca4539374a78a69ef31163e96a358c49014fb3e1fa413f4463b008499d51

SHA512
acf7309e548ba621e94c32b9062149670012bea2eaf280b97359f2ece6d61e7d60eabeb295c7690b42ed3c52982b317d96aa6205cb58fa44dcd553d8468751d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
4KB

MD5
f138a66469c10d5761c6cbb36f2163c3

SHA1
eea136206474280549586923b7a4a3c6d5db1e25

SHA256
c712d6c7a60f170a0c6c5ec768d962c58b1f59a2d417e98c7c528a037c427ab6

SHA512
9d25f943b6137dd2981ee75d57baf3a9e0ee27eea2df19591d580f02ec8520d837b8e419a8b1eb7197614a3c6d8793c56ebc848c38295ada23c31273daa302d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
48KB

MD5
b87010e9eae94bccd97c43380fbe0315

SHA1
8f1c40be9dc41a7c07ef0a4e352287d0ad63ae20

SHA256
d0d6f51d6b6e8185d354ae3a3a75fd17dae8c5cbe7c41c41e18098aaf0ba4522

SHA512
069477a6eb4ad29fe74e876c3e5890c215bb527a992a9c6ed6bf9ca92aa5d142abffa9ffad36d03b3deac83578f427927b27c8dcd161889842e3b2c4a928c95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RetirementPlan.xlsx.exe.xll

Filesize
541KB

MD5
6e48c62d75c15044b162ca5b2f78747b

SHA1
21e478e7ad791aecefb5e902ab03dd99bc28c2ec

SHA256
601421ad80704fa48cf10d3481751a17ae0a7970f0aa2903978fcfa34d270248

SHA512
fd3e41da4ae08cf999742c3119bc2effc26eecc082e22f314443b8bc63805f37e4e4cdf8b0ab138b66a2b5bb12f474fc8ab0d2fd32b6da43a05c7afa1b7f9c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RetirementPlan.xlsx.exe.xll

Filesize
541KB

MD5
6e48c62d75c15044b162ca5b2f78747b

SHA1
21e478e7ad791aecefb5e902ab03dd99bc28c2ec

SHA256
601421ad80704fa48cf10d3481751a17ae0a7970f0aa2903978fcfa34d270248

SHA512
fd3e41da4ae08cf999742c3119bc2effc26eecc082e22f314443b8bc63805f37e4e4cdf8b0ab138b66a2b5bb12f474fc8ab0d2fd32b6da43a05c7afa1b7f9c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RetirementPlan.xlsx.exe.xll

Filesize
13KB

MD5
d2321a705844d645b57987d86f07dd68

SHA1
b4cacba6f791e21ce0f6b6dc5ddc172627534fff

SHA256
04a8061dd2bb0f859ac808aa6236165c8ea06fcc69eb54f0bccdf16b58da4de5

SHA512
24418fea0982bc46c3931fb5a0127d4614e88d1b54609ade258131421e05f427d25719c79d645fd57c2646348562afa5db1a7cb74ebff65336cd0e0d2c8986f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\59B9MSNW6GLT2KMP72Q6.temp

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
memory/3356-138-0x00007FFDC8620000-0x00007FFDC8630000-memory.dmp

Filesize
64KB

Download
memory/3356-139-0x00007FFDC8620000-0x00007FFDC8630000-memory.dmp

Filesize
64KB

Download
memory/3356-137-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/3356-136-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/3356-135-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/3356-134-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/3356-133-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/3356-150-0x00007FFDE72E0000-0x00007FFDE736F000-memory.dmp

Filesize
572KB

Download
memory/4372-190-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/4372-191-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/4372-192-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download
memory/4372-193-0x00007FFDCA7F0000-0x00007FFDCA800000-memory.dmp

Filesize
64KB

Download