47116af96aa033477617b2b06bbe5b409b7702169f14a7abfdf7ae8517ee4e24

Analysis

max time kernel
109s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 01:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

47116AF96AA033477617B2B06BBE5B409B7702169F14A7ABFDF7AE8517EE4E24.xls
Size

1.2MB
MD5

b877b1ff6a16f737e2075ec91e67b45a
SHA1

2147bfaec1487d080ec14103a20d89da1c7589fe
SHA256

47116af96aa033477617b2b06bbe5b409b7702169f14a7abfdf7ae8517ee4e24
SHA512

52dd4c3b5926411776f9cbed84118455a5109f203dae1486cb44a581794f62e6154a632bedc5f68db5ba10960da6fb72925051b285460e1c77655414c8d2f791
SSDEEP

24576:OLKeBXtHlxpWQmmav30xTBj/tHlxNWQmmav30x/h6FwEzuAaBk0R:OLKeT74QmmQ30l5Z7sQmmQ30lh6KSuAC

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1860	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1860	EXCEL.EXE
1860	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\47116AF96AA033477617B2B06BBE5B409B7702169F14A7ABFDF7AE8517EE4E24.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\73AFD519.emf

Filesize
34KB

MD5
c548d879c9e79f360bb80d4c1cfeb99a

SHA1
f1eee2951068df3f1062d1e070ca5f9c75a0c7e3

SHA256
bd8211c1827c4f01a342c714844b9901552f34596700f7303fb1812ded9d22cb

SHA512
49e08b3545b90d5595815bf0746bd31d9f52cd7ad1a751469bc80c9c1a83bc4e294f6f53bda1d82b32da1fceef1fa41e9942e8d3630b63e44b8e46e9e7191581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BC8F3B78.emf

Filesize
577KB

MD5
81acced1bbe4a6804927e2e83e1fe1ea

SHA1
d5a27891d163974ecdf9b5205b16e5a491921d5c

SHA256
7743847302b1b15e7c3391d7ede58bdb21bfc96348e6c59f88b72a65c0f52b49

SHA512
e2240e2d042ddad2fcd838e0aaf298e0ee449e6cb3698af030c39d001f30903f0cde4850cb7f3b8b4e0307c67a9f4e77639bf6c4c1223661cd098d66a97315de

Download Submit
memory/1860-139-0x00007FFB158C0000-0x00007FFB158D0000-memory.dmp

Filesize
64KB

Download
memory/1860-136-0x00007FFB17C30000-0x00007FFB17C40000-memory.dmp

Filesize
64KB

Download
memory/1860-137-0x00007FFB17C30000-0x00007FFB17C40000-memory.dmp

Filesize
64KB

Download
memory/1860-138-0x00007FFB158C0000-0x00007FFB158D0000-memory.dmp

Filesize
64KB

Download
memory/1860-133-0x00007FFB17C30000-0x00007FFB17C40000-memory.dmp

Filesize
64KB

Download
memory/1860-134-0x00007FFB17C30000-0x00007FFB17C40000-memory.dmp

Filesize
64KB

Download
memory/1860-135-0x00007FFB17C30000-0x00007FFB17C40000-memory.dmp

Filesize
64KB

Download
memory/1860-188-0x00007FFB17C30000-0x00007FFB17C40000-memory.dmp

Filesize
64KB

Download
memory/1860-189-0x00007FFB17C30000-0x00007FFB17C40000-memory.dmp

Filesize
64KB

Download
memory/1860-190-0x00007FFB17C30000-0x00007FFB17C40000-memory.dmp

Filesize
64KB

Download
memory/1860-191-0x00007FFB17C30000-0x00007FFB17C40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads