Overview

overview

8

Static

static

1

CIPLCOACOO...ls.xls

windows7-x64

8

CIPLCOACOO...ls.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    143s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/07/2023, 18:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    CIPLCOACOOQCET230428GOxls.xls

  • Size

    209KB

  • MD5

    36c189f80d7ea1d308f10ecc0091c1c2

  • SHA1

    a789b6fdb3c1361aa29213ee05cf21c5644f5d28

  • SHA256

    193fe8c9f0b3ba4a43ae50b0217407410e29c0d2939396433f3bfaaa062ca3cf

  • SHA512

    b60756afd3a7ccf35ab25b561f415107a887bce7e75a676e546fafffbdef1effc50ca16a3adc110d6072268f0b78d1edfb31a6e75395861c543fd0ae02bbaaab

  • SSDEEP

    6144:FZ+RwPONXoRjDhIcp0fDlavx+W26nA/qvBhBi0pnRrk5jMVWltEg0S:DvZi4rkKVWlOZS

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\CIPLCOACOOQCET230428GOxls.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2004

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2004-133-0x00007FF939F70000-0x00007FF939F80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2004-134-0x00007FF939F70000-0x00007FF939F80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2004-135-0x00007FF939F70000-0x00007FF939F80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2004-136-0x00007FF939F70000-0x00007FF939F80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2004-137-0x00007FF939F70000-0x00007FF939F80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2004-138-0x00007FF937820000-0x00007FF937830000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2004-140-0x00007FF937820000-0x00007FF937830000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2004-164-0x00007FF939F70000-0x00007FF939F80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2004-165-0x00007FF939F70000-0x00007FF939F80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2004-166-0x00007FF939F70000-0x00007FF939F80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2004-167-0x00007FF939F70000-0x00007FF939F80000-memory.dmp

          Filesize

          64KB

          Download