Analysis

max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/07/2023, 07:28

Static task: static1

Behavioral task: behavioral1
  Sample: Order.xls
  Resource: win7-20230703-en

Behavioral task: behavioral2
  Sample: Order.xls
  Resource: win10v2004-20230703-en
General

Target: Order.xls
Size: 1.1MB
MD5: e61ef35786f8c9fc93775070a5fbeec5
SHA1: 8ced2497907895641391537efdc9c9a354892a88
SHA256: 9ef7b881397f3ad7d7c7a0b4fa8b4f5d88077df7327fad30a16e8ee633a282b1
SHA512: ca4ed78a94cf732cead859119e2f37ab394d8335911cc3797f23be74ff415d9bf766e139ff7da6e98ca3791b1f62b4a49053f1d980dc6eaeab2291c8873c93c0
SSDEEP: 24576:GBlzWw6sIzvo0xfsjcUos+xKYw6s4zAo0xfsjcUos+xKw3dYjIqJPoaTwnx:wN6sI3xfsjdos+xKT6s4Axfsjdos+xKc
Malware Config

Signatures

Checks processor information in registry  (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments: the ~MHz and ProcessorNameString values expose the CPU model and clock of the analysis machine, which differ from a typical end-user host.
  Description         IoC                                                                                    Process
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                        EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                   EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    EXCEL.EXE

Enumerates system info in registry  (2 TTPs, 3 IoCs)
  The BIOS SystemFamily and SystemSKU strings identify the hardware vendor or virtualisation platform and are read for the same purpose.
  Description         IoC                                                                                    Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily                        EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU                           EXCEL.EXE
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS                                     EXCEL.EXE

  Note for triage: all six reads are attributed to EXCEL.EXE (PID 644), the only process in the tree below; this page does not tie them to code embedded in Order.xls, and no child process is recorded.
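Added example (not part of the sandbox report and not its signature definitions): a small Python triage helper that parses registry IoC lines in the format shown above and flags reads of keys commonly used to fingerprint a VM or sandbox, summarised per process. The input text is constructed from the six IoC rows above plus one made-up, benign Office settings read for contrast; the FINGERPRINT_KEYS and FINGERPRINT_VALUES sets are an illustrative assumption, not the sandbox's own rule set.

```python
"""Flag sandbox-fingerprinting registry reads in report-style IoC lines.

Added example, not code from the sandbox report. The key/value sets are an
illustrative assumption, not the sandbox's own signature definitions.
"""
import re
from collections import Counter, defaultdict

# Registry keys whose contents describe the CPU and BIOS of the machine.
# Assumption: illustrative set; extend with the vendor-specific keys you care about.
FINGERPRINT_KEYS = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0": "processor-info",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS": "system-info",
}

# Value names under those keys that typically expose a hypervisor or analysis image
# (CPU speed/name strings, BIOS family/SKU/vendor strings). Compared case-insensitively.
FINGERPRINT_VALUES = {
    "~MHZ", "PROCESSORNAMESTRING", "VENDORIDENTIFIER",
    "SYSTEMFAMILY", "SYSTEMSKU", "SYSTEMMANUFACTURER", "SYSTEMPRODUCTNAME",
}

# Constructed input: the six IoC rows from the report (operation, path, process),
# plus one made-up, benign Office settings read on the last line for contrast.
SAMPLE_EVENTS = r"""
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Office\16.0\Excel\Options\DefaultPath EXCEL.EXE
"""

# "<operation> <registry path> <process>"; paths in this format contain no spaces.
EVENT_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\\S+)\s+(\S+)$")


def parse_events(text):
    """Turn report-style IoC lines into (operation, path, process) tuples; skip anything else."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def classify(operation, path):
    """Return (category, value_name) for a fingerprinting read, or None for anything else."""
    norm = path.upper().rstrip("\\")
    if operation == "Key opened":
        category = FINGERPRINT_KEYS.get(norm)
        return (category, None) if category else None
    if operation == "Key value queried":
        key, _, value = norm.rpartition("\\")
        category = FINGERPRINT_KEYS.get(key)
        if category and value in FINGERPRINT_VALUES:
            return (category, value)
    return None


def summarize(events):
    """Per process: number of fingerprinting reads per category and the value names touched."""
    report = defaultdict(lambda: {"categories": Counter(), "values": set()})
    for operation, path, process in events:
        hit = classify(operation, path)
        if hit is None:
            continue
        category, value = hit
        report[process]["categories"][category] += 1
        if value:
            report[process]["values"].add(value)
    return dict(report)


if __name__ == "__main__":
    for process, info in summarize(parse_events(SAMPLE_EVENTS)).items():
        cats = ", ".join(f"{c}={n}" for c, n in sorted(info["categories"].items()))
        print(f"{process}: {cats}; values={sorted(info['values'])}")
```

The benign Office read is parsed but never counted, which is the point: a per-process tally of reads under the hardware keys is what separates fingerprinting from the ordinary registry noise a host process like EXCEL.EXE generates, and a tally attributed only to the host process should still be read with the triage note above in mind.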
Suspicious behavior: AddClipboardFormatListener  (1 IoC)
  PID   Process
  644   EXCEL.EXE

Suspicious use of SetWindowsHookEx  (12 IoCs)
  PID   Process
  644   EXCEL.EXE  (12 occurrences)

No IoC rows are listed on this page for the three signatures below, so the page does not show which object or call triggered them.

Uses Task Scheduler COM API  (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order.xls"
  PID: 644
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.4MB
MD5: 1fcb3f34b5588f6a647a06dff1811bf9
SHA1: 1f5ef0e6e41c14795decedcefc883ab9000fac9a
SHA256: a99e8172248dac0b2a6243d06a862901989857b0c2ecbed5f25ddb0d1a95154e
SHA512: 47e951583afff444f9adb09beab0d83f9792b46d3e1fabf05d21068218d64b3cba48e2dc22fe0a7bd3252a0e0c8866faa244b5dc3784bd336ecbc9f2924fb2aa