dc045f955788a869d725560948fd929d179efe571bcaf0afa43dfb50565270e8

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2246XSupplierXPurchaseXOrder.xls
Size

825KB
MD5

4057fa394d721ff19f725206f27b1b20
SHA1

8efbbd62cb6470d3a036d96f6e4c1dde00111b55
SHA256

dc045f955788a869d725560948fd929d179efe571bcaf0afa43dfb50565270e8
SHA512

7baafde95513cac87ede9d97e774c3d123b2032a89c6931cc6e83eb3192464be1b99254fdfab782b6a567da7c7dcb07426e2692215ad7cc361a8429f279df56a
SSDEEP

24576:HWQmmav30x5Zyiw6VW6NWh8KaZEHiYOzdRRfV:2QmmQ30du6VjetaCCYa5f

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1784	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1784	EXCEL.EXE
1784	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1784	EXCEL.EXE
1784	EXCEL.EXE
1784	EXCEL.EXE
1784	EXCEL.EXE
1784	EXCEL.EXE
1784	EXCEL.EXE
1784	EXCEL.EXE
1784	EXCEL.EXE
1784	EXCEL.EXE
1784	EXCEL.EXE
1784	EXCEL.EXE
1784	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2246XSupplierXPurchaseXOrder.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\19QTJWOB\f[1].txt

Filesize
176KB

MD5
6e7e7c398666e55b7ba4e57b5680f2d9

SHA1
bce036b3f0b952548995bcde5dd0912e3923dfff

SHA256
e0e9f9628d942290ee2c573add1fef55c389702d21841fd23fed204db0af78f9

SHA512
27fc3c5b61a93afb660c0d7d6257ff35d6f09c7820d33b1f4ace1eed384b829d33c273701ff8dd848cec3814d93a7de5c7582f87316df6f2d6ac14a93de322ba

Download Submit
memory/1784-10-0x00007FFC5DD30000-0x00007FFC5DD40000-memory.dmp

Filesize
64KB

Download
memory/1784-12-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-2-0x00007FFC60530000-0x00007FFC60540000-memory.dmp

Filesize
64KB

Download
memory/1784-5-0x00007FFC60530000-0x00007FFC60540000-memory.dmp

Filesize
64KB

Download
memory/1784-4-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-6-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-7-0x00007FFC60530000-0x00007FFC60540000-memory.dmp

Filesize
64KB

Download
memory/1784-8-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-9-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-13-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-3-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-11-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-0-0x00007FFC60530000-0x00007FFC60540000-memory.dmp

Filesize
64KB

Download
memory/1784-14-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-15-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-17-0x00007FFC5DD30000-0x00007FFC5DD40000-memory.dmp

Filesize
64KB

Download
memory/1784-18-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-16-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-20-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-19-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download
memory/1784-1-0x00007FFC60530000-0x00007FFC60540000-memory.dmp

Filesize
64KB

Download
memory/1784-96-0x00007FFCA04B0000-0x00007FFCA06A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads