81ef3e251264b6490d3b716ace5cb5ef82d9758e99ba7309d77fff93c2483a48

General

Target

TT Copy.xls
Size

1.2MB
MD5

030b548e1f2483239465d609b6d7b182
SHA1

f65d3927fc2e76ab8c66b8f5c077dc4e88539135
SHA256

81ef3e251264b6490d3b716ace5cb5ef82d9758e99ba7309d77fff93c2483a48
SHA512

0fc60dba1636d34186c805bd19200ec3b266bf763061b0450d4f0cee477a93c80b551e7a9a82fa5702da875f1b5f37f3dc74306aa65e87f14f23bff74a562904
SSDEEP

24576:gWQmmav30xwZyGw6Vi+MNJJZyfw6VUYe+IEW98bO8QnhhCFSi3dwSx:1QmmQ30gW6VmL6VsCO7nyFSitx

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3732	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3732	EXCEL.EXE
3732	EXCEL.EXE
3732	EXCEL.EXE
3732	EXCEL.EXE
3732	EXCEL.EXE
3732	EXCEL.EXE
3732	EXCEL.EXE
3732	EXCEL.EXE
3732	EXCEL.EXE
3732	EXCEL.EXE
3732	EXCEL.EXE
3732	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TT Copy.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D640E58E.emf

Filesize
526KB

MD5
8318d56bb157ea1ca565745d62ef20e6

SHA1
0fb6a5db79ba8e92e2de95c457188847b949b87d

SHA256
53f6447e44194d7d8b9e66c782fb0827f5e1ef7b1dd66587cf3838779f49b506

SHA512
d49e83458935c7e0c504126d893a6b771e36f350cec87f4b2ca9d4ae610eef3b38f338fc05796467a4e5a4a3aaa76c482793d5a13147502b93c0519a5250dc58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DB8CEA5D.emf

Filesize
1.4MB

MD5
a01b9617553432807b9b58025b338d97

SHA1
439bdcc450408b9735b2428c2d53d2e6977fa58c

SHA256
7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce

SHA512
312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee

Download Submit
memory/3732-17-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-73-0x00007FFBA9970000-0x00007FFBA9980000-memory.dmp

Filesize
64KB

Download
memory/3732-3-0x00007FFBA9970000-0x00007FFBA9980000-memory.dmp

Filesize
64KB

Download
memory/3732-6-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-7-0x00007FFBA9970000-0x00007FFBA9980000-memory.dmp

Filesize
64KB

Download
memory/3732-5-0x00007FFBA9970000-0x00007FFBA9980000-memory.dmp

Filesize
64KB

Download
memory/3732-21-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-9-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-10-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-12-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-13-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-14-0x00007FFBA7410000-0x00007FFBA7420000-memory.dmp

Filesize
64KB

Download
memory/3732-15-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-11-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-76-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-4-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-8-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-22-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-23-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-19-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-18-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-16-0x00007FFBA7410000-0x00007FFBA7420000-memory.dmp

Filesize
64KB

Download
memory/3732-33-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-2-0x00007FFBA9970000-0x00007FFBA9980000-memory.dmp

Filesize
64KB

Download
memory/3732-1-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-70-0x00007FFBA9970000-0x00007FFBA9980000-memory.dmp

Filesize
64KB

Download
memory/3732-71-0x00007FFBA9970000-0x00007FFBA9980000-memory.dmp

Filesize
64KB

Download
memory/3732-72-0x00007FFBA9970000-0x00007FFBA9980000-memory.dmp

Filesize
64KB

Download
memory/3732-74-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-20-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-75-0x00007FFBE98F0000-0x00007FFBE9AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-0-0x00007FFBA9970000-0x00007FFBA9980000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads