476a1d2785a6b3585728deb279fb0e6a17d87062a51de14b7a296aa6b67a8106

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2023 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Specifications/Coverall fabric for sea shore work area.xls
Size

126KB
MD5

7f75a12e8a7e17791cd6f025c252a95e
SHA1

35a884a775451ebb9dbde56b949d62b6a6580da2
SHA256

6b13a6db6b10368dc7056d51fb11ebcd5c9daf3d348e115434dcd7938a42bf26
SHA512

c955bea1d34621bfe539f17a43a1db33142fb869a2f8ce7643eb7e2625ee9c993dc3e4dcad4e5fbae4d9a38c94d7e9f982093abf938864a1f2ddfaa289ea7807
SSDEEP

3072:nIpTVkIpT9uIpTVKCZ+RwPONXoRjDhIcp0fDlaGGx+cL/WEgng2h7:IpTV/pT9xpTVbZ+RwPONXoRjDhIcp0fT

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1624	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1624	EXCEL.EXE
1624	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1624	EXCEL.EXE
1624	EXCEL.EXE
1624	EXCEL.EXE
1624	EXCEL.EXE
1624	EXCEL.EXE
1624	EXCEL.EXE
1624	EXCEL.EXE
1624	EXCEL.EXE
1624	EXCEL.EXE
1624	EXCEL.EXE
1624	EXCEL.EXE
1624	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 4696	1624	EXCEL.EXE	86
PID 1624 wrote to memory of 4696	1624	EXCEL.EXE	86

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Specifications\Coverall fabric for sea shore work area.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E890F937.emf

Filesize
11KB

MD5
247df3295cb4fcac02ef2b372e4b93c3

SHA1
dc6ad28629daacfa92c269dc8cd5ff8a3bda164f

SHA256
0e4ba38f4e41fffff1b9dc4b4a474c8923d568edc4971d3cbe84366f096acdd4

SHA512
6f110cef75a886070b2a3841d53b8d9d64f9e429fbaae7a34c751e2d461b6174739045e52bbc2767a1820e1c0500185e433d31c46115691f51bf274998ee0179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H3JZN74\s_ir_tallm[2].htm

Filesize
253B

MD5
2d9f5a97c8f7b19a4d7ae669f21594c4

SHA1
1828dafdb80925d2b3923020f4194ccbf4a177de

SHA256
1d33b771331da970c4eee40076db878ea6a929f2097f4cf6ab18cb5882bcce16

SHA512
3a733e8219159648edf91b3585d328979a7b55883eb412ce5df1d572bc054454b295ebcbdeaec268753a70cd8f65e1bbd68f4832b8aa068dd6c9bc33f146a025

Download Submit
memory/1624-14-0x00007FFDD2C30000-0x00007FFDD2E25000-memory.dmp

Filesize
2.0MB

Download
memory/1624-97-0x00007FFDD2C30000-0x00007FFDD2E25000-memory.dmp

Filesize
2.0MB

Download
memory/1624-0-0x00007FFD92CB0000-0x00007FFD92CC0000-memory.dmp

Filesize
64KB

Download
memory/1624-4-0x00007FFDD2C30000-0x00007FFDD2E25000-memory.dmp

Filesize
2.0MB

Download
memory/1624-7-0x00007FFD92CB0000-0x00007FFD92CC0000-memory.dmp

Filesize
64KB

Download
memory/1624-6-0x00007FFD92CB0000-0x00007FFD92CC0000-memory.dmp

Filesize
64KB

Download
memory/1624-8-0x00007FFDD2C30000-0x00007FFDD2E25000-memory.dmp

Filesize
2.0MB

Download
memory/1624-9-0x00007FFDD2C30000-0x00007FFDD2E25000-memory.dmp

Filesize
2.0MB

Download
memory/1624-10-0x00007FFD908C0000-0x00007FFD908D0000-memory.dmp

Filesize
64KB

Download
memory/1624-16-0x00007FFDD2C30000-0x00007FFDD2E25000-memory.dmp

Filesize
2.0MB

Download
memory/1624-5-0x00007FFD92CB0000-0x00007FFD92CC0000-memory.dmp

Filesize
64KB

Download
memory/1624-3-0x00007FFD92CB0000-0x00007FFD92CC0000-memory.dmp

Filesize
64KB

Download
memory/1624-11-0x00007FFD908C0000-0x00007FFD908D0000-memory.dmp

Filesize
64KB

Download
memory/1624-2-0x00007FFDD2C30000-0x00007FFDD2E25000-memory.dmp

Filesize
2.0MB

Download
memory/1624-1-0x00007FFDD2C30000-0x00007FFDD2E25000-memory.dmp

Filesize
2.0MB

Download
memory/1624-90-0x00007FFD92CB0000-0x00007FFD92CC0000-memory.dmp

Filesize
64KB

Download
memory/1624-91-0x00007FFD92CB0000-0x00007FFD92CC0000-memory.dmp

Filesize
64KB

Download
memory/1624-92-0x00007FFD92CB0000-0x00007FFD92CC0000-memory.dmp

Filesize
64KB

Download
memory/1624-95-0x00007FFDD2C30000-0x00007FFDD2E25000-memory.dmp

Filesize
2.0MB

Download
memory/1624-94-0x00007FFD92CB0000-0x00007FFD92CC0000-memory.dmp

Filesize
64KB

Download
memory/1624-93-0x00007FFDD2C30000-0x00007FFDD2E25000-memory.dmp

Filesize
2.0MB

Download
memory/1624-96-0x00007FFDD2C30000-0x00007FFDD2E25000-memory.dmp

Filesize
2.0MB

Download
memory/1624-15-0x00007FFDD2C30000-0x00007FFDD2E25000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads