Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231130-en locale:en-us os:windows10-2004-x64 system -
submitted
11-12-2023 15:24
Static task
static1
Behavioral task
behavioral1
Sample
PO-0075930-1.xls
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
PO-0075930-1.xls
Resource
win10v2004-20231130-en
General
-
Target
PO-0075930-1.xls
-
Size
1.1MB
-
MD5
c677f23b98f41ace3e30b3451a29e865
-
SHA1
c04789e8a9edea9ad9b8694bbc471460ce3d2e8f
-
SHA256
46cc5500d9579887c1d2694b124d18f2915c0e372bd725aa57a4eb610e02a75a
-
SHA512
fc2bb50269d62a5d31b82dbbbfbdef9164bbdd14f4406e82ba3238e338a9c306ca1aede8c8e81e0bfb23bd861c2a965ce1e926712d9919bb7f09d36ce0a223b1
-
SSDEEP
24576:Bw6/4ZyEAXZS8sw6/mZyGAXZSZiGwwcqZUovtJfTJqdLQ33powDXH:66/qKEE6/wEE+CjvjdMLQ33pokX
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, IoC, process):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description, IoC, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (PID, process):
- 4456 EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes (PID, process):
- 4456 EXCEL.EXE (12 IoCs, all from this process)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-0075930-1.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4456
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
526KB
MD5
a3051cfbb9630c7051a258fdd425031c
SHA1
7603f77dfff7673c05a1ee7ee54390ac7475307f
SHA256
d98dada00f1a9329257a33f2a9ec603bc7884812f4b65e7c8dec100c0ca393fe
SHA512
110bca7c1962c151177c7102311540990f9d9f03952e4a8380b872e0179a9761766ea66a06b3e0dba630133949a5506d3401ddce9b5631910f9c3efa914768d3
-
Filesize
850KB
MD5
37b5450c81d44461252aae45196d9c91
SHA1
a22e7632eecd512c140f6bf9467a65d33d9c355d
SHA256
2eaddab89328c00aca0b19842125d6f112eb4daaa3b9638c4e8c25d4ccf613c6
SHA512
50c85dcaa551ffb875e994fa24b1bec6fa77a2e3b36372f3bb8369d3f49652e8595f64d5b2d582872f4804897781adefa8e01d45b7427dab7a71d92f2f0ce20a