5f1ff93cf4eb1ec53402b5bb959a6fd1d4c94fed041606a39d7b334b699514ec

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85b455f61c679d481ff562b4454c78ac.xll
Size

689KB
MD5

85b455f61c679d481ff562b4454c78ac
SHA1

419cf72cb631dafbc2a8e219e9e2d2d571d34b7d
SHA256

5f1ff93cf4eb1ec53402b5bb959a6fd1d4c94fed041606a39d7b334b699514ec
SHA512

f6473932d881fed692d1a973943c68a4e092fbce0dc61dd1894648e5bd99fedff5040c9182b91716f714e4ccfcb873faf3aeb48dad507ff5cdea6975e548e8e8
SSDEEP

12288:HHGqRJHO4pMetgC8bzbBSregUIVgFK/UqWgqUAS:HZRJHvkJX1IcLg5V

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3852	EXCEL.EXE
3852	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3852	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3852	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3852	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3852	EXCEL.EXE
3852	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE
3852	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\85b455f61c679d481ff562b4454c78ac.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\85b455f61c679d481ff562b4454c78ac.xll

Filesize
689KB

MD5
85b455f61c679d481ff562b4454c78ac

SHA1
419cf72cb631dafbc2a8e219e9e2d2d571d34b7d

SHA256
5f1ff93cf4eb1ec53402b5bb959a6fd1d4c94fed041606a39d7b334b699514ec

SHA512
f6473932d881fed692d1a973943c68a4e092fbce0dc61dd1894648e5bd99fedff5040c9182b91716f714e4ccfcb873faf3aeb48dad507ff5cdea6975e548e8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample.xlsx

Filesize
27KB

MD5
462dfb9040af4477048ace257a8f5242

SHA1
034d884e2207640f862f2b75c6f7f801a58cdc59

SHA256
057679178d5208fd2fa7e4f7acd124ac7ec3abd3855704150f0884d55dc0d855

SHA512
61e194a61308462e80b87ef2d0064a0deaf97f99126fda3b91097c6598458408ff7e393f70f80b2f0daac282b573584a2ed69f5bce80f5d98762dc1975938b7a

Download Submit
memory/3852-31-0x0000021459CA0000-0x0000021459CB0000-memory.dmp

Filesize
64KB

Download
memory/3852-35-0x0000021459CA0000-0x0000021459CB0000-memory.dmp

Filesize
64KB

Download
memory/3852-5-0x00007FFA76D10000-0x00007FFA76F05000-memory.dmp

Filesize
2.0MB

Download
memory/3852-2-0x00007FFA76D10000-0x00007FFA76F05000-memory.dmp

Filesize
2.0MB

Download
memory/3852-6-0x00007FFA36D90000-0x00007FFA36DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-7-0x00007FFA76D10000-0x00007FFA76F05000-memory.dmp

Filesize
2.0MB

Download
memory/3852-8-0x00007FFA76D10000-0x00007FFA76F05000-memory.dmp

Filesize
2.0MB

Download
memory/3852-9-0x00007FFA76D10000-0x00007FFA76F05000-memory.dmp

Filesize
2.0MB

Download
memory/3852-10-0x00007FFA76D10000-0x00007FFA76F05000-memory.dmp

Filesize
2.0MB

Download
memory/3852-12-0x00007FFA76D10000-0x00007FFA76F05000-memory.dmp

Filesize
2.0MB

Download
memory/3852-11-0x00007FFA34D30000-0x00007FFA34D40000-memory.dmp

Filesize
64KB

Download
memory/3852-14-0x00007FFA76D10000-0x00007FFA76F05000-memory.dmp

Filesize
2.0MB

Download
memory/3852-13-0x00007FFA76D10000-0x00007FFA76F05000-memory.dmp

Filesize
2.0MB

Download
memory/3852-15-0x00007FFA34D30000-0x00007FFA34D40000-memory.dmp

Filesize
64KB

Download
memory/3852-18-0x000002143F390000-0x000002143F456000-memory.dmp

Filesize
792KB

Download
memory/3852-4-0x00007FFA36D90000-0x00007FFA36DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-23-0x0000021441880000-0x000002144189C000-memory.dmp

Filesize
112KB

Download
memory/3852-1-0x00007FFA36D90000-0x00007FFA36DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-27-0x0000021441870000-0x000002144187E000-memory.dmp

Filesize
56KB

Download
memory/3852-29-0x0000021459CA0000-0x0000021459CB0000-memory.dmp

Filesize
64KB

Download
memory/3852-3-0x00007FFA36D90000-0x00007FFA36DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-0-0x00007FFA36D90000-0x00007FFA36DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-24-0x0000021459B50000-0x0000021459B8C000-memory.dmp

Filesize
240KB

Download
memory/3852-30-0x0000021459CA0000-0x0000021459CB0000-memory.dmp

Filesize
64KB

Download
memory/3852-28-0x0000021459CA0000-0x0000021459CB0000-memory.dmp

Filesize
64KB

Download
memory/3852-26-0x0000021459CA0000-0x0000021459CB0000-memory.dmp

Filesize
64KB

Download
memory/3852-25-0x00007FFA4E010000-0x00007FFA4EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3852-62-0x00007FFA76D10000-0x00007FFA76F05000-memory.dmp

Filesize
2.0MB

Download
memory/3852-63-0x00007FFA76D10000-0x00007FFA76F05000-memory.dmp

Filesize
2.0MB

Download
memory/3852-64-0x00007FFA76D10000-0x00007FFA76F05000-memory.dmp

Filesize
2.0MB

Download
memory/3852-65-0x00007FFA4E010000-0x00007FFA4EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3852-66-0x0000021459CA0000-0x0000021459CB0000-memory.dmp

Filesize
64KB

Download
memory/3852-67-0x0000021459CA0000-0x0000021459CB0000-memory.dmp

Filesize
64KB

Download
memory/3852-68-0x0000021459CA0000-0x0000021459CB0000-memory.dmp

Filesize
64KB

Download
memory/3852-69-0x0000021459CA0000-0x0000021459CB0000-memory.dmp

Filesize
64KB

Download
memory/3852-70-0x0000021459CA0000-0x0000021459CB0000-memory.dmp

Filesize
64KB

Download
memory/3852-71-0x0000021459CA0000-0x0000021459CB0000-memory.dmp

Filesize
64KB

Download
memory/3852-88-0x00007FFA36D90000-0x00007FFA36DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-89-0x00007FFA36D90000-0x00007FFA36DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-90-0x00007FFA36D90000-0x00007FFA36DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-91-0x00007FFA36D90000-0x00007FFA36DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-92-0x00007FFA76D10000-0x00007FFA76F05000-memory.dmp

Filesize
2.0MB

Download
memory/3852-93-0x00007FFA4E010000-0x00007FFA4EAD1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads