Resubmissions
28/02/2024, 14:09  240228-rgcsesdd86  1
28/02/2024, 14:08  240228-rfmagadd74  1
28/02/2024, 14:06  240228-retm6add9w  1

Analysis
max time kernel: 97s
max time network: 110s
platform: windows10-1703_x64
resource: win10-20240221-it
resource tags: arch:x64, arch:x86, image:win10-20240221-it, locale:it-it, os:windows10-1703-x64, system:windows
submitted: 28/02/2024, 14:09
Static task: static1
Behavioral task: behavioral1
Sample: a9d81db31f2e267c8e04e1045246e9aaa13ea4f0267c5eb4e80ac2dbc6831838.xls
Resource: win10-20240221-it
General
Target: a9d81db31f2e267c8e04e1045246e9aaa13ea4f0267c5eb4e80ac2dbc6831838.xls
Size: 90KB
MD5: 9a95aa0c43875fc92d98796992121ae6
SHA1: 2b8b3d6e105e2e8a40f35834a179457518911f86
SHA256: a9d81db31f2e267c8e04e1045246e9aaa13ea4f0267c5eb4e80ac2dbc6831838
SHA512: 0eb454752c318b2c8275533a1cbbbdf7b7de8f13015524f41894a8fab39fddf5d4282c08ae64615a200f6aa4bf263f18877caaed0a7aacf5b290fbe4b4642a30
SSDEEP: 1536:VsQlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm02PSJHN4C1bvBm0AlxjkLFSyXO:VhlYkEIuPm3fNRZmbaoFhZhR0cixIHm/
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read to fingerprint sandbox or virtual-machine environments; the values queried here are the CPU clock (~MHz) and the CPU model string (ProcessorNameString).
Description         IoC                                                                                   Process
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
The SMBIOS values queried here (SystemFamily, SystemSKU) identify the machine's hardware family and vendor SKU, which differ between physical hosts and hypervisor guests.
Description         IoC                                                                  Process
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS                   EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily      EXCEL.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU         EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
PID     Process
4344    EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
PID     Process
4344    EXCEL.EXE  (2 occurrences)

Suspicious use of SetWindowsHookEx (12 IoCs)
PID     Process
4344    EXCEL.EXE  (12 occurrences)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a9d81db31f2e267c8e04e1045246e9aaa13ea4f0267c5eb4e80ac2dbc6831838.xls"
   PID: 4344
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
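Every registry hit in this report comes from EXCEL.EXE itself (PID 4344) and the process list shows no child process, so the signatures record what the Office process read, not a confirmed evasion routine inside the document. The script below is an added triage example, not part of the report or of any sandbox vendor's code: it parses the "Key opened / Key value queried" rows exactly as the report lists them, flags the values that VM-detection code commonly inspects, and then applies the string heuristics such code typically runs against those values. The watch list, the hypervisor marker strings and the two sets of sample registry contents are constructed assumptions; the key paths and the process name are taken from the report.

```python
"""Triage registry-based sandbox/VM checks listed in a sandbox report.

Added example; not part of the report above. Key paths and the EXCEL.EXE
process name come from the report; the watch list, hypervisor markers and
sample registry contents are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed from the report's IoC rows: "description ioc process", one per line.
REPORT_ROWS = [
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE",
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE",
]

# Assumed watch list: values under HKLM\HARDWARE\DESCRIPTION\System that
# VM-detection code commonly reads, keyed by lower-cased relative path.
WATCHED_VALUES = {
    r"centralprocessor\0\~mhz": "CPU clock; rarely decisive alone, guests usually see the host clock",
    r"centralprocessor\0\processornamestring": "CPU model string; may name a hypervisor",
    r"bios\systemfamily": "SMBIOS system family; commonly 'Virtual Machine' on Hyper-V guests",
    r"bios\systemsku": "SMBIOS SKU; vendor-specific, often blank or generic on VMs",
    r"bios\systemmanufacturer": "SMBIOS manufacturer; e.g. 'VMware, Inc.' or 'QEMU'",
}

# Assumed substrings that identify a hypervisor when they appear in any value.
HYPERVISOR_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "kvm", "xen",
                      "hyper-v", "virtual machine")

ROW_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\\S+)\s+(\S+)$")
PREFIX = "\\registry\\machine\\hardware\\description\\system\\"


@dataclass(frozen=True)
class RegistryEvent:
    action: str    # "Key opened" or "Key value queried"
    path: str      # full \REGISTRY\... path as printed in the report
    process: str   # image name of the process that issued the call


def parse_row(row: str) -> RegistryEvent:
    """Parse one flattened IoC row into a RegistryEvent."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised IoC row: {row!r}")
    return RegistryEvent(*m.groups())


def watched_hits(rows):
    """Return (process, relative value path, why it matters) for each queried
    value on the watch list. Matching is case-insensitive because the report
    mixes 'Hardware\\Description' and 'HARDWARE\\DESCRIPTION'."""
    hits = []
    for ev in map(parse_row, rows):
        if ev.action != "Key value queried":
            continue
        lowered = ev.path.lower()
        if not lowered.startswith(PREFIX):
            continue
        rel = lowered[len(PREFIX):]
        if rel in WATCHED_VALUES:
            hits.append((ev.process, rel, WATCHED_VALUES[rel]))
    return hits


def vm_indicators(values: dict) -> list:
    """Apply the substring heuristic a VM-aware sample typically applies to
    the values it just read. `values` maps relative value path to contents."""
    reasons = []
    for name, raw in values.items():
        text = str(raw).lower()
        if any(marker in text for marker in HYPERVISOR_MARKERS):
            reasons.append(f"{name} mentions a hypervisor: {raw!r}")
    return reasons


# Constructed registry contents: a Hyper-V style guest and a physical laptop.
VM_SAMPLE = {
    r"centralprocessor\0\processornamestring": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    r"bios\systemfamily": "Virtual Machine",
    r"bios\systemsku": "",
    r"bios\systemmanufacturer": "Microsoft Corporation",
}
BARE_METAL_SAMPLE = {
    r"centralprocessor\0\processornamestring": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    r"bios\systemfamily": "ThinkPad T14",
    r"bios\systemsku": "LENOVO_MT_20S0",
}


def main() -> None:
    for proc, rel, why in watched_hits(REPORT_ROWS):
        print(f"{proc} queried {rel}: {why}")
    print("VM indicators (constructed guest):", vm_indicators(VM_SAMPLE))
    print("VM indicators (constructed bare metal):", vm_indicators(BARE_METAL_SAMPLE))


if __name__ == "__main__":
    main()
```

Feeding the six report rows through `watched_hits` yields four hits, all from EXCEL.EXE; the same function run over a full sandbox export would separate reads issued by a spawned child (a sign the document's content is active) from reads issued by the host application.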