66c33502b2a5831d2f9a4b6ad370ed97ee2a511186495dee2c764d2d84f4f7fe

General

Target

66c33502b2a5831d2f9a4b6ad370ed97ee2a511186495dee2c764d2d84f4f7fe.xlsm
Size

1.6MB
MD5

cede7ce7ac89dbdc3f2261dbf810d111
SHA1

8ff874050eec8ef1e48ec0837f20657d134eb738
SHA256

66c33502b2a5831d2f9a4b6ad370ed97ee2a511186495dee2c764d2d84f4f7fe
SHA512

3ede215133988236f6e8ff9b8823c41ef71a478455cefaa07fcd65c78fca6c7765beffa81ba3e2b77a7a18945b4a2097e28cb14a6db5aba51e0d65dea344e0f2
SSDEEP

49152:svWYRPOLgz0exNCU3AqBAy5rzbHRMyRkz76DeNsamw1:2DzhxNdWy5r3HRo

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2948	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2948	EXCEL.EXE
2948	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\66c33502b2a5831d2f9a4b6ad370ed97ee2a511186495dee2c764d2d84f4f7fe.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3F521AA4.emf

Filesize
1KB

MD5
3a02beffede27ef9761f20fc8fded3ea

SHA1
d07f0733e3bc8a81c67fc7af96ccfa5e93363f24

SHA256
97227050c3632fe5fe7d62d4b0965ea7c8439d2c5344e3c436d898cf1e4a2aef

SHA512
c979debf576a72023141c2de09998c625e76d445e19bd1dbbcf7afef4688782391d3dfe4a22e2c7bbf7c9a255eed212e00cf9832cf288c9106d9d3088a4315cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\87CCB255.emf

Filesize
1KB

MD5
30eef36fd0d74429580b6da23d42ea94

SHA1
59503369154ece6053024d00573692111016821f

SHA256
b57b29695ce93dc8d276a15d8485c853af476062baaffc8684d3f8c01fb28fd2

SHA512
47ca90afff193922ea485e03401058b4d18bb0c80e296585bd84b5a29ca656e81bc3ea85f2ed48f66b0ab4859f2ed9f5e0c37c4f43159b6e64cb44f9b7a0db04

Download Submit
memory/2948-14-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-106-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-6-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-5-0x00007FFBE4890000-0x00007FFBE48A0000-memory.dmp

Filesize
64KB

Download
memory/2948-8-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-9-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-7-0x00007FFBE4890000-0x00007FFBE48A0000-memory.dmp

Filesize
64KB

Download
memory/2948-3-0x00007FFBE4890000-0x00007FFBE48A0000-memory.dmp

Filesize
64KB

Download
memory/2948-10-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-11-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-12-0x00007FFBE2720000-0x00007FFBE2730000-memory.dmp

Filesize
64KB

Download
memory/2948-13-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-4-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-0-0x00007FFBE4890000-0x00007FFBE48A0000-memory.dmp

Filesize
64KB

Download
memory/2948-16-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-18-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-19-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-20-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-17-0x00007FFBE2720000-0x00007FFBE2730000-memory.dmp

Filesize
64KB

Download
memory/2948-93-0x0000025C78570000-0x0000025C78770000-memory.dmp

Filesize
2.0MB

Download
memory/2948-2-0x00007FFBE4890000-0x00007FFBE48A0000-memory.dmp

Filesize
64KB

Download
memory/2948-1-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-15-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-107-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-108-0x00007FFC24810000-0x00007FFC24A05000-memory.dmp

Filesize
2.0MB

Download
memory/2948-111-0x0000025C78570000-0x0000025C78770000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads