e01e704a21eae5ffc45806b7543daf3714908dbb223bde6c794125b876704c4f

General

Target

Install_01210.exe
Size

29.0MB
MD5

6880da84ed207bb9bbd8494d77fe0544
SHA1

5fcefe8147134094104f7911f66ff07d93b4ac19
SHA256

73c3d0ee7cb8d159b021e612fc3011165a7331f4b4f88f238d5c452e27c3862b
SHA512

6eb73feabdbae89750904b6ed62895750f8f6790ed873b24c71d9a04d576c5efad51fc5b44c6400495fed058abf4710d3307066f206418e66b4594a23bf2bd0a
SSDEEP

786432:bDXmuedKvJTsJmpbJofQZTib6fzfHwSN2MbSZNjt3KWAv61:nt76fQZ86fTHwSN2MbSZXKW91

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4932	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4200	Install_01210.exe
4200	Install_01210.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	Install_01210.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4200	Install_01210.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4932	EXCEL.EXE
4932	EXCEL.EXE
4932	EXCEL.EXE
4932	EXCEL.EXE
4932	EXCEL.EXE
4932	EXCEL.EXE
4932	EXCEL.EXE
4932	EXCEL.EXE
4932	EXCEL.EXE
4932	EXCEL.EXE
4932	EXCEL.EXE
4932	EXCEL.EXE
4932	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\Install_01210.exe
"C:\Users\Admin\AppData\Local\Temp\Install_01210.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1844

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Downloads\SaveBackup.xlt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
253B

MD5
22bd3e4697c4ade9c5323ab31d0da0f5

SHA1
f9a3fc196d30f531b6d80727cad538eabbd71c67

SHA256
aee61f4f5be94e6b0eaacb02dd7ca2c4f567fa7f38839af94a393da1e97c8977

SHA512
e0ace53386a5c9d2cb6c157138e018f136b5fe5b936b1fad437571b98856e286fddca62293a99b8a1eb7b910dc0f5a6ff7c9f82f7a149e10bad334d8550a57d4

Download Submit
memory/4932-98-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-121-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-87-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-88-0x00007FFF3B2B0000-0x00007FFF3B2C0000-memory.dmp

Filesize
64KB

Download
memory/4932-90-0x00007FFF3B2B0000-0x00007FFF3B2C0000-memory.dmp

Filesize
64KB

Download
memory/4932-91-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-89-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-93-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-92-0x00007FFF3B2B0000-0x00007FFF3B2C0000-memory.dmp

Filesize
64KB

Download
memory/4932-94-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-95-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-99-0x00007FFF38880000-0x00007FFF38890000-memory.dmp

Filesize
64KB

Download
memory/4932-85-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-97-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-96-0x00007FFF38880000-0x00007FFF38890000-memory.dmp

Filesize
64KB

Download
memory/4932-100-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-101-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-102-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-103-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-104-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-105-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-106-0x00007FFF79680000-0x00007FFF7973D000-memory.dmp

Filesize
756KB

Download
memory/4932-107-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-84-0x00007FFF3B2B0000-0x00007FFF3B2C0000-memory.dmp

Filesize
64KB

Download
memory/4932-86-0x00007FFF3B2B0000-0x00007FFF3B2C0000-memory.dmp

Filesize
64KB

Download
memory/4932-122-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download
memory/4932-123-0x00007FFF7B220000-0x00007FFF7B429000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads