Overview

overview

10

Static

static

1

302814Q.xlam

windows7-x64

10

302814Q.xlam

windows10-2004-x64

1

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2024 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    302814Q.xlam

  • Size

    684KB

  • MD5

    dd1745650a50384acb3e3d18f640f6ae

  • SHA1

    aa7c92503314baf176c6972fb0e9eb69eeac8ce7

  • SHA256

    777ffc7e8f61be4b407f8acf15f6338d6a299c8fa89284c62528b0c00d443ae1

  • SHA512

    d4a6e8f1e861a236898fcb41c15e7013263f7acb7e22f9f15c00661d4c4a91712c004c3dbe955bd9d98a9558a6818d6c2659af750ef28e42be43ed832d09dc01

  • SSDEEP

    12288:ninWwmPuLCPZs6cygqu3EYgH0eDpTjyLEu3oJDyIaj5LiuR:irCPkyzYgH0iwAu4J1uR

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\302814Q.xlam"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3400
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3972

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3400-0-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3400-2-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-3-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3400-1-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3400-4-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-5-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3400-6-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-7-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3400-8-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-9-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-10-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-11-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-12-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-13-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-14-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-15-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-17-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-16-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-18-0x00007FF87F9A0000-0x00007FF87F9B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3400-20-0x00007FF87F9A0000-0x00007FF87F9B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3400-29-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-30-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-31-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-32-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-33-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-34-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-35-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-36-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-37-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-38-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-39-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-40-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-41-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-42-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-43-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-44-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-45-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-63-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3400-64-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3400-65-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3400-67-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-66-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3400-68-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3400-69-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
      Filesize

      2.0MB

      Download