Analysis
max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
submitted
16-04-2024 09:59
Static task
static1
Behavioral task
behavioral1
Sample
845fa3ee25607c5348ad6e357dc6a59679d641513806958a61a5b93c3d87a3e3.xls
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
845fa3ee25607c5348ad6e357dc6a59679d641513806958a61a5b93c3d87a3e3.xls
Resource
win10v2004-20240412-en
General
Target
845fa3ee25607c5348ad6e357dc6a59679d641513806958a61a5b93c3d87a3e3.xls
Size
59KB
MD5
4ea317cf8bb8a5bde8d2de9eabe4809e
SHA1
a4e4f6c0959ba14f920fe8223bc1ab44e9b8cb76
SHA256
845fa3ee25607c5348ad6e357dc6a59679d641513806958a61a5b93c3d87a3e3
SHA512
c7ba0c2866f6ede7cf7be6c73400f9b8bdb1d2c632ad438c0af88cb08674920e8012025610f4924d432121e00ee43a3c0dd381112d7326e6995bb534feaa048c
SSDEEP
1536:lrxEtjPOtioVjDGUU1qfDlaGGx5DQ2911rDT4O7UrgqIjQonJoI0N:lrxEtjPOtioVjDGUU1qfDlaGGx5DQ29k
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
1812 | EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1812 | EXCEL.EXE
1812 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
1812 | EXCEL.EXE
1812 | EXCEL.EXE
1812 | EXCEL.EXE
1812 | EXCEL.EXE
1812 | EXCEL.EXE
1812 | EXCEL.EXE
1812 | EXCEL.EXE
1812 | EXCEL.EXE
1812 | EXCEL.EXE
1812 | EXCEL.EXE
1812 | EXCEL.EXE
1812 | EXCEL.EXE
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\845fa3ee25607c5348ad6e357dc6a59679d641513806958a61a5b93c3d87a3e3.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1812