Analysis
-
max time kernel
46s -
max time network
35s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
20-05-2024 07:30
Behavioral task
behavioral1
Sample
9ff9b3c921dd5f71d4d603d8fb3e90f36dae5b43b9eee1b4302c21c57e84f410.xls
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
9ff9b3c921dd5f71d4d603d8fb3e90f36dae5b43b9eee1b4302c21c57e84f410.xls
Resource
win10v2004-20240426-en
General
-
Target
9ff9b3c921dd5f71d4d603d8fb3e90f36dae5b43b9eee1b4302c21c57e84f410.xls
-
Size
172KB
-
MD5
55070d18dcfaf2dacebd232e6e5ed106
-
SHA1
dfb59c3b2e2f0097cf81a4f97a5c088c1e8684fa
-
SHA256
9ff9b3c921dd5f71d4d603d8fb3e90f36dae5b43b9eee1b4302c21c57e84f410
-
SHA512
bb6e504efabc9018bdfdee0778cde61ec2c5303d73f699e259bf7dd9e08aa3bcf3cea4626a65f2ce627fdb225b4808ef978259d3eec16379c80b903f27aa9e22
-
SSDEEP
3072:wBVUpjDqF+wRjh4C+7UisD9q4z8kmODkACo0yAZjVurXn4Zbn8AhN6VJR10hI4Ws:QVUpjDqF+wRjh4C+7UisD9q4z8kmODk/
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
700 | EXCEL.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: EXCEL.EXE
pid | process
700 | EXCEL.EXE
700 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 15 IoCs
Processes: EXCEL.EXE
pid | process
700 | EXCEL.EXE
700 | EXCEL.EXE
700 | EXCEL.EXE
700 | EXCEL.EXE
700 | EXCEL.EXE
700 | EXCEL.EXE
700 | EXCEL.EXE
700 | EXCEL.EXE
700 | EXCEL.EXE
700 | EXCEL.EXE
700 | EXCEL.EXE
700 | EXCEL.EXE
700 | EXCEL.EXE
700 | EXCEL.EXE
700 | EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9ff9b3c921dd5f71d4d603d8fb3e90f36dae5b43b9eee1b4302c21c57e84f410.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:700
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
24KB
-
Filesize
274B