Analysis
-
max time kernel
47s -
max time network
36s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
20-05-2024 07:35
Behavioral task
behavioral1
Sample
e51de11ea907cd30d3e23b2fba41db97e5b8e6a09fac5598e558169addae508e.xls
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e51de11ea907cd30d3e23b2fba41db97e5b8e6a09fac5598e558169addae508e.xls
Resource
win10v2004-20240426-en
General
-
Target
e51de11ea907cd30d3e23b2fba41db97e5b8e6a09fac5598e558169addae508e.xls
-
Size
172KB
-
MD5
683c756c5d4b84c12071a9848635aa30
-
SHA1
d4fd9fa1abbd12df8ed0951f8135c92f743f4c93
-
SHA256
e51de11ea907cd30d3e23b2fba41db97e5b8e6a09fac5598e558169addae508e
-
SHA512
ba39032e34eca9fc43d7996c6bc764681367634d263e3ef88f3eaa790323cf92b6305a4dc8176cbf0395d94d00fc40ef43dd7c3d8790641d38f3ce9f0e9a7fae
-
SSDEEP
3072:sBVUpjDqF+wRjh4C+7UisD9q4z8kmODkACo0yAZjVurXn4Zbn8AhN6VJR10hI4Ws:kVUpjDqF+wRjh4C+7UisD9q4z8kmODk/
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: EXCEL.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: EXCEL.EXE)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXE
- PID 4888, process EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EXCEL.EXE
- PID 4888, process EXCEL.EXE (listed 2 times)
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
EXCEL.EXE
- PID 4888, process EXCEL.EXE (listed 15 times)
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e51de11ea907cd30d3e23b2fba41db97e5b8e6a09fac5598e558169addae508e.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4888
Network
MITRE ATT&CK Enterprise v15
Downloads