Analysis
-
max time kernel
46s -
max time network
37s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
20-05-2024 07:42
Behavioral task
behavioral1
Sample
a2cf800b3532cce678d656a8d6cea459b1f84061be369ceccb5eb0203a9e3afa.xls
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
a2cf800b3532cce678d656a8d6cea459b1f84061be369ceccb5eb0203a9e3afa.xls
Resource
win10v2004-20240426-en
General
-
Target
a2cf800b3532cce678d656a8d6cea459b1f84061be369ceccb5eb0203a9e3afa.xls
-
Size
3.4MB
-
MD5
aac6f517f5aca801683caa4a3af0af9b
-
SHA1
0a1e2a756a493e185e2639b19642b6e345413f46
-
SHA256
a2cf800b3532cce678d656a8d6cea459b1f84061be369ceccb5eb0203a9e3afa
-
SHA512
9849defc0c17d26bf65f5ca52ff5d07844c42f5f5b59ed40e43d85698325f0f427c40c6250521241933fea4161952aa1ef58a185a88102a06e2594cf7f7f5284
-
SSDEEP
12288:a0xgywn5cIMoC7GuY5KcijjnUuv2bE7swZ5qxZte2KFIERunQaKFJpFBjjkbWEJn:a0GywnGIrC8cZJoZs2K2E1a+7/3g2b
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXE
pid | process
4364 | EXCEL.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EXCEL.EXE
pid | process
4364 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXE
pid | process
4364 | EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a2cf800b3532cce678d656a8d6cea459b1f84061be369ceccb5eb0203a9e3afa.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4364
Network
MITRE ATT&CK Enterprise v15
Downloads