5c34c14865f4a98f6cc623710e445f479175aeafafcb55614b139fb61cff9de7

General

Target

44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795.xlsx
Size

2.1MB
MD5

c9ad9506bcccfaa987ff9fc11b91698d
SHA1

e788183a2a021f74a21f609e514bb63c4ef2fe49
SHA256

44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795
SHA512

509c7c387810399b4a35371b1ae77733184299ee631f13b70e1582a9bed32c8eebaea79beb8ce7bf07ac8d3fcd7d09fd460a461266e073d6d2e6acc5e3bc68b2
SSDEEP

49152:hEK5fuBxYw1iHM+eP4yFIIFd52Mp21N5xb/CVBqCwj7IjLQc1U4l:SK5f6xYSl+VMy8G5ZC6CCIQc1/l

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1764 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	4880	taskmgr.exe
Token: SeSystemProfilePrivilege	4880	taskmgr.exe
Token: SeCreateGlobalPrivilege	4880	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize
1KB

MD5
b95f1f0f7f41f90fe98defb7ae6b89bc

SHA1
36f1049ed63e0cdf9fc46644b8ef1e204d77304c

SHA256
9b5d35ee806b7ed0b2d857900ad47d72b17fa6fba702fef6e7595430cb0b857b

SHA512
47854e06e94d55293611cca6b0efa62ffb7a2008389afd945112d900fb08a65cc01a9d24f5adeada1f85fdcb61b4bc77dd58d18e2cfd739fbe51424ae1e6b7f4

Download Submit
memory/1764-20-0x00007FFB37200000-0x00007FFB37210000-memory.dmp

Filesize
64KB

Download
memory/1764-12-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/1764-3-0x00007FFB39AD0000-0x00007FFB39AE0000-memory.dmp

Filesize
64KB

Download
memory/1764-5-0x00007FFB79AED000-0x00007FFB79AEE000-memory.dmp

Filesize
4KB

Download
memory/1764-4-0x00007FFB39AD0000-0x00007FFB39AE0000-memory.dmp

Filesize
64KB

Download
memory/1764-9-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/1764-18-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/1764-10-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/1764-8-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/1764-7-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/1764-6-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/1764-0-0x00007FFB39AD0000-0x00007FFB39AE0000-memory.dmp

Filesize
64KB

Download
memory/1764-15-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/1764-17-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/1764-19-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/1764-2-0x00007FFB39AD0000-0x00007FFB39AE0000-memory.dmp

Filesize
64KB

Download
memory/1764-11-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/1764-16-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/1764-14-0x00007FFB37200000-0x00007FFB37210000-memory.dmp

Filesize
64KB

Download
memory/1764-13-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/1764-1-0x00007FFB39AD0000-0x00007FFB39AE0000-memory.dmp

Filesize
64KB

Download
memory/1764-37-0x00007FFB79A50000-0x00007FFB79C45000-memory.dmp

Filesize
2.0MB

Download
memory/4880-51-0x0000024CEE000000-0x0000024CEE001000-memory.dmp

Filesize
4KB

Download
memory/4880-43-0x0000024CEE000000-0x0000024CEE001000-memory.dmp

Filesize
4KB

Download
memory/4880-44-0x0000024CEE000000-0x0000024CEE001000-memory.dmp

Filesize
4KB

Download
memory/4880-49-0x0000024CEE000000-0x0000024CEE001000-memory.dmp

Filesize
4KB

Download
memory/4880-54-0x0000024CEE000000-0x0000024CEE001000-memory.dmp

Filesize
4KB

Download
memory/4880-53-0x0000024CEE000000-0x0000024CEE001000-memory.dmp

Filesize
4KB

Download
memory/4880-52-0x0000024CEE000000-0x0000024CEE001000-memory.dmp

Filesize
4KB

Download
memory/4880-42-0x0000024CEE000000-0x0000024CEE001000-memory.dmp

Filesize
4KB

Download
memory/4880-50-0x0000024CEE000000-0x0000024CEE001000-memory.dmp

Filesize
4KB

Download
memory/4880-48-0x0000024CEE000000-0x0000024CEE001000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads