3ea40aed7aa116bb3f817be11a879793838323cf38319190e39729f5997c6bb6

Analysis

max time kernel
101s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

discovery_UDP&persistance_ssh(1).xls
Size

72KB
MD5

c9b8bf66f0fe8719bea195f39fa4e326
SHA1

1e9ab72fd9eaf1f77c9bccca6efbd35786fd548f
SHA256

3ea40aed7aa116bb3f817be11a879793838323cf38319190e39729f5997c6bb6
SHA512

bee483be35ad0e640e8d0b894a4a6e5d9ecf289b0c22800b022d4b993f2a239bf7ed68379068d518b57c471a0396415b361eb6427fc76813cb8ac2f7b22aea9d
SSDEEP

1536:750P2hrXiVKyVkgi/954kkGfnld+AbrKE47NsE8USnf3vH/YsKRi+LXWGlRvORBa:750P2hrXiVKyVkgi/954kkGfnld+Abro

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4928	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4928	EXCEL.EXE
4928	EXCEL.EXE
4928	EXCEL.EXE
4928	EXCEL.EXE
4928	EXCEL.EXE
4928	EXCEL.EXE
4928	EXCEL.EXE
4928	EXCEL.EXE
4928	EXCEL.EXE
4928	EXCEL.EXE
4928	EXCEL.EXE
4928	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\discovery_UDP&persistance_ssh(1).xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
a583168695e7bfce52f3fd6170d4ab05

SHA1
cc5518615f7086b24f08e8bd127c9f001cec792b

SHA256
b0a919a990b442d8d0f441870aae56f336ef9f6b2b94d3a82a93246c17cac5ec

SHA512
527ab5f20f77f5c876a97a54308e408660c3d9abe0d2c364bf99e5965cc914c306894e0a7ac0feb5ce85d9787f4959f323bd8ef5585958f306fd4630c273f679

Download Submit
memory/4928-14-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

Filesize
2.0MB

Download
memory/4928-6-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

Filesize
2.0MB

Download
memory/4928-4-0x00007FF923350000-0x00007FF923360000-memory.dmp

Filesize
64KB

Download
memory/4928-3-0x00007FF923350000-0x00007FF923360000-memory.dmp

Filesize
64KB

Download
memory/4928-5-0x00007FF96336D000-0x00007FF96336E000-memory.dmp

Filesize
4KB

Download
memory/4928-9-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

Filesize
2.0MB

Download
memory/4928-8-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

Filesize
2.0MB

Download
memory/4928-15-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

Filesize
2.0MB

Download
memory/4928-0-0x00007FF923350000-0x00007FF923360000-memory.dmp

Filesize
64KB

Download
memory/4928-10-0x00007FF920A20000-0x00007FF920A30000-memory.dmp

Filesize
64KB

Download
memory/4928-2-0x00007FF923350000-0x00007FF923360000-memory.dmp

Filesize
64KB

Download
memory/4928-11-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

Filesize
2.0MB

Download
memory/4928-7-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

Filesize
2.0MB

Download
memory/4928-13-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

Filesize
2.0MB

Download
memory/4928-12-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

Filesize
2.0MB

Download
memory/4928-17-0x00007FF920A20000-0x00007FF920A30000-memory.dmp

Filesize
64KB

Download
memory/4928-1-0x00007FF923350000-0x00007FF923360000-memory.dmp

Filesize
64KB

Download
memory/4928-28-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

Filesize
2.0MB

Download
memory/4928-44-0x00007FF923350000-0x00007FF923360000-memory.dmp

Filesize
64KB

Download
memory/4928-45-0x00007FF923350000-0x00007FF923360000-memory.dmp

Filesize
64KB

Download
memory/4928-47-0x00007FF923350000-0x00007FF923360000-memory.dmp

Filesize
64KB

Download
memory/4928-46-0x00007FF923350000-0x00007FF923360000-memory.dmp

Filesize
64KB

Download
memory/4928-48-0x00007FF9632D0000-0x00007FF9634C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads