1843eb89b27741ab35c0b278a42b1698414bc512b4ccbbdb32d5f9d71e28424a

General

Target

7f676793d8d7c9646d434f5ad2d97790a0beb2c8c4adf19b5a7f1c75edd8f983.xlam
Size

730KB
MD5

156a8325da6a12b655e2c56c0ac7f7e5
SHA1

844d20d5d99b3aa8623fe30980047ca7efbccbcb
SHA256

7f676793d8d7c9646d434f5ad2d97790a0beb2c8c4adf19b5a7f1c75edd8f983
SHA512

594699fdb8dad0472ebb32558c4d66a10788809b49e40c1756f9f34628d2dcbbbaa7f4fb4ca5e2b46825adfd1ff75fc004947f03c5d5d1661f6aed75c40cb8b4
SSDEEP

12288:HpU+OVpm7Cja3ZIjgyHOW67lJ1JcLYXqwIDOYV5RnrOdxE38j:JU+bELgyHU1JyYa7R5lKw38j

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3016	EXCEL.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3016	EXCEL.EXE
3016	EXCEL.EXE
3016	EXCEL.EXE
3016	EXCEL.EXE
3016	EXCEL.EXE
3016	EXCEL.EXE
3016	EXCEL.EXE
3016	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7f676793d8d7c9646d434f5ad2d97790a0beb2c8c4adf19b5a7f1c75edd8f983.xlam"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
e599961bb8dcfab868e337f37236f30d

SHA1
977473fc325ca4710a5193944a89f9eaf7964e43

SHA256
26d58b9d1ea692d2385541d2802c97bd839294b473096ef0ab767b438e6f2937

SHA512
75107a5dfe8cdd3936e0755f188a4f6c80d866ce407383d49ec339dd98be762cb750e9c4a3088c078c3b21186367cd1144c3a88b9554120c23b09ae721955194

Download Submit
memory/3016-17-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-61-0x00007FFCCAFB0000-0x00007FFCCAFC0000-memory.dmp

Filesize
64KB

Download
memory/3016-5-0x00007FFCCAFB0000-0x00007FFCCAFC0000-memory.dmp

Filesize
64KB

Download
memory/3016-2-0x00007FFCCAFB0000-0x00007FFCCAFC0000-memory.dmp

Filesize
64KB

Download
memory/3016-1-0x00007FFD0AFCD000-0x00007FFD0AFCE000-memory.dmp

Filesize
4KB

Download
memory/3016-6-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-20-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-9-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-11-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-14-0x00007FFCC8650000-0x00007FFCC8660000-memory.dmp

Filesize
64KB

Download
memory/3016-13-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-12-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-8-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-7-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-64-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-0-0x00007FFCCAFB0000-0x00007FFCCAFC0000-memory.dmp

Filesize
64KB

Download
memory/3016-10-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-22-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-23-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-21-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-19-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-18-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-15-0x00007FFCC8650000-0x00007FFCC8660000-memory.dmp

Filesize
64KB

Download
memory/3016-33-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-34-0x00007FFD0AFCD000-0x00007FFD0AFCE000-memory.dmp

Filesize
4KB

Download
memory/3016-35-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download
memory/3016-4-0x00007FFCCAFB0000-0x00007FFCCAFC0000-memory.dmp

Filesize
64KB

Download
memory/3016-62-0x00007FFCCAFB0000-0x00007FFCCAFC0000-memory.dmp

Filesize
64KB

Download
memory/3016-63-0x00007FFCCAFB0000-0x00007FFCCAFC0000-memory.dmp

Filesize
64KB

Download
memory/3016-3-0x00007FFCCAFB0000-0x00007FFCCAFC0000-memory.dmp

Filesize
64KB

Download
memory/3016-60-0x00007FFCCAFB0000-0x00007FFCCAFC0000-memory.dmp

Filesize
64KB

Download
memory/3016-16-0x00007FFD0AF30000-0x00007FFD0B125000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads