53a72f1f77a45e47084294a0103726076af1b4eef291b034639e1cfb99ed597d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53a72f1f77a45e47084294a0103726076af1b4eef291b034639e1cfb99ed597d.xls
Size

295KB
MD5

ec1d37555fb0c9c1b55e198f319efb15
SHA1

10e5e0c0a996ccdfd0ca4cbdd6f55c2c49d13dc6
SHA256

53a72f1f77a45e47084294a0103726076af1b4eef291b034639e1cfb99ed597d
SHA512

173ccb3ec44e96f2048ce7d93c0d7c2225b9b74d2e2a2c486b0c262d05a11c3a912cbc3995f6a72f01acbd9bc738cbc055303b8a678e7e3283d1195fb9532830
SSDEEP

3072:XMAJbziaeKJD49xYDJqAnHkE0AcPcWmmIZhojyXlSihEVC29p459aHunCHbcfEE:cqDsxYDJqAnHcTcW4PojyXzEP9r89

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3596	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\53a72f1f77a45e47084294a0103726076af1b4eef291b034639e1cfb99ed597d.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
220859f5ca31a3ee4f763e30d0929dc3

SHA1
bc8e46504717a42a36dbda2b81a3fa5bedbc4d1f

SHA256
9ffe4416de883cb8f4683cf8da788ae13e7c13a3d56a3c2fe678bb2864574c0c

SHA512
49fce7e5f4018522decce178c3d40a88eff5e599e6ac865acadfb456c6d457a67c841efc5e6c7d6a12e0da7aff3849deaa28d78bf041b864a8e6b323cf5aafe8

Download Submit
memory/3596-16-0x00007FFC6B450000-0x00007FFC6B460000-memory.dmp

Filesize
64KB

Download
memory/3596-4-0x00007FFCADBD0000-0x00007FFCADDC5000-memory.dmp

Filesize
2.0MB

Download
memory/3596-13-0x00007FFCADBD0000-0x00007FFCADDC5000-memory.dmp

Filesize
2.0MB

Download
memory/3596-5-0x00007FFCADBD0000-0x00007FFCADDC5000-memory.dmp

Filesize
2.0MB

Download
memory/3596-9-0x00007FFCADBD0000-0x00007FFCADDC5000-memory.dmp

Filesize
2.0MB

Download
memory/3596-7-0x00007FFCADBD0000-0x00007FFCADDC5000-memory.dmp

Filesize
2.0MB

Download
memory/3596-11-0x00007FFCADBD0000-0x00007FFCADDC5000-memory.dmp

Filesize
2.0MB

Download
memory/3596-6-0x00007FFC6DC50000-0x00007FFC6DC60000-memory.dmp

Filesize
64KB

Download
memory/3596-12-0x00007FFC6B450000-0x00007FFC6B460000-memory.dmp

Filesize
64KB

Download
memory/3596-14-0x00007FFCADBD0000-0x00007FFCADDC5000-memory.dmp

Filesize
2.0MB

Download
memory/3596-15-0x00007FFCADBD0000-0x00007FFCADDC5000-memory.dmp

Filesize
2.0MB

Download
memory/3596-0-0x00007FFC6DC50000-0x00007FFC6DC60000-memory.dmp

Filesize
64KB

Download
memory/3596-2-0x00007FFC6DC50000-0x00007FFC6DC60000-memory.dmp

Filesize
64KB

Download
memory/3596-3-0x00007FFC6DC50000-0x00007FFC6DC60000-memory.dmp

Filesize
64KB

Download
memory/3596-10-0x00007FFCADBD0000-0x00007FFCADDC5000-memory.dmp

Filesize
2.0MB

Download
memory/3596-8-0x00007FFC6DC50000-0x00007FFC6DC60000-memory.dmp

Filesize
64KB

Download
memory/3596-33-0x00007FFCADBD0000-0x00007FFCADDC5000-memory.dmp

Filesize
2.0MB

Download
memory/3596-35-0x00007FFCADBD0000-0x00007FFCADDC5000-memory.dmp

Filesize
2.0MB

Download
memory/3596-34-0x00007FFCADC6D000-0x00007FFCADC6E000-memory.dmp

Filesize
4KB

Download
memory/3596-1-0x00007FFCADC6D000-0x00007FFCADC6E000-memory.dmp

Filesize
4KB

Download
memory/3596-63-0x00007FFC6DC50000-0x00007FFC6DC60000-memory.dmp

Filesize
64KB

Download
memory/3596-62-0x00007FFC6DC50000-0x00007FFC6DC60000-memory.dmp

Filesize
64KB

Download
memory/3596-64-0x00007FFC6DC50000-0x00007FFC6DC60000-memory.dmp

Filesize
64KB

Download
memory/3596-65-0x00007FFC6DC50000-0x00007FFC6DC60000-memory.dmp

Filesize
64KB

Download
memory/3596-66-0x00007FFCADBD0000-0x00007FFCADDC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads