e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9df

Analysis

max time kernel
100s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe
Size

1.5MB
MD5

49f50d28a6b74a5a0fecf64253ddfb70
SHA1

65bf79e843bb5706d5dc24f51dc3fc2ae37e26a9
SHA256

e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9df
SHA512

47c8e56e1e6750d250efab901ab22bdf32e600593c4f340de48e73aefd9ca2c2de646830262cb6924574bb38c74341974365f612fe01b73dd7453b8b9f98297b
SSDEEP

1536:5ROJXGKhn2JoCvrj7RGEcjU30copKsu9VE7WZMl+LN4D/f4TEaY90rHc3YmFdaqg:YjVsTulb1Zkgcxq8PWxWi1fLr

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2328	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2328	EXCEL.EXE
2328	EXCEL.EXE
2328	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2328	1920	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe	30
PID 1920 wrote to memory of 2328	1920	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe	30
PID 1920 wrote to memory of 2328	1920	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe	30
PID 1920 wrote to memory of 2328	1920	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe	30
PID 1920 wrote to memory of 2328	1920	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe	30
PID 1920 wrote to memory of 2328	1920	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe	30
PID 1920 wrote to memory of 2328	1920	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe	30
PID 1920 wrote to memory of 2328	1920	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe	30
PID 1920 wrote to memory of 2328	1920	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe	30

C:\Users\Admin\AppData\Local\Temp\e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe
"C:\Users\Admin\AppData\Local\Temp\e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
  2⤵
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.xlsx

Filesize
1.5MB

MD5
ccb4948d1744b128f96307722b22de87

SHA1
7892ac6c28b3698dd98d26d6312f180b3bb1c233

SHA256
c0b078682b66f209767b1e1bdbb64e924498e93399ff3ee4892896abe05546f4

SHA512
7e01ff700fe7aba0f688b794b6ae769e2de5378690ed907d04074d31e72e7a4dacacca3093e56c945c01f60223084fc9e0c80feaab8a79ca62c0db0fdc2b3a1d

Download Submit
memory/1920-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/1920-1-0x0000000000D20000-0x0000000000EA6000-memory.dmp

Filesize
1.5MB

Download
memory/2328-5-0x0000000072ADD000-0x0000000072AE8000-memory.dmp

Filesize
44KB

Download
memory/2328-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2328-7-0x0000000072ADD000-0x0000000072AE8000-memory.dmp

Filesize
44KB

Download
memory/2328-9-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2328-10-0x0000000072ADD000-0x0000000072AE8000-memory.dmp

Filesize
44KB

Download