11a5d3add86410357163004a54f22335583b895a390e7eaf567e423ac7ccfeff

Analysis

max time kernel
133s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11a5d3add86410357163004a54f22335583b895a390e7eaf567e423ac7ccfeff.xlam
Size

829KB
MD5

8ab8d813d3ca68c8effdb8abbf4a4f86
SHA1

f26fa096a70eec2a9900e363f63a1e6cafe5e8d4
SHA256

11a5d3add86410357163004a54f22335583b895a390e7eaf567e423ac7ccfeff
SHA512

cc5afb9559e049d62133d89c488d12b81c8338bf29177def06f890310ae75ae2964a21d07e3cf6bcbbdc103cfdf102f1ce35111ead80f9c8d247c8b8b663f0a5
SSDEEP

24576:7Y6dnGcLIS97usf6ZHqRPK21eOWWiB5Etu/3PP4qZaP2/:7YEvLISHkqjEhWVt2PwqZaP2/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4128	EXCEL.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4128	EXCEL.EXE
4128	EXCEL.EXE
4128	EXCEL.EXE
4128	EXCEL.EXE
4128	EXCEL.EXE
4128	EXCEL.EXE
4128	EXCEL.EXE
4128	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\11a5d3add86410357163004a54f22335583b895a390e7eaf567e423ac7ccfeff.xlam"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
4fb2801ec2d0bff91426c6506cb22560

SHA1
6edb795c0fb6a65405948de5e62fdff7dacbdd12

SHA256
9033df0a3973004e65c55944ff29d6de0b9d7e21bc7c6dd23be797c19a37ce73

SHA512
12b99d898767ca76090aaab5330414093187c947ff663422dc508252306b51a11a7222e5a85813cc98eb4b4cadc510abebbcebe40a28cd70685916dff616340c

Download Submit
memory/4128-12-0x00007FF90B350000-0x00007FF90B360000-memory.dmp

Filesize
64KB

Download
memory/4128-28-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-2-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

Filesize
64KB

Download
memory/4128-5-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

Filesize
64KB

Download
memory/4128-1-0x00007FF94DA8D000-0x00007FF94DA8E000-memory.dmp

Filesize
4KB

Download
memory/4128-7-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-6-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-8-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-9-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-11-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-3-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

Filesize
64KB

Download
memory/4128-4-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

Filesize
64KB

Download
memory/4128-15-0x00007FF90B350000-0x00007FF90B360000-memory.dmp

Filesize
64KB

Download
memory/4128-14-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-13-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-17-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-18-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-19-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-16-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-26-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-27-0x00007FF94DA8D000-0x00007FF94DA8E000-memory.dmp

Filesize
4KB

Download
memory/4128-0-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

Filesize
64KB

Download
memory/4128-29-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4128-10-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads