c09392d00682077f99bfa4cbf5ddbd0b66d411355c9460b311f7abff31cd5aa7

Analysis

max time kernel
422s
max time network
436s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sorillus/jre1.8.0_361/bin/api-ms-win-core-console-l1-2-0.dll
Size

11KB
MD5

7676560d0e9bc1ee9502d2f920d2892f
SHA1

4a7a7a99900e41ff8a359ca85949acd828ddb068
SHA256

00942431c2d3193061c7f4dc340e8446bfdbf792a7489f60349299dff689c2f9
SHA512

f1e8db9ad44cd1aa991b9ed0e000c58978eb60b3b7d9908b6eb78e8146e9e12590b0014fc4a97bc490ffe378c0bf59a6e02109bfd8a01c3b6d0d653a5b612d15
SSDEEP

192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

212 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Sorillus\jre1.8.0_361\bin\api-ms-win-core-console-l1-2-0.dll,#1
1⤵
PID:2876

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UnpublishConnect.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
333B

MD5
24f1dbeaa32b62d5e92469740693d1bd

SHA1
702571dbd099b9c4025b3d47ebf6d7b834151be1

SHA256
2056e370a006d5a0822e5f725405d97e5edd644967f0e2f342a1fb208735da15

SHA512
c84d35a9c090e50e5be4e555314583cb2d8f748b1793d6627282bcca01dcf04eaf4a2afc5f15a310c09d95c57a76b199f6a72e06acc3590d5b05b8e473b7b261

Download Submit
memory/212-8-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

Filesize
2.0MB

Download
memory/212-57-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

Filesize
2.0MB

Download
memory/212-11-0x00007FFA15970000-0x00007FFA15980000-memory.dmp

Filesize
64KB

Download
memory/212-2-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

Filesize
64KB

Download
memory/212-4-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

Filesize
64KB

Download
memory/212-0-0x00007FFA579ED000-0x00007FFA579EE000-memory.dmp

Filesize
4KB

Download
memory/212-9-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

Filesize
2.0MB

Download
memory/212-10-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

Filesize
2.0MB

Download
memory/212-7-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

Filesize
2.0MB

Download
memory/212-13-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

Filesize
2.0MB

Download
memory/212-5-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

Filesize
64KB

Download
memory/212-1-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

Filesize
64KB

Download
memory/212-6-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

Filesize
2.0MB

Download
memory/212-15-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

Filesize
2.0MB

Download
memory/212-16-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

Filesize
2.0MB

Download
memory/212-17-0x00007FFA15970000-0x00007FFA15980000-memory.dmp

Filesize
64KB

Download
memory/212-14-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

Filesize
2.0MB

Download
memory/212-3-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

Filesize
64KB

Download
memory/212-54-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

Filesize
64KB

Download
memory/212-53-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

Filesize
64KB

Download
memory/212-55-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

Filesize
64KB

Download
memory/212-56-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

Filesize
64KB

Download
memory/212-12-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

Filesize
2.0MB

Download