19cd8f798e2e008e2e34816bee574bc376bcaa260c4f6e2cc17ec24d88c3b39c

Resubmissions

21/11/2024, 09:54

241121-lxg47a1hjl 1

21/11/2024, 09:41

241121-ln3pja1gmq 3

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

質問事項_20241119.xlsx
Size

46KB
MD5

b8b6866de956126b4a4e0c68a423a1b0
SHA1

d0e438bcfb27b469aabbb4bc55971e7eabbfe3df
SHA256

19cd8f798e2e008e2e34816bee574bc376bcaa260c4f6e2cc17ec24d88c3b39c
SHA512

3389dd5bb0fe8a675eee9a531b45b121d2a37a180ec8c598a2ecc126acbe4f6b3351eccabba01a0ddea6248844ea409946819f10415e10b1edf0342d361836f8
SSDEEP

768:oktZf/HwMhZhj7C6srKUcfDL1oloob1QJeD9esrgG+we82mPWbc1:JP3QMnpC6oWqZbCJeD9tUGwI

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\ServiceDiscovery	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\Licensing	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Certification\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Licensing\RequiresRedirect = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Certification\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\ServiceDiscovery\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\ServiceDiscovery\RequiresRedirect = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Licensing\Vdir = "_wmcs/licensing"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\MSIPP-MK = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d0000000004000000200000001066000000010000200000001410d6524d975800872a7193a7a80a4524beaaf00dadfebd4c9645de8e2fa619000000000e8000000002000020000000a95dbe6a9446051eee1f1c4d35cedb61cd4bf22c80d099ee577009ebff001d22a004000077c0a27695d55d13a106476e2955dd155d177a3b4a810ce9679738b5cf424d86d4bbee888e91b13c5a638f5e7a8b76c5230214fd7041f9a1cd4215141c150a9b9db5511724ace497f6977a0fdab146462b3c560116176fbee981cbd416550397ebe243099990dc65877e04c9f3c5d70aa3b7a1e37b28af76205dae6eb8d2f1141f50714a810cef751654a795500fac5bf698184be1a58a1b31274f85c9b1bdf2cc557de22fa4c8b9bec0aea23b8537e2315f9a5f8735e3d3a7a36b0b389238973b1e9448b45bf111fa95e6d75cbb62aee3df5423bbd4c5db22526a4165e75e4df6c50d555ba92a3b97a967d2bab73d4c8f2946a6bf30c8c09b73aa154aad99aa84bef9b5470f3c26c63a1df41f484a65354ce343aad58f6114abaf15a3a446844f0531f5f5914247e4d51a791149a8690ebd7858629a88e116e1b1c287e92481fe5280e492077fa6da3cfc46b4b50757c292aecb661150df90cd70c10b7ff1decaa5b6cf5a073f628f2a9305a1dc7e73421ac13acf6c755f8ea0b9c74229754833d52c1a99750185e0668b5b10290834e87440158c9de0c2f7cce97f949d733f7b4c6f7d1db02e6acd7d3e0f35b4b4acdd597f99cdbb52090c02173115f066b9d8c605c74eb3e61bfa4c311911a675f78afdd990b6d3611b9e8933c7601753def9206e75d2f6082d296f13638e780e9a5eb82d5bca0fb37fb33d85efb55c143e6fd5f30d262f841d51c3bc1da04dfd43bd427a0901133c073fa23c0848ba159903b657b5c408cae5c99ff673c67bf95e9a5f53e450c9d5a07731dc85c3301d9739ab34c0b273e0be474e9952d82f3f86904d6f6f173ebae64107bc4aad9efdedc4ac1a2b191f009fc11892c52eeec2e2b63db2200f1a6375c630f0b44e188899e87a10f0c9c92bf0dd6e1214cab17823f68fc13cfb47340e0a19e4ec531d9a98f3c5373027a1b79564e589aa06615cb0ecc22ed1ace4ddab69829f47ae10cf62750bb1b37fe1858d02fbf39d64cecc96513dc824464af4c966ca7191a5b9d4cbe7de72c3e8550535a1ee535d27c896c486f810c941f17f7488c806c417be7d9616efc83b19007e50c8150015e5609ff4091c4f0790d268c913cf8b2b3e3b33cb693f6e36ba2616a118f36aa6c8daa1276089be69a67076ca0f6dcfa2bdb04a7348a6db349aab344d5093958ff3357b967c396cd94fd07d3428fd2725c154c19a2ba1b6ebbf411357e9f5d9359c5a4315395487c52685188c04393947c5bede212847fabda537be60118fa94aadbcdac97ab34fbce5404ad586bfe7761258bb607313705934619cbf9974cc159e66bd1ba9895b7e8ac010d4b4c76b83d7f5f1aa7c9bc8e864698883854e9acaaa77cc78f0a9d01411618f00cd049eaabb4a2fe04ad52e5c48e453be3254948c2c2bb854c1b1ef7dba7c2734183a4adf939834c902a97fb052c2c13f2eb675aeec1251b9c541eb558e243007cce15fa457b0a8b86d1f1e005e8f1ba72dde088386fe942e34a2f895335f3a51c003623da88d1d7994f240649bcdbb5851c7c009cc8037b28cdba5010aec35c1bef42b1708519dddf00302cdc4e117c0feff15af843e6d5a8d310a5d604322d3a306e23b9fda3831cabff1de26816ecd31911628c40f48ad05127dd6891d9e6136463346caa29155400000002ec4dbddbcd0be8578c275ac728f4217656d22cc1c6f99c9968e50f594954be40cc023161e7bf695fb269396d84a0cc78449c33ce7b0089beac049ed3ffff77d	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\ServiceDiscovery\Vdir = "_wmcs/servicediscovery"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\ServiceDiscovery\RequiresBrowser = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\ServiceDiscovery\Vdir = "_wmcs/servicediscovery"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\Certification	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\Licensing\RequiresBrowser = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\ServiceDiscovery\RequiresBrowser = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\Version = "1.0.0.0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Certification\RequiresBrowser = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Licensing\Vdir = "_wmcs/licensing"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Certification\RequiresBrowser = "0"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\MSIPP-SK = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d0000000004000000200000001066000000010000200000006a2df159a6fd36aad727bf8bc166f90696fc3a74c398c082d8763fec96ba50a5000000000e8000000002000020000000390f3ea79cf35ca848f8d8a3165c58a63df5068e5db5903d3196a9a6634c711c90000000c4e08b1bd0d7fffbe5381dae9961c6ea45f83b4cc7cbdf493afc7e5d574def5ee91ce0543452adbaf59646b7d4e887c2212712938238260606ea5aa2ca1a1d4d2c050185056de1bc78f31f1ca630d1f1de2b35b399da92eab79ea767add3762aea17eb026e2071bab3991d1d5be8e6df6f6f0a01c284eb9a41791d771fddceba22c9e0752f95308d1a145046e5e1e90c40000000f202354fbf8d3175a8eae40669b8bebc97e80a790d44af477e73a039bb982ef8af3bd3e3bef3a74ea602d11a41f972a9dd7f16aed3449b096c2a37ae29808ed6	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\ServiceDiscoveryUriChecked = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\Certification\RequiresRedirect = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Licensing\RequiresBrowser = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\ServiceDiscovery\RequiresRedirect = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\ServiceDiscovery\Vdir = "_wmcs/servicediscovery"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\Licensing\Vdir = "_wmcs/licensing"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\Licensing\RequiresBrowser = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Certification	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Licensing	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Certification\Vdir = "_wmcs/certification"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Licensing\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\Licensing\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\Certification\RequiresBrowser = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\ServiceDiscovery	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\ServiceDiscovery\RequiresBrowser = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\IssuanceLicV2Enabled = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Licensing\RequiresBrowser = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\Licensing	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\ServiceDiscovery\RequiresBrowser = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\Licensing\Vdir = "_wmcs/licensing"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\ServiceDiscovery\Vdir = "_wmcs/servicediscovery"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Licensing\Vdir = "_wmcs/licensing"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\ServerType = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\Certification\RequiresRedirect = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\ServiceDiscovery	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Certification\Vdir = "_wmcs/oauth2/certification"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\Certification\RequiresBrowser = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\ServiceDiscovery\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Certification\RequiresBrowser = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Certification\Vdir = "_wmcs/certificationexternal"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Licensing	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\ServiceDiscovery	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Certification	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\ServiceDiscovery\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Licensing\RequiresBrowser = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Certification	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4304	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4304	EXCEL.EXE
4304	EXCEL.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4304	EXCEL.EXE
4304	EXCEL.EXE
4304	EXCEL.EXE
4304	EXCEL.EXE
4304	EXCEL.EXE
4304	EXCEL.EXE
4304	EXCEL.EXE
4304	EXCEL.EXE
4304	EXCEL.EXE
4304	EXCEL.EXE
4304	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\質問事項_20241119.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\MSIPC\CERT-Machine.drm

Filesize
25KB

MD5
7308b3726566fa0aa36a088a06330f4c

SHA1
f31da995c058631b34f3250931e2a61dc4bec97a

SHA256
544e91c93c1eab807e5cf7a3c564b90d4594324500b32700ba84136a8e38a15e

SHA512
feac76fa4d2b0702bdc94e5606b1c67ce8e434df5a80cec10838042353b6f3fd99718954dc102e5557242f949478405bce445f7304dd5fb6dbc9ae1a53a4b0d9

Download Submit
memory/4304-16-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/4304-4-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/4304-3-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/4304-2-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/4304-5-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/4304-6-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/4304-7-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/4304-14-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/4304-0-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

Filesize
64KB

Download
memory/4304-17-0x00007FFD4AB00000-0x00007FFD4AB10000-memory.dmp

Filesize
64KB

Download
memory/4304-13-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/4304-18-0x00007FFD4AB00000-0x00007FFD4AB10000-memory.dmp

Filesize
64KB

Download
memory/4304-15-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/4304-12-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/4304-11-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/4304-10-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/4304-9-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/4304-8-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download
memory/4304-1-0x00007FFD8D3CD000-0x00007FFD8D3CE000-memory.dmp

Filesize
4KB

Download
memory/4304-56-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads