19cd8f798e2e008e2e34816bee574bc376bcaa260c4f6e2cc17ec24d88c3b39c

Resubmissions

21/11/2024, 09:54

241121-lxg47a1hjl 1

21/11/2024, 09:41

241121-ln3pja1gmq 3

Analysis

max time kernel
96s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

質問事項_20241119.xlsx
Size

46KB
MD5

b8b6866de956126b4a4e0c68a423a1b0
SHA1

d0e438bcfb27b469aabbb4bc55971e7eabbfe3df
SHA256

19cd8f798e2e008e2e34816bee574bc376bcaa260c4f6e2cc17ec24d88c3b39c
SHA512

3389dd5bb0fe8a675eee9a531b45b121d2a37a180ec8c598a2ecc126acbe4f6b3351eccabba01a0ddea6248844ea409946819f10415e10b1edf0342d361836f8
SSDEEP

768:oktZf/HwMhZhj7C6srKUcfDL1oloob1QJeD9esrgG+we82mPWbc1:JP3QMnpC6oWqZbCJeD9tUGwI

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\Licensing\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\ServiceDiscovery\RequiresRedirect = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\ServiceDiscovery\Vdir = "_wmcs/servicediscovery"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Certification\RequiresBrowser = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Licensing	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Certification	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\ServiceDiscovery	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Certification	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Certification\QueryString = "?Whr=urn:microsoftrmsonline:x509"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\IssuanceLicV2Enabled = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\Version = "1.0.0.0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\Certification\RequiresBrowser = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\ServiceDiscovery\RequiresBrowser = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\ServiceDiscovery\Vdir = "_wmcs/servicediscovery"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\ServiceDiscovery\Vdir = "_wmcs/servicediscovery"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\ServiceDiscovery\Vdir = "_wmcs/servicediscovery"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\ServiceDiscovery	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Licensing\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Certification\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\Certification\RequiresRedirect = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\ServiceDiscovery\RequiresRedirect = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\Certification\Vdir = "_wmcs/certification"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\ServiceDiscovery	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Certification\RequiresBrowser = "0"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\MSIPP-MK = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a2460000000004000000200000001066000000010000200000009335b635226a7354158ef8804b66ec4938b596037c4efe0c45df44411c646844000000000e8000000002000020000000d1ae295d876fe103f9a3fbabc10be4bf9826c476c57606656a7add17a853ecb1a0040000d2eacab9a8ecb1e6ba43e26b20a38b03915b56bb4368bdbcc3a06ddbe57e58cbeb522426072d3014f4855d5bcb3a47824f60c6c78e3f618c0ec85e6ea3185817c8eb4aec44688525db84986628ac2e9988ac914be9fac216bf2556983dcbb37eabf7c0979bc0a4f6c7c07bce75874b4a415d2a270afce59417bcd11fd38a191fa40db5c376c300733cdb5ce8d3a07485cb3e08a1fe8398256781d238f2dde04654e15263a207d50f736bf6398cf8d4547996be7a2562ea2f8636014287455ee2b47fc5c475e5f61745ece412a96a392d6349bf17070a35d5ecc9b4fbf62f5b914d3b1c7aec9c2cbb5843cda0b82f8c573a666c1160194e66ba0bcab5787a0f2201e49cba0a87a68894018bd02639ea0fa060268b0df04fc6518d8b4f962be8b285dcd4b288bca3752912ac532cb5c05dfc4b46d5d7c7c9470081d059c0e3a015d6cfcb5f1c69139ec5af5a0930d28907ebdf6dbb2b265b52410f389c6aa543966b470bfe15c070419f6eb528f6f19eceaf57927e55b122a734f5363709c94eb6e4d4e368f0b2719889a1b14ef8527fe1a58f2e770d14b180bc9c37aee2e1bb1b452ef04cc81975e3b445a2791f927328f866d9a39ee0e0dc92a2dfdd7484bd766302b37abf61fb151c967c08611b6ee793ebd4e302f3251a4df6ebe7e073e84bd80884efc703347a8f0031538dd3542740ac10d3d029e166bc0481eac156bed3248517d9192c52d6df2fc79a511865df8203e22f6615c999ac299f8dae0f8e57b5b083ec3e8b9cf73c6c4d600c5473f6534350d9c3f91d7053bf61ef5c2a504cd139387adcb33d71596a8151e66e2f36926059ea2eb2c53f4a142a2cd1b253b3f72c0fe239aab3126700dc5ae896f961b4579a2caeb8c91ae58f2672aa2e308fe749524b548bde1a7eeb7505f27b5a5a08b6bd6768ef05e603abdd98e48600c48e5cc2349a10b7aa0e1d134888a59818364735025c628fe94b4b4ba14e6a9ab5ddca7e101c8baf44ead7231a712c908e2870131ed64c58800f51e038bbef2d303ea83015854f6e359a15ccbb11555e0cd00bb55395812e49b4ee85dd78a4f10bf6c2b34390b98cbf2ef70d9826120665d9afe7ec06a16cec6fefc69d3889bbb84a2c0526c8c753854af82a26b2ce74bc06442c92ce23a3fe3964e0ca413352613cdc225272a2286e5acb987d008a286720b80365ef263d5b1bbfa6ef25ef74fe840fed839a57d333acc7b8e08a398ab15426d52b9b5df7d2cbd0d442ea48ae5c88fffb286b15c0f70799c6fe7c8458d9b99e6f4b25c2e3742d6f142ebd96f4bb4bd17988502bc8af0be5b0b9be508b583ecd23b08e2bc87e6057ea330395802b04c78e435450e315ae68b3981c01d35f8c0ec9452ddb7c1e318c4380e6add6613008c01bb38593e837808f39c8f3fc2e4a10bb3fed3f78af953ab22e043f85460e201b6b61a24537bb56bd10a58cac5c9c352bdce676ea6c1501aef14e58a684e9e2c84fc0401920b55af25d668c1e019be8e7148f5c53bb17cbd11e9b264bfdef850cfe4771d925f7c7954c905d042a0952ae574b6f6ef21c5e7964c109403a01b6d19fd8636eb6bc212bba0611587d51ee7a01b49282939c2f37433e4d167558fa470efc84e90f59fab4eedaff9e6e53a3bc661ea4ef9a9cd494c62119325340000000fae0bbcdba28875483e4e79c733da83c6f8aabcffe691715684ff18d32bcead35e6987a46d43641e236abcbfe5efe942da273023743675588bd55325be590572	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Licensing\Vdir = "_wmcs/licensing"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\Certification\Vdir = "_wmcs/certificationexternal"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\Certification\RequiresRedirect = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Licensing\Vdir = "_wmcs/licensing"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Certification\RequiresRedirect = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Licensing\Vdir = "_wmcs/licensing"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Licensing\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\ServiceDiscovery\RequiresBrowser = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\Certification\QueryString = "?Whr=urn:HostedRmsOnlineService:Certification"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\ServiceDiscovery\RequiresBrowser = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\ServiceDiscovery\RequiresRedirect = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Licensing	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\Licensing\RequiresBrowser = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\ServiceDiscovery\RequiresRedirect = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Licensing	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\Licensing\RequiresBrowser = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Certification\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Licensing\RequiresBrowser = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\ServiceDiscoveryUriChecked = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\ServiceDiscovery\RequiresRedirect = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\Licensing	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msosso\Licensing\Vdir = "_wmcs/licensing"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Licensing\RequiresBrowser = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\ServiceDiscoveryUri = "https://454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com/_wmcs/servicediscovery"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Certification\Vdir = "_wmcs/certification"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\x509\Certification\Vdir = "_wmcs/certificationexternal"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\Licensing	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msossp\Licensing\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\oauth2\Licensing\RequiresRedirect = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\ServerType = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\SOFTWARE\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Certification	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\MSIPC\454177d2-88c6-4894-9d18-ee09d83f28dc.rms.ap.aadrm.com\ServerInfo\AuthTypes\msospn\Licensing\RequiresBrowser = "0"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1156	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1156	EXCEL.EXE
1156	EXCEL.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1156	EXCEL.EXE
1156	EXCEL.EXE
1156	EXCEL.EXE
1156	EXCEL.EXE
1156	EXCEL.EXE
1156	EXCEL.EXE
1156	EXCEL.EXE
1156	EXCEL.EXE
1156	EXCEL.EXE
1156	EXCEL.EXE
1156	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\質問事項_20241119.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\MSIPC\CERT-Machine.drm

Filesize
25KB

MD5
565b22031ac4b012a5269754fda1afa0

SHA1
852c1f5ecbea5761eb8630b8fc171e655d1ebdfe

SHA256
5952f18decfe3edc6e67f2c35abab94911b4b844ace35deb51d50db1d7ef31b9

SHA512
9a4df59650fc04fe53074c8dfd661be69f26ce68aa1ca4b9f955604b48cc8bc649d6e73bb60723d5df4a6c4a941ebcad0c42ee83583eb0ce60ae9a374f6bf65f

Download Submit
memory/1156-7-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

Filesize
64KB

Download
memory/1156-14-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/1156-2-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

Filesize
64KB

Download
memory/1156-6-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/1156-8-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/1156-9-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/1156-11-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/1156-12-0x00007FFD0AEA0000-0x00007FFD0AEB0000-memory.dmp

Filesize
64KB

Download
memory/1156-10-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/1156-19-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/1156-3-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

Filesize
64KB

Download
memory/1156-13-0x00007FFD0AEA0000-0x00007FFD0AEB0000-memory.dmp

Filesize
64KB

Download
memory/1156-0-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

Filesize
64KB

Download
memory/1156-20-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/1156-18-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/1156-17-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/1156-16-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/1156-15-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/1156-5-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download
memory/1156-4-0x00007FFD0D5F0000-0x00007FFD0D600000-memory.dmp

Filesize
64KB

Download
memory/1156-1-0x00007FFD4D60D000-0x00007FFD4D60E000-memory.dmp

Filesize
4KB

Download
memory/1156-58-0x00007FFD4D570000-0x00007FFD4D765000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads