fab850a4a5c67c038babb9892f805555ae07e95a922577085f56ff810eedf876

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14E11B88.xls
Size

29KB
MD5

9fba7fbd5906be19a22a8df0baea3f8e
SHA1

6648d7997e3af6f190022dc7dbe4bb5781bc5905
SHA256

fab850a4a5c67c038babb9892f805555ae07e95a922577085f56ff810eedf876
SHA512

af9497508f6b887ddea0da603e63e876286e3a239aec57051de9f1812728a3e1f9492c10fab9c642c16be8fd358340fded723b8a066aba57b1f8f5c86a353be1
SSDEEP

384:uvSof29taGeqt57hWG7ASVHjHmZHiTWMXBw1HSdb:Vof23aGeqt57hWG79HbY62wb

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4052 EXCEL.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

EXCEL.EXE

pid	process
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE
4052	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\14E11B88.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VB7E78.tmp

Filesize
907B

MD5
75b8ae072b04a350b1df39d1f2e2ece4

SHA1
364363a151a86f85f49b8cf272bf63c05355835c

SHA256
d85d7b346cc4912ab4092b269aaa9864d0e1aa67b52e0cfacf711df9d0427747

SHA512
f7ef701fe056954d9d4a08ed0a397a3326c5fe8ecb704a47c1631ff2a9235a9be2a4865f1fa8b433872e7631e0cd76a0739b3b6407c704741f5bd05705556ca0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\C3975E00

Filesize
8KB

MD5
46edc2d2b7f7076e6ae9caff9d6e85fa

SHA1
d79e3823e7486a12ce966d1d0892fa163815be21

SHA256
fa9dda78177a478ca036543774a854c7784425f77251f67734f9a9e7a2583442

SHA512
c86d0ce3e74ddb6a06bc1896c258adafe65ccf473b1d33a202f6568df8aa93acc0877f599724f0bc6cd5dc070329b970a13da1a258f317e663beeae65db36c76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\StartUp.xls

Filesize
8KB

MD5
819d6c4e01b80097040b52edaf097790

SHA1
3de533caac82c768308e157de6944b7c6d3a5ed3

SHA256
fe176bf9f8eb1f27ca36ac41e52e5a603766a30eb2385c612141b9c5e8857e00

SHA512
3ac6301daa5f3b8cf305ee6d6cc5f808c0355b9159631bace66ec9313de709d95920f3d0e2fdfc2faac9e4b0dc65111f381ceee82896930969b85299239c0075

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
326B

MD5
d54689b1c8beb699fd3d6ba5dcac4ea9

SHA1
3017799eff7727fd2b17a571085af429778607a3

SHA256
5fb189ea85d0d2458163b6e03fbeca16cee1f7ac8093fe28dd23c8dfa36860df

SHA512
d4bb4f2490de7f5cddfc71715dbec37b18b5d1d6f843a0f487149f36c03fbd1f87df9f50645227d398abb44708226fedad6d99693b4600fbc9653bcf9adc9fd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
b146489d3a228e87e2d97a499df01f60

SHA1
ae2e56f15bf3d251e497cab10ffbff573e38141b

SHA256
42b0adcb75a1299a6554099b4969a9a0cc6f263dfbea76b601191403256a5c10

SHA512
2c1321db76d3e075a1f7ecc2223bf233c086fb74434484edce512105ddbf90cc6f2a3514f99b74888dc2256a678e98b22956fc89222db7c7e37b49beef226eb0

Download Submit
memory/4052-46-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-5-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-13-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-14-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-15-0x00007FF8AC480000-0x00007FF8AC490000-memory.dmp

Filesize
64KB

Download
memory/4052-12-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-11-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-16-0x00007FF8AC480000-0x00007FF8AC490000-memory.dmp

Filesize
64KB

Download
memory/4052-17-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-19-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-21-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-20-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-18-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-10-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-9-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-7-0x00007FF8AE910000-0x00007FF8AE920000-memory.dmp

Filesize
64KB

Download
memory/4052-6-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-3-0x00007FF8EE92D000-0x00007FF8EE92E000-memory.dmp

Filesize
4KB

Download
memory/4052-45-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-8-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-54-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-44-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-55-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-4-0x00007FF8AE910000-0x00007FF8AE920000-memory.dmp

Filesize
64KB

Download
memory/4052-0-0x00007FF8AE910000-0x00007FF8AE920000-memory.dmp

Filesize
64KB

Download
memory/4052-80-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-1-0x00007FF8AE910000-0x00007FF8AE920000-memory.dmp

Filesize
64KB

Download
memory/4052-105-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-107-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-106-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-104-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-109-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-108-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-110-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-114-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-2-0x00007FF8AE910000-0x00007FF8AE920000-memory.dmp

Filesize
64KB

Download
memory/4052-120-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-122-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/4052-123-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download