245303a91378f8739407e2b274e91c77313ad43d837bf1448f2d84e61338ecb7

Analysis

max time kernel
133s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

中国南方电网有限责任公司总部2012年一级物资集中招标35千伏及以上交流项�.xls
Size

8KB
MD5

c3b2ec97cbfac33d0f966c8d504f6a81
SHA1

96186ea73e4554e674e7cf1f74fa8810fcde7a2a
SHA256

b3dd6e6b72ae0cee51e1f25349b8a4e805fcbe468f017724d0b67d0ffae49e80
SHA512

931ad2edaaad7e796ab60b9f6b614f34b9d9c484db565dfcb53903f2200d8dac070cfdbe583a43830f24e918eac2aa11fd71c41556d296130e8ac652670586d9
SSDEEP

96:/o68k43AgdLSUX2dIEH8R+IiMUNb9ZcNgYYLCPYycrNEcpw8wZ2a79xdyHIq:/o68k43AgdLSUX0MiMR2PLL1f

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4188 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE
4188	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\中国南方电网有限责任公司总部2012年一级物资集中招标35千伏及以上交流项�.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
eb0b3b0927e4bf5e01a23184b258d14a

SHA1
06cf24b61778b6bc5f7a080b1db5f0e23e856b18

SHA256
943bcffd1c7f9ccd6a54f998cf580cc9f2ee2b9488898b6ba76454e30f4b4ca1

SHA512
558010baa56a69c27c91a79b83781568f766fa6d3e85120ba312b1c3b96a28e537223614d3e58fcc57e00540f20488efd4b9604f67a31b0c8bc3a27518ca5b27

Download Submit
memory/4188-14-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-31-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-2-0x00007FFA68A70000-0x00007FFA68A80000-memory.dmp

Filesize
64KB

Download
memory/4188-4-0x00007FFA68A70000-0x00007FFA68A80000-memory.dmp

Filesize
64KB

Download
memory/4188-8-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-7-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-6-0x00007FFA68A70000-0x00007FFA68A80000-memory.dmp

Filesize
64KB

Download
memory/4188-5-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-11-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-13-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-1-0x00007FFAA8A8D000-0x00007FFAA8A8E000-memory.dmp

Filesize
4KB

Download
memory/4188-3-0x00007FFA68A70000-0x00007FFA68A80000-memory.dmp

Filesize
64KB

Download
memory/4188-17-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-16-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-15-0x00007FFA668B0000-0x00007FFA668C0000-memory.dmp

Filesize
64KB

Download
memory/4188-12-0x00007FFA668B0000-0x00007FFA668C0000-memory.dmp

Filesize
64KB

Download
memory/4188-19-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-18-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-9-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-29-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-30-0x00007FFAA8A8D000-0x00007FFAA8A8E000-memory.dmp

Filesize
4KB

Download
memory/4188-0-0x00007FFA68A70000-0x00007FFA68A80000-memory.dmp

Filesize
64KB

Download
memory/4188-35-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4188-10-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

Filesize
2.0MB

Download