Analysis
-
max time kernel
133s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03/12/2024, 08:44
Static task
static1
Behavioral task
behavioral1
Sample
RFQ202451281.xls
Resource
win10v2004-20241007-en
General
-
Target
RFQ202451281.xls
-
Size
1.0MB
-
MD5
d178550ccbceb07c4175b26df95b854c
-
SHA1
b9963b21b99610f15d223f4428d8efeccb50cdf9
-
SHA256
f0df25ea720e6dcd761d2050d552b180dd8b70d29b43e0099c65ffba997a34a4
-
SHA512
cc34d5d93c52e2cd845530ff8fc381d4d76f8619590795453c73ed8486104ed87379387f38173d7efb2448c6d3952a2fbe32331bf74e8bca3f636d185fe1360f
-
SSDEEP
12288:P9AJvwvY1JPEM2QAwEUs6geRrZqxEeFtPokfDA9M8fJp1EJ7CLXvgI6w9A:OJvwADPh2W/dSEG7P0EmLt
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5060 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 5060 EXCEL.EXE 5060 EXCEL.EXE 5060 EXCEL.EXE 5060 EXCEL.EXE 5060 EXCEL.EXE 5060 EXCEL.EXE 5060 EXCEL.EXE 5060 EXCEL.EXE 5060 EXCEL.EXE 5060 EXCEL.EXE 5060 EXCEL.EXE 5060 EXCEL.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RFQ202451281.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5060
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize1KB
MD567be45b69d37d658f35532fc4f28a78b
SHA1fc71eca5af11452fad197301b4edf3d5bcaa70fb
SHA256c552bfbb512b16456be9cdb813bf302286683b0b41fa7b91aa9270242531015b
SHA51275bcb5649a88bf37115e29abe765723e2eb79c616c624bcb8a0125ea0b60d9fbc5cd9a3891f3047a34999f7ff8540a339aa94f08a3005df86c3a23d9124096f4