3b61757c276c9f823c8d49f5322338891335c6ea17649ba0b39e36237d5d399d

Analysis

max time kernel
131s
max time network
256s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware-samples-master/mitre-attack/Emotet+Trickbot_comparison.xlsx
Size

14KB
MD5

248cd700a82449f4b0d107e6a934ae2b
SHA1

d1763d827d614ddd6f3ca046ec6d1cf880f4dc25
SHA256

6ff88255226a7f0de338e8383904a6fd8af5eb630c28ae6846b107de41fa22ef
SHA512

c5755cc015b3e6aa30ce1c87c05a7712fc7939f57d7d470025a50c8d280ad53d97701f34b85b8f9300652989720915ccac28a22925e73ea48455116f37c31746
SSDEEP

384:YlbZERmunyjfOOTXC6ACMYMx3pF5dBwDVfJZKTvazDpzQ:OdunyXXC6jzqTKVxZ7zDC

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4036	EXCEL.EXE
3932	POWERPNT.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4036	EXCEL.EXE
4036	EXCEL.EXE
4036	EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4036	EXCEL.EXE
4036	EXCEL.EXE
4036	EXCEL.EXE
4036	EXCEL.EXE
4036	EXCEL.EXE
4036	EXCEL.EXE
4036	EXCEL.EXE
4036	EXCEL.EXE
4036	EXCEL.EXE
4036	EXCEL.EXE
4036	EXCEL.EXE
4036	EXCEL.EXE
3932	POWERPNT.EXE
3932	POWERPNT.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\malware-samples-master\mitre-attack\Emotet+Trickbot_comparison.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\ResolveDisconnect.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B39827ED-BC2F-41EB-8CD4-BB862BB674AF

Filesize
177KB

MD5
8678e6e6ba297f0870618d262a6193b5

SHA1
986100b8762a185c28a39ce25a81a18b2df8ff02

SHA256
cb4eed1356794ed167662cedabd7634440900e58ab00f3a594d2a95ce9756067

SHA512
ac2ad95db376005df8d438e35f726f7403279052d5c978de77cbfb4e735b9b2b8a56a9dbd22f43c7d9894750357f0294ad76a83efd1461290c80c8abe0b0cc26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
beb04f4eae8c5a7d246ea03003c2636c

SHA1
4d43f0339450121b741b4347e5b4713b2622b11a

SHA256
f0bc7b460f9bc44d2a4dfc83c418fac64f2d70e4475ece90557c8e792763d443

SHA512
b17390cb3e7222f6de3194a5bed5fd4d29edbe56811acc251dc4144aac9cf19074a28cd18cdaf8a4cb9f20e943968f04d57f55535ec0aa1e49aa7b1dc8517ff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
308776a5b7a637efdfca76f5959328f3

SHA1
21f3b80672c462ddc1ceafc9620a04f479a69ac8

SHA256
27dc2a66322ebfdee42c9e2b74acb671e68717ba26310b36bd0a74dfd2dc1d73

SHA512
b2ca2a57e27214465972141404efd29aae75cd93f0a80269a9503b01282ac2915c437d1b33292710ec4107fdadce85c791e1c6bc465792353561b5104e40a206

Download Submit
memory/3932-85-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/3932-84-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/3932-59-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/3932-87-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/3932-86-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/3932-65-0x00007FF8FAD50000-0x00007FF8FAD60000-memory.dmp

Filesize
64KB

Download
memory/3932-64-0x00007FF8FAD50000-0x00007FF8FAD60000-memory.dmp

Filesize
64KB

Download
memory/3932-63-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/3932-62-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/3932-60-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/3932-61-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/4036-13-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-57-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/4036-16-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-17-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-20-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-21-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-19-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-18-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-31-0x00007FF93CF8D000-0x00007FF93CF8E000-memory.dmp

Filesize
4KB

Download
memory/4036-32-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-33-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-55-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/4036-58-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-54-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/4036-56-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/4036-15-0x00007FF8FAD50000-0x00007FF8FAD60000-memory.dmp

Filesize
64KB

Download
memory/4036-14-0x00007FF8FAD50000-0x00007FF8FAD60000-memory.dmp

Filesize
64KB

Download
memory/4036-10-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-11-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-0-0x00007FF93CF8D000-0x00007FF93CF8E000-memory.dmp

Filesize
4KB

Download
memory/4036-12-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-7-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/4036-8-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-9-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-5-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-6-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4036-4-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/4036-2-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/4036-3-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download
memory/4036-1-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads