b39a66d47b101cc7ba2ea46641323eff4b5977d91ffa797e47d6a1d12f1c42c2

Analysis

max time kernel
47s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b39a66d47b101cc7ba2ea46641323eff4b5977d91ffa797e47d6a1d12f1c42c2.xls
Size

1.5MB
MD5

0927044be2a506018a9ae8c14356ca08
SHA1

774590b3ea66135d2e19f9e973e185a69f8f008e
SHA256

b39a66d47b101cc7ba2ea46641323eff4b5977d91ffa797e47d6a1d12f1c42c2
SHA512

302135b319cab7ec17582c9071d8eed3d6088f4e89c209cea1b337f499b4dba6e014f6b556bf5eac64814fe666c54b5aa92cf902cc1575a927bffe3e4f36cea9
SSDEEP

24576:78wPiXeV+fXR++idpgv/v5/r7DtYM9tnTEVxDCY6femXHxG+RUD/YsWeD:gwPiX4kYOf8

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5276	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5276	EXCEL.EXE
5276	EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
5276	EXCEL.EXE
5276	EXCEL.EXE
5276	EXCEL.EXE
5276	EXCEL.EXE
5276	EXCEL.EXE
5276	EXCEL.EXE
5276	EXCEL.EXE
5276	EXCEL.EXE
5276	EXCEL.EXE
5276	EXCEL.EXE
5276	EXCEL.EXE
5276	EXCEL.EXE
5276	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5276 wrote to memory of 4652	5276	EXCEL.EXE	89
PID 5276 wrote to memory of 4652	5276	EXCEL.EXE	89

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b39a66d47b101cc7ba2ea46641323eff4b5977d91ffa797e47d6a1d12f1c42c2.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5276
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
f4bd4b9f88e980337919fe5acb6e9998

SHA1
3f393f8cb7f81cf3dab5c67dfd7a54f254270ce2

SHA256
d0b36cc3e9911021927226a469f886113062008f15b6f2783114434c3106d274

SHA512
20dce84ef084777c2677aef5cc872d062f441733db10dff7b5a57e59f8d0a8107a1152a8223b76651c725ab75eb4ffc9fa1323acad28d284c2284d52f6fd30f4

Download Submit
memory/5276-16-0x00007FF7FAE20000-0x00007FF7FAE30000-memory.dmp

Filesize
64KB

Download
memory/5276-20-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-9-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-13-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-14-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-12-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-15-0x00007FF7FAE20000-0x00007FF7FAE30000-memory.dmp

Filesize
64KB

Download
memory/5276-11-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-10-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-18-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-8-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-19-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-4-0x00007FF83D10D000-0x00007FF83D10E000-memory.dmp

Filesize
4KB

Download
memory/5276-17-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-7-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-6-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-2-0x00007FF7FD0F0000-0x00007FF7FD100000-memory.dmp

Filesize
64KB

Download
memory/5276-3-0x00007FF7FD0F0000-0x00007FF7FD100000-memory.dmp

Filesize
64KB

Download
memory/5276-1-0x00007FF7FD0F0000-0x00007FF7FD100000-memory.dmp

Filesize
64KB

Download
memory/5276-0-0x00007FF7FD0F0000-0x00007FF7FD100000-memory.dmp

Filesize
64KB

Download
memory/5276-38-0x00007FF83D070000-0x00007FF83D265000-memory.dmp

Filesize
2.0MB

Download
memory/5276-5-0x00007FF7FD0F0000-0x00007FF7FD100000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads