Analysis
-
max time kernel
47s -
max time network
43s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
27/03/2025, 21:48
Behavioral task
behavioral1
Sample
e8243015e8488a791da6436403e11dd196c4e6ab67dea372bc8bcfd5aa8b1382.xls
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e8243015e8488a791da6436403e11dd196c4e6ab67dea372bc8bcfd5aa8b1382.xls
Resource
win10v2004-20250314-en
General
-
Target
e8243015e8488a791da6436403e11dd196c4e6ab67dea372bc8bcfd5aa8b1382.xls
-
Size
1.5MB
-
MD5
20e9fa1e9a501fe1054036ddf88b6014
-
SHA1
321cc7ad90ef1785b7e45fb969a364e1ab359124
-
SHA256
e8243015e8488a791da6436403e11dd196c4e6ab67dea372bc8bcfd5aa8b1382
-
SHA512
b71d005d49f15a5ec58dffe10d4c46bbbd8acf023d42b45ffce1ef9f613d437c71520b3d9619ac60a7937397f67ef8fc7b5f4aab7a7a8530c8c7fc3557df7abc
-
SSDEEP
24576:H+/Ll5GV+fXx++A9/gP/np/r7htYo9dxTEVxDuY61em1PxGa7Uh/YmeeD:e/Ll5mQYU1Q
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5500 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 5500 EXCEL.EXE 5500 EXCEL.EXE 5500 EXCEL.EXE 5500 EXCEL.EXE 5500 EXCEL.EXE 5500 EXCEL.EXE 5500 EXCEL.EXE 5500 EXCEL.EXE 5500 EXCEL.EXE 5500 EXCEL.EXE 5500 EXCEL.EXE 5500 EXCEL.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 5500 wrote to memory of 4608 5500 EXCEL.EXE 90 PID 5500 wrote to memory of 4608 5500 EXCEL.EXE 90
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e8243015e8488a791da6436403e11dd196c4e6ab67dea372bc8bcfd5aa8b1382.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5500 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:4608
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4868
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize1KB
MD5ead13789a7f7c5bb264cb9bf80fca612
SHA1545ff32de00f83f7dcdddeb3fb817bf788ea4a0a
SHA256ee22bd40b81862048499bcdb5ee8be6e21bf94f0166bcfce477430fb1fa2b101
SHA512661cbb3601d729beed5983d2d882693a1bf267ea0df2d21424dc7e1e27a8dd5b223910a3520e2f014452939cb5ee9ac7a9473b2a55f75ed65ef35e38b54f9190