21100a7783a549a748c7f9e0a920982efa9e6d3f49d42f298d5bc92a095ee773

General

Target

6654 - Nutt - Grant - Internal Floors.xls
Size

266KB
MD5

fa3a9ddb602a352ee6cca70bbb4dbf4a
SHA1

e35bf4961ef3fc56f1f77514be9aced17acac529
SHA256

21100a7783a549a748c7f9e0a920982efa9e6d3f49d42f298d5bc92a095ee773
SHA512

02ba561e3f0dc4f849d9388e93024a9573017ffa15bd6361d40ab6ec683ac928183e8d58081caa4535ab4a1bdca06c3519df98823241e0cbf757932e8f0356cf
SSDEEP

6144:rxEtjPOtioVjDGUU1qfDlavx+lXI01T/q0orpdr2Gf5xx:5Ti0orpdrL

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1436	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1436	EXCEL.EXE
1436	EXCEL.EXE

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
3176	OpenWith.exe
3176	OpenWith.exe
3176	OpenWith.exe
3176	OpenWith.exe
3176	OpenWith.exe
1436	EXCEL.EXE
1436	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\6654 - Nutt - Grant - Internal Floors.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
373a862fb34c8a525bc71263c664659f

SHA1
8aa1e94e0ed35e333c0dc29da61b21fe3557b0a3

SHA256
283c667920abbf5885b242a09657c445a88db3a25e4fa3ec5a17d78f35d4f6cf

SHA512
a6d36588ecc07a88c23ac7c83d1f2c2ae06f1b4007ba6021a0594c0f35716758a4cb013437c9e503304df2171c9ef5b223a547b4695995843440179b35cc0fad

Download Submit
memory/1436-16-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-56-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-2-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download
memory/1436-6-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-4-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download
memory/1436-5-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-7-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download
memory/1436-10-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-9-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-11-0x00007FFA21420000-0x00007FFA21430000-memory.dmp

Filesize
64KB

Download
memory/1436-8-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-17-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-3-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download
memory/1436-14-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-12-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-13-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-15-0x00007FFA21420000-0x00007FFA21430000-memory.dmp

Filesize
64KB

Download
memory/1436-46-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-47-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-48-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-49-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-50-0x00007FFA63ACD000-0x00007FFA63ACE000-memory.dmp

Filesize
4KB

Download
memory/1436-51-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-52-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-1-0x00007FFA63ACD000-0x00007FFA63ACE000-memory.dmp

Filesize
4KB

Download
memory/1436-57-0x00007FFA63A30000-0x00007FFA63C25000-memory.dmp

Filesize
2.0MB

Download
memory/1436-0-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads