Resubmissions
24-11-2022 06:51
221124-hmxkcaab5t 8
Analysis
max time kernel: 152s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 24-11-2022 06:51
Behavioral task: behavioral1
Sample: 2339fed4b750289c8d96ab383cf5e2518d869cac5c6f0137727698cd6ef1d516.xls
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 2339fed4b750289c8d96ab383cf5e2518d869cac5c6f0137727698cd6ef1d516.xls
Resource: win10v2004-20221111-en
General
Target: 2339fed4b750289c8d96ab383cf5e2518d869cac5c6f0137727698cd6ef1d516.xls
Size: 2.9MB
MD5: fac06f63a30fcef45c3e7763442ed2ac
SHA1: c968479775090d6e6a0e8c4f64f4abedd30d1031
SHA256: 2339fed4b750289c8d96ab383cf5e2518d869cac5c6f0137727698cd6ef1d516
SHA512: cdc47aad19c03254aadc67df1486622029d2f7bae1b5ad717b966bdac193668b82edaf8bb09acc05b37d4299455ba90dc17f9ea937e139e701b4b5f0cea1a442
SSDEEP: 49152:U9pINpEYW5CFdwR3t1bqIMFDBj2XGjP/q+QxMO8w4Cfu2gwkOl0AyA:UzPIdwRPXy28/q+QxMOj3u2pkA0AX
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
    description        ioc                                                                          process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0              EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz         EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
    description        ioc                                                                          process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU                  EXCEL.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                            EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily               EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: EXCEL.EXE
    pid   process
    3352  EXCEL.EXE
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes: EXCEL.EXE
    pid   process
    3352  EXCEL.EXE (8 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: cmd.exe
    description                        pid   process  target process
    PID 3952 wrote to memory of 996    3952  cmd.exe  cscript.exe
    PID 3952 wrote to memory of 996    3952  cmd.exe  cscript.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2339fed4b750289c8d96ab383cf5e2518d869cac5c6f0137727698cd6ef1d516.xls"
  PID: 3352
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SYSTEM32\cmd.exe (depth 1)
  Command line: C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\Pictures\pbs.bat"
  PID: 4016
- C:\Windows\SYSTEM32\cmd.exe (depth 1)
  Command line: C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\Music\pbs.bat"
  PID: 3952
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cscript.exe (depth 2)
    Command line: cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
    PID: 996
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\_.vbs
  Filesize: 394B
  MD5: 60b24b37aa7903b56417dd58bbebe79d
  SHA1: f9903905822f5137daaf9b4c4e4ee77c7fa30d0c
  SHA256: 1eed3b5fb6950cfa605fd9e9842327b1fe1d123cb8a34d84bc1b778501288e4f
  SHA512: 8c350e94eeae83044a3ff38c0e5602c6869f968e8f46815d96ad22b53b13b5e12a2a0e5de163f537d7d13f67f2c5897f0fb71c0c1c4b89ab313d5ad246cf7c4f
- C:\Users\Public\Music\comd.zip
  Filesize: 6KB
  MD5: bc70155ae15384745ed54c75e64a742c
  SHA1: fd395c0a97a2d9bbf2b81e340bde3d9ec343b1da
  SHA256: bccd012a10654274fc9e8fe29ba1326c97ccbea4c5567799edc1444d94ad265d
  SHA512: 3c554df9dd621d4b0252bd257532fe1850683618d0e41cd3ca495c21cc6315905b20a548d328782c2f36065b6591a7458c447af478345217ef79b97979167f69
- C:\Users\Public\Music\pbs.bat
  Filesize: 806B
  MD5: 09c4c9515e23983c547900f8485b42aa
  SHA1: 1554e3394cde60e8098698d07b1adf4855c93f11
  SHA256: d04eb5c19554dc86d2b717bf09b2f3eac545923165426df6630ad4b3e9788f73
  SHA512: 9b101eba85a4eb73b669b7fb6d8ff61d9ea9587df82257889f4dcd60556b2b01534a56eaa48e1a51eb82584419deebba2e036101100d5d41d8d352e76233a644
- memory/996-140-0x0000000000000000-mapping.dmp
- memory/3352-132-0x00007FFBACEB0000-0x00007FFBACEC0000-memory.dmp
  Filesize: 64KB
- memory/3352-133-0x00007FFBACEB0000-0x00007FFBACEC0000-memory.dmp
  Filesize: 64KB
- memory/3352-134-0x00007FFBACEB0000-0x00007FFBACEC0000-memory.dmp
  Filesize: 64KB
- memory/3352-135-0x00007FFBACEB0000-0x00007FFBACEC0000-memory.dmp
  Filesize: 64KB
- memory/3352-136-0x00007FFBACEB0000-0x00007FFBACEC0000-memory.dmp
  Filesize: 64KB
- memory/3352-137-0x00007FFBAA790000-0x00007FFBAA7A0000-memory.dmp
  Filesize: 64KB
- memory/3352-138-0x00007FFBAA790000-0x00007FFBAA7A0000-memory.dmp
  Filesize: 64KB