Analysis
-
max time kernel
177s -
max time network
186s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
28-11-2022 12:56
General
-
Target
46d9563085f0ec2e84749d4e4a3dc1d918406451f094490494b7298cc43a2dde.xls
-
Size
106KB
-
MD5
1e63aede3179652c36618702c0e79b8b
-
SHA1
15bb4c957f1361f9112b33fdd7442e968fb9ea81
-
SHA256
46d9563085f0ec2e84749d4e4a3dc1d918406451f094490494b7298cc43a2dde
-
SHA512
f98ca1fab86271e101010af6d322a450db7b7232f991d8fff72a92abaa4830af8215112a555c18b12392b7fdaf57bd5ca3d7039bae0d92a3aa04f80c44cf476a
-
SSDEEP
1536:V0gQLSi+JNTbCyvvSR2Mrbz4jpLJx2uFzBeyKEb9iK:kSo2Mrbz4jpLygRK09iK
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 20 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\46d9563085f0ec2e84749d4e4a3dc1d918406451f094490494b7298cc43a2dde.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\echo.XLS"2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\echo.XLS"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\echo.XLS"2⤵
- Process spawned unexpected child process
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\echo.XLS"2⤵
- Process spawned unexpected child process
-
C:\Windows\explorer.exeexplorer tencent://message/?uin=6544867402⤵
- Process spawned unexpected child process
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/100-141-0x0000000000000000-mapping.dmp
-
memory/220-140-0x0000000000000000-mapping.dmp
-
memory/1664-132-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmpFilesize
64KB
-
memory/1664-133-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmpFilesize
64KB
-
memory/1664-134-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmpFilesize
64KB
-
memory/1664-135-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmpFilesize
64KB
-
memory/1664-136-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmpFilesize
64KB
-
memory/1664-137-0x00007FFDF8030000-0x00007FFDF8040000-memory.dmpFilesize
64KB
-
memory/1664-138-0x00007FFDF8030000-0x00007FFDF8040000-memory.dmpFilesize
64KB
-
memory/3388-139-0x0000000000000000-mapping.dmp
-
memory/4356-142-0x0000000000000000-mapping.dmp
-
memory/4940-143-0x0000000000000000-mapping.dmp