Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 13:57

General

  • Target

    7a5007785ba11a0fd7bf907798601308ba34f451e5b3580780090ac4b75925f1.xls

  • Size

    36KB

  • MD5

    645e818659757ba49a67bcb5f4d441a9

  • SHA1

    08eb6b50926bd827b6b11bace5cb29c47fd4f5be

  • SHA256

    7a5007785ba11a0fd7bf907798601308ba34f451e5b3580780090ac4b75925f1

  • SHA512

    0edc583274b45e4fa66964cf33917e79158314b8ffd537127d87e64290b67b81a3a10e00bc0c389c70234d25eef255911010bda99bd0fc656ecf86362dd63176

  • SSDEEP

    768:JPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJapYsnMhiQcka7:Bok3hbdlylKsgqopeJBWhZFGkE+cL2ND

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7a5007785ba11a0fd7bf907798601308ba34f451e5b3580780090ac4b75925f1.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\explorer.exe
      explorer.exe C:\Users\Public\Documents\cHhg0.vbs
      2⤵
      • Process spawned unexpected child process
      PID:2408
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\cHhg0.vbs"
      2⤵
        PID:4772

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\Documents\cHhg0.vbs
      Filesize

      567B

      MD5

      7e7cca5c61b60fd418099fa120bb8314

      SHA1

      661a06a8c4043c26e46e517167208100e0560c06

      SHA256

      8cb42d4106bdcb4c19a51ddd0a3d7d0b657a23cd0a46b496ba2428bfe0dbbdea

      SHA512

      d3629596926661a705ad8b7f871b607944afe3d953e9a3d0b032dc9bdba499fa4dde58b299032111b2dc9b1d2e3b494bf44bdca047118a31a1890c15f6b2fe7e

    • memory/1008-132-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp
      Filesize

      64KB

    • memory/1008-133-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp
      Filesize

      64KB

    • memory/1008-134-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp
      Filesize

      64KB

    • memory/1008-135-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp
      Filesize

      64KB

    • memory/1008-136-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp
      Filesize

      64KB

    • memory/1008-137-0x00007FFDAAC10000-0x00007FFDAAC20000-memory.dmp
      Filesize

      64KB

    • memory/1008-138-0x00007FFDAAC10000-0x00007FFDAAC20000-memory.dmp
      Filesize

      64KB

    • memory/2408-139-0x0000000000000000-mapping.dmp
    • memory/4772-141-0x0000000000000000-mapping.dmp