Analysis

  • max time kernel
    179s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 19:21

General

  • Target

    3e645d26dc93bde0940f77f306482cb89846233d443f9618e2355b17c6e9cf9d.xls

  • Size

    36KB

  • MD5

    d27410ae8a23e37066d011c8ea75410c

  • SHA1

    4cdefca60b6c7e80813432b3c5d16f9dd50fc98e

  • SHA256

    3e645d26dc93bde0940f77f306482cb89846233d443f9618e2355b17c6e9cf9d

  • SHA512

    ad3dac3ec43087636c2ef6c2653f22e27a846790c1e3f894f93403b43bd5259c8b9033119056eed3c55a160f050d88852e7ddb00db856be83be803a689fcfef5

  • SSDEEP

    768:RPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJYgcuVKpu5JSMiGC4:Zok3hbdlylKsgqopeJBWhZFGkE+cL2NM

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3e645d26dc93bde0940f77f306482cb89846233d443f9618e2355b17c6e9cf9d.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Windows\explorer.exe
      explorer.exe C:\Users\Public\Documents\J1w8zTxs.vbs
      2⤵
      • Process spawned unexpected child process
      PID:3428
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4340
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\J1w8zTxs.vbs"
      2⤵
        PID:212

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\Documents\J1w8zTxs.vbs
      Filesize

      584B

      MD5

      4527983d886564058aa2952114f1aa78

      SHA1

      1d515e9abbf48e74d872f4d65361465b6986d971

      SHA256

      6c11efc4b39250e47cfc37d778a4d310ff0568c48c4996401f84135e3130bbc3

      SHA512

      0172f4b725be797477faa622a790973ecc5528590f1e3007c8083c561ebc29e6a95d772f4cedf86fcc8b26bcabb093bf6e256a342e6ffa4e4622f2f409522006

    • memory/8-132-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp
      Filesize

      64KB

    • memory/8-133-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp
      Filesize

      64KB

    • memory/8-134-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp
      Filesize

      64KB

    • memory/8-135-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp
      Filesize

      64KB

    • memory/8-136-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp
      Filesize

      64KB

    • memory/8-137-0x00007FF9EC8D0000-0x00007FF9EC8E0000-memory.dmp
      Filesize

      64KB

    • memory/8-138-0x00007FF9EC8D0000-0x00007FF9EC8E0000-memory.dmp
      Filesize

      64KB

    • memory/212-141-0x0000000000000000-mapping.dmp
    • memory/3428-139-0x0000000000000000-mapping.dmp