Analysis
- max time kernel: 179s
- max time network: 185s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 19:21
Behavioral task: behavioral1
  Sample: 3e645d26dc93bde0940f77f306482cb89846233d443f9618e2355b17c6e9cf9d.xls
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 3e645d26dc93bde0940f77f306482cb89846233d443f9618e2355b17c6e9cf9d.xls
  Resource: win10v2004-20220812-en
General
- Target: 3e645d26dc93bde0940f77f306482cb89846233d443f9618e2355b17c6e9cf9d.xls
- Size: 36KB
- MD5: d27410ae8a23e37066d011c8ea75410c
- SHA1: 4cdefca60b6c7e80813432b3c5d16f9dd50fc98e
- SHA256: 3e645d26dc93bde0940f77f306482cb89846233d443f9618e2355b17c6e9cf9d
- SHA512: ad3dac3ec43087636c2ef6c2653f22e27a846790c1e3f894f93403b43bd5259c8b9033119056eed3c55a160f050d88852e7ddb00db856be83be803a689fcfef5
- SSDEEP: 768:RPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJYgcuVKpu5JSMiGC4:Zok3hbdlylKsgqopeJBWhZFGkE+cL2NM
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro. Here EXCEL.EXE (PID 8) launched explorer.exe (PID 3428) with the dropped script C:\Users\Public\Documents\J1w8zTxs.vbs as its only argument, i.e. the document used the shell to open the script it had written to the Public profile.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
    pid: 3428 (explorer.exe)    pid_target: 8 (EXCEL.EXE)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (EXCEL.EXE):
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    Key opened:        \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (EXCEL.EXE):
    Key opened:        \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  Note that the CPU and BIOS reads are attributed to EXCEL.EXE itself; Excel reads some of these keys on its own, so treat them as supporting evidence for the process chain rather than as a standalone indicator.
- Modifies registry class (1 IoC)
  Processes (explorer.exe):
    Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: pid 8 EXCEL.EXE
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes: pid 8 EXCEL.EXE (14 calls)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 8 wrote to memory of 3428     EXCEL.EXE -> explorer.exe   (2 writes)
    PID 4340 wrote to memory of 212   explorer.exe -> WScript.exe (2 writes)
  Each pair is a parent writing into a child it has just created, which happens during normal process start-up; the value of this signature here is the parent/child linkage it records (8 -> 3428 and 4340 -> 212), not the API call itself.
Processes
- EXCEL.EXE (PID 8)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3e645d26dc93bde0940f77f306482cb89846233d443f9618e2355b17c6e9cf9d.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - explorer.exe (PID 3428, child of PID 8)
    explorer.exe C:\Users\Public\Documents\J1w8zTxs.vbs
    - Process spawned unexpected child process
- explorer.exe (PID 4340, COM-activated)
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - WScript.exe (PID 212, child of PID 4340)
    "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\J1w8zTxs.vbs"

Chain: EXCEL.EXE passed the dropped .vbs to explorer.exe (PID 3428); the script was then run under WScript.exe (PID 212) by a separate, COM-activated explorer.exe (PID 4340, note the /factory,{CLSID} -Embedding command line). WScript.exe is therefore not a descendant of EXCEL.EXE in the process tree, so a detection keyed only on "Office parent spawns script host" misses the execution; key on the dropped file path, or on script hosts reading from C:\Users\Public\Documents, as well.
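To turn the behaviors above into detection logic, the following is an added Python example (not the sandbox's signature code and not from the sample). It replays constructed process-creation and registry events modelled on this report's tree and IoCs, flags the non-allowlisted Office child, ties the WScript.exe execution back to Excel through the dropped script path even though WScript.exe's parent is the COM-activated explorer.exe rather than a descendant of EXCEL.EXE, and counts reads of the CPU/BIOS description keys. The Office image list, script-host list, child allowlist and the parent PIDs 5000 and 1072 are assumptions; everything else is taken from the report.

```python
"""Detection logic for the process chain and registry probes in this report.

Added example, not the sandbox's own signature code. The events below are
constructed from the PIDs, images and command lines in the report; the parent
PIDs of EXCEL.EXE (5000) and of the COM-activated explorer.exe (1072) are not
on the page and are assumed placeholders.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe", "werfault.exe"}  # assumption: site allowlist
# Key prefixes EXCEL.EXE read in the report; reads of these are typical VM/sandbox fingerprinting.
FINGERPRINT_KEY_PREFIXES = (
    "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR",
    "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS",
)
SCRIPT_PATH_RE = re.compile(
    r'(?i)([a-z]:\\[^"]*?\.(?:vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd))(?![\w.])')

def basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_com_activated(e):
    """explorer.exe started by COM carries '/factory,{CLSID}' and '-Embedding'."""
    cl = e.cmdline.lower()
    return "/factory," in cl and "-embedding" in cl

def unexpected_office_children(events):
    """(parent pid, parent image, child pid, child image) for non-allowlisted Office children."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent and basename(parent.image) in OFFICE_IMAGES
                and basename(e.image) not in EXPECTED_OFFICE_CHILDREN):
            hits.append((parent.pid, basename(parent.image), e.pid, basename(e.image)))
    return hits

def script_chains(events):
    """Link a script path named on an Office-descended command line to the script host
    that runs the same file. Walking parent pids alone misses this report's chain:
    WScript.exe's parent is the COM-activated explorer.exe (4340), not the explorer.exe
    (3428) that Excel spawned, so the shared file path is what ties them together."""
    by_pid = {e.pid: e for e in events}

    def office_ancestor(e):
        seen = set()
        while e is not None and e.pid not in seen:
            seen.add(e.pid)
            if basename(e.image) in OFFICE_IMAGES:
                return e
            e = by_pid.get(e.ppid)
        return None

    referenced = {}  # script path -> (office pid, pid whose command line named it)
    for e in events:
        anc = office_ancestor(e)
        if anc is None or anc.pid == e.pid:
            continue
        for m in SCRIPT_PATH_RE.finditer(e.cmdline):
            referenced.setdefault(m.group(1).lower(), (anc.pid, e.pid))

    chains = []
    for e in events:
        if basename(e.image) not in SCRIPT_HOSTS:
            continue
        for m in SCRIPT_PATH_RE.finditer(e.cmdline):
            path = m.group(1).lower()
            if path in referenced:
                parent = by_pid.get(e.ppid)
                chains.append({
                    "office_pid": referenced[path][0], "launcher_pid": referenced[path][1],
                    "host_pid": e.pid, "script": path,
                    "via_com_explorer": parent is not None and is_com_activated(parent),
                    "public_folder": "\\users\\public\\" in path,
                })
    return chains

def fingerprint_queries(reg_events):
    """Count per-process opens/reads of the CPU and BIOS description keys."""
    counts = {}
    for pid, image, key in reg_events:
        if key.upper().startswith(FINGERPRINT_KEY_PREFIXES):
            k = (pid, basename(image))
            counts[k] = counts.get(k, 0) + 1
    return counts

def sample_process_events():
    """Constructed from the report's process tree (parent pids 5000 and 1072 assumed)."""
    office = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
    xls = r"C:\Users\Admin\AppData\Local\Temp\3e645d26dc93bde0940f77f306482cb89846233d443f9618e2355b17c6e9cf9d.xls"
    vbs = r"C:\Users\Public\Documents\J1w8zTxs.vbs"
    return [
        ProcEvent(8, 5000, office, f'"{office}" "{xls}"'),
        ProcEvent(3428, 8, r"C:\Windows\explorer.exe", f"explorer.exe {vbs}"),
        ProcEvent(4340, 1072, r"C:\Windows\explorer.exe",
                  r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
        ProcEvent(212, 4340, r"C:\Windows\System32\WScript.exe",
                  f'"C:\\Windows\\System32\\WScript.exe" "{vbs}"'),
    ]

def sample_registry_events():
    """Constructed from the report's registry IoCs (all from EXCEL.EXE, PID 8)."""
    hw = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"
    return [(8, "EXCEL.EXE", hw + suffix) for suffix in (
        r"\CentralProcessor\0\ProcessorNameString", r"\CentralProcessor\0",
        r"\CentralProcessor\0\~MHz", r"\BIOS", r"\BIOS\SystemFamily", r"\BIOS\SystemSKU")]

if __name__ == "__main__":
    evs = sample_process_events()
    print("unexpected Office children:", unexpected_office_children(evs))
    for chain in script_chains(evs):
        print("script chain:", chain)
    print("fingerprint key reads:", fingerprint_queries(sample_registry_events()))
```

On a real host the same functions can be fed Sysmon process-creation (Event ID 1) and registry (Event ID 12/13) records mapped into these shapes; the point of `script_chains` is that the correlation key is the script path, not the parent PID, because the COM-activated explorer.exe breaks the tree between Excel and WScript.exe.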
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Public\Documents\J1w8zTxs.vbs
  Filesize: 584B
  MD5: 4527983d886564058aa2952114f1aa78
  SHA1: 1d515e9abbf48e74d872f4d65361465b6986d971
  SHA256: 6c11efc4b39250e47cfc37d778a4d310ff0568c48c4996401f84135e3130bbc3
  SHA512: 0172f4b725be797477faa622a790973ecc5528590f1e3007c8083c561ebc29e6a95d772f4cedf86fcc8b26bcabb093bf6e256a342e6ffa4e4622f2f409522006
- memory/8-132-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp  Filesize: 64KB
- memory/8-133-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp  Filesize: 64KB
- memory/8-134-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp  Filesize: 64KB
- memory/8-135-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp  Filesize: 64KB
- memory/8-136-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp  Filesize: 64KB
- memory/8-137-0x00007FF9EC8D0000-0x00007FF9EC8E0000-memory.dmp  Filesize: 64KB
- memory/8-138-0x00007FF9EC8D0000-0x00007FF9EC8E0000-memory.dmp  Filesize: 64KB
- memory/212-141-0x0000000000000000-mapping.dmp
- memory/3428-139-0x0000000000000000-mapping.dmp