Analysis
- max time kernel: 179s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 19:22
Behavioral task behavioral1
- Sample: 0a4dc6cba72c076b488292563dd03c79da543f8ee513addc28c20ef2b5126db2.xls
- Resource: win7-20220901-en
Behavioral task behavioral2
- Sample: 0a4dc6cba72c076b488292563dd03c79da543f8ee513addc28c20ef2b5126db2.xls
- Resource: win10v2004-20220812-en
General
- Target: 0a4dc6cba72c076b488292563dd03c79da543f8ee513addc28c20ef2b5126db2.xls
- Size: 36KB
- MD5: 4ae80c556b4f62281fb3f0ff310e448b
- SHA1: 6f5d94a330a0557beda1f377a6e96441c8da7eb9
- SHA256: 0a4dc6cba72c076b488292563dd03c79da543f8ee513addc28c20ef2b5126db2
- SHA512: 6bd33fdc9c9f9c3b97c7940136d17d8a03985b2be7e75c7f6480fbccebdae5b88b15d87830b835d68c593a555894754781827d435c7d4176451d7a7b625b5527
- SSDEEP: 768:FPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJD0cBvA0HCQlS3XB1l/hjuN6:tok3hbdlylKsgqopeJBWhZFGkE+cL2Nd
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: explorer.exe
  - description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; pid: 3552; pid_target: 4856; process: explorer.exe; target process: EXCEL.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Modifies registry class (1 IoC)
  Processes: explorer.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings (explorer.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  - pid 4856 EXCEL.EXE
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes: EXCEL.EXE
  - pid 4856 EXCEL.EXE (14 occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: EXCEL.EXE, explorer.exe
  - PID 4856 wrote to memory of 3552: 4856 EXCEL.EXE -> explorer.exe
  - PID 4856 wrote to memory of 3552: 4856 EXCEL.EXE -> explorer.exe
  - PID 1900 wrote to memory of 1400: 1900 explorer.exe -> WScript.exe
  - PID 1900 wrote to memory of 1400: 1900 explorer.exe -> WScript.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0a4dc6cba72c076b488292563dd03c79da543f8ee513addc28c20ef2b5126db2.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\explorer.exe
    Command line: explorer.exe C:\Users\Public\Documents\KrF.vbs
    - Process spawned unexpected child process
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\KrF.vbs"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Documents\KrF.vbs
  - Filesize: 568B
  - MD5: 71aed0a7138689b6febf9a7eac714b87
  - SHA1: 5c90ba8aa50a69701ef1c2f19ae85287788db449
  - SHA256: c6c7abec2586a3091499988e20b331c6a4bc855c529a3e3535876c1f04d1a9b4
  - SHA512: bbf22f54eeb7c3704d316f54e3a7addaf8f5cd035deaa6752a6582554bd122a13338451fbc3323adf79a1cf920d27a28bdee778a7d24f4b49b15af1434c0f850
- memory/1400-141-0x0000000000000000-mapping.dmp
- memory/3552-139-0x0000000000000000-mapping.dmp
- memory/4856-132-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize: 64KB)
- memory/4856-133-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize: 64KB)
- memory/4856-134-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize: 64KB)
- memory/4856-135-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize: 64KB)
- memory/4856-136-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize: 64KB)
- memory/4856-137-0x00007FFBF3960000-0x00007FFBF3970000-memory.dmp (Filesize: 64KB)
- memory/4856-138-0x00007FFBF3960000-0x00007FFBF3970000-memory.dmp (Filesize: 64KB)