Analysis

  • max time kernel
    179s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 19:22

General

  • Target

    0a4dc6cba72c076b488292563dd03c79da543f8ee513addc28c20ef2b5126db2.xls

  • Size

    36KB

  • MD5

    4ae80c556b4f62281fb3f0ff310e448b

  • SHA1

    6f5d94a330a0557beda1f377a6e96441c8da7eb9

  • SHA256

    0a4dc6cba72c076b488292563dd03c79da543f8ee513addc28c20ef2b5126db2

  • SHA512

    6bd33fdc9c9f9c3b97c7940136d17d8a03985b2be7e75c7f6480fbccebdae5b88b15d87830b835d68c593a555894754781827d435c7d4176451d7a7b625b5527

  • SSDEEP

    768:FPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJD0cBvA0HCQlS3XB1l/hjuN6:tok3hbdlylKsgqopeJBWhZFGkE+cL2Nd

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0a4dc6cba72c076b488292563dd03c79da543f8ee513addc28c20ef2b5126db2.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Windows\explorer.exe
      explorer.exe C:\Users\Public\Documents\KrF.vbs
      2⤵
      • Process spawned unexpected child process
      PID:3552
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\KrF.vbs"
      2⤵
        PID:1400

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\Documents\KrF.vbs
      Filesize

      568B

      MD5

      71aed0a7138689b6febf9a7eac714b87

      SHA1

      5c90ba8aa50a69701ef1c2f19ae85287788db449

      SHA256

      c6c7abec2586a3091499988e20b331c6a4bc855c529a3e3535876c1f04d1a9b4

      SHA512

      bbf22f54eeb7c3704d316f54e3a7addaf8f5cd035deaa6752a6582554bd122a13338451fbc3323adf79a1cf920d27a28bdee778a7d24f4b49b15af1434c0f850

    • memory/1400-141-0x0000000000000000-mapping.dmp
    • memory/3552-139-0x0000000000000000-mapping.dmp
    • memory/4856-132-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp
      Filesize

      64KB

    • memory/4856-133-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp
      Filesize

      64KB

    • memory/4856-134-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp
      Filesize

      64KB

    • memory/4856-135-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp
      Filesize

      64KB

    • memory/4856-136-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp
      Filesize

      64KB

    • memory/4856-137-0x00007FFBF3960000-0x00007FFBF3970000-memory.dmp
      Filesize

      64KB

    • memory/4856-138-0x00007FFBF3960000-0x00007FFBF3970000-memory.dmp
      Filesize

      64KB