Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 17:16

General

  • Target
    fd2c13d41aa7389178f19a6f7bf51883.xls
  • Size
    35KB
  • MD5
    fd2c13d41aa7389178f19a6f7bf51883
  • SHA1
    7c1781e8945cd67bf9f464357c03e36bfabdd5ad
  • SHA256
    7ceb282897290b35e2ef47f4fb389160d1529855537710904f46b4dc2c1f124c
  • SHA512
    4dc4347dbfc9d0456571ac381516f1ce22c616ecc172243645b1de9360229814a92fea9b37b6d1732ea8617b176b97937318da57389bde01eb15b6042cf9e793
  • SSDEEP
    768:LPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJlPI3dwohB3/cpOd:zok3hbdlylKsgqopeJBWhZFGkE+cL2ND

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\fd2c13d41aa7389178f19a6f7bf51883.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\explorer.exe
      explorer.exe C:\Users\Public\Documents\rcpN7.vbs
      2⤵
      • Process spawned unexpected child process
      PID:1948
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\rcpN7.vbs"
      2⤵
      PID:1664
  • C:\Windows\System32\sihclient.exe
    C:\Windows\System32\sihclient.exe /cv BhhTiw6gu0yGORLx8z9CmQ.0.2
    1⤵
    PID:1664

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Public\Documents\rcpN7.vbs
    Filesize: 577B
    MD5: aa5326d5158ec1a0935c606acca158a6
    SHA1: 8a3e502b418b0926153aaeccfc605d7656d9df05
    SHA256: e4f40ec7427db546411ed15b2d75a546cc0267b1b40f563ef8e672e7373eaa46
    SHA512: 2c88f31d61004c23d167ae7cd960322639363de3197df4ed7edf45e8ec68820d3127f74252203e0aed70221609b460e9b0b8903d7cb67d3965bf077224e0a0b9
  • memory/2288-22-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-13-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-19-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-12-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-23-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-15-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-14-0x00007FF7F5330000-0x00007FF7F5340000-memory.dmp (Filesize: 64KB)
  • memory/2288-16-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-17-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-20-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-21-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-5-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-10-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-8-0x00007FF7F5330000-0x00007FF7F5340000-memory.dmp (Filesize: 64KB)
  • memory/2288-18-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-11-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-9-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-7-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-4-0x00007FF7F7C90000-0x00007FF7F7CA0000-memory.dmp (Filesize: 64KB)
  • memory/2288-3-0x00007FF7F7C90000-0x00007FF7F7CA0000-memory.dmp (Filesize: 64KB)
  • memory/2288-2-0x00007FF7F7C90000-0x00007FF7F7CA0000-memory.dmp (Filesize: 64KB)
  • memory/2288-1-0x00007FF7F7C90000-0x00007FF7F7CA0000-memory.dmp (Filesize: 64KB)
  • memory/2288-0-0x00007FF7F7C90000-0x00007FF7F7CA0000-memory.dmp (Filesize: 64KB)
  • memory/2288-6-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)
  • memory/2288-35-0x00007FF837C10000-0x00007FF837E05000-memory.dmp (Filesize: 2.0MB)