Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2023 17:16
Behavioral task
behavioral1
Sample
fd2c13d41aa7389178f19a6f7bf51883.xls
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
fd2c13d41aa7389178f19a6f7bf51883.xls
Resource
win10v2004-20231215-en
General
-
Target
fd2c13d41aa7389178f19a6f7bf51883.xls
-
Size
35KB
-
MD5
fd2c13d41aa7389178f19a6f7bf51883
-
SHA1
7c1781e8945cd67bf9f464357c03e36bfabdd5ad
-
SHA256
7ceb282897290b35e2ef47f4fb389160d1529855537710904f46b4dc2c1f124c
-
SHA512
4dc4347dbfc9d0456571ac381516f1ce22c616ecc172243645b1de9360229814a92fea9b37b6d1732ea8617b176b97937318da57389bde01eb15b6042cf9e793
-
SSDEEP
768:LPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJlPI3dwohB3/cpOd:zok3hbdlylKsgqopeJBWhZFGkE+cL2ND
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
pid: 1948   pid_target: 2288   Process: explorer.exe   procid_target: 16 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. In this run the queries are made by EXCEL.EXE itself, which also reads these keys during normal startup, so on its own this is a low-confidence signal.
description        ioc                                                                                  Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                           Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS            EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    EXCEL.EXE -
Modifies registry class 1 IoCs
description  ioc                                                                                        Process
Key created  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings  explorer.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid: 2288   Process: EXCEL.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid: 2288   Process: EXCEL.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid: 2288   Process: EXCEL.EXE   (6 hook installations, all from PID 2288) -
Suspicious use of WriteProcessMemory 4 IoCs
description                        pid   Process       procid_target
PID 2288 wrote to memory of 1948   2288  EXCEL.EXE     57
PID 2288 wrote to memory of 1948   2288  EXCEL.EXE     57
PID 1544 wrote to memory of 1664   1544  explorer.exe  104
PID 1544 wrote to memory of 1664   1544  explorer.exe  104
Processes
-
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\fd2c13d41aa7389178f19a6f7bf51883.xls"
   PID: 2288
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\explorer.exe
      cmdline: explorer.exe C:\Users\Public\Documents\rcpN7.vbs
      PID: 1948
      - Process spawned unexpected child process
1. C:\Windows\explorer.exe
   cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
   PID: 1544
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\rcpN7.vbs"
      PID: 1664
1. C:\Windows\System32\sihclient.exe
   cmdline: C:\Windows\System32\sihclient.exe /cv BhhTiw6gu0yGORLx8z9CmQ.0.2
   PID: 1664
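The tree is worth reading closely: EXCEL.EXE (PID 2288) hands the dropped script to explorer.exe (PID 1948), which is the only child the "unexpected child process" signature fires on. The script host that actually runs rcpN7.vbs, WScript.exe (PID 1664), is a child of a separate explorer.exe COM-factory instance (PID 1544), so a rule that looks only at Office's direct children sees explorer.exe and never the script host. The following is an added example, not part of the sandbox report or its vendor's tooling: it re-implements the "unexpected child" and "checks processor information in registry" signatures over a constructed event list built from the PIDs, images, command lines and registry IoCs shown above, and adds a correlation rule that ties the script host back to the Office lineage by script path. The event layout, the allow-lists, the writable-directory prefixes and the ppids of the two root processes are assumptions for illustration.

```python
"""Added example (not from the sandbox report): re-implements the report's
"unexpected child" and "processor information" signatures over a constructed
trace and correlates the indirectly launched script host back to Office."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}          # assumed allow-list
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_RE = re.compile(r'[a-z]:\\[^"\s]+?\.(?:vbs|vbe|js|jse|wsf|hta|ps1)', re.I)
WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\windows\\temp\\")   # assumed
FINGERPRINT_KEYS = ("\\centralprocessor\\", "\\description\\system\\bios")

# Constructed trace: pids, images, command lines and keys come from the report;
# the ppids 900 and 700 of the two root processes are assumed (report omits them).
EVENTS = [
    {"type": "process", "pid": 2288, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\Admin\AppData\Local\Temp\fd2c13d41aa7389178f19a6f7bf51883.xls"'},
    {"type": "regquery", "pid": 2288,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"type": "regquery", "pid": 2288,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
    {"type": "process", "pid": 1948, "ppid": 2288, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"explorer.exe C:\Users\Public\Documents\rcpN7.vbs"},
    {"type": "process", "pid": 1544, "ppid": 700, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"type": "process", "pid": 1664, "ppid": 1544, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\rcpN7.vbs"'},
]


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def processes(events):
    """pid -> process-creation event, in trace order."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def under_office(proc, procs):
    """True if any ancestor of proc is an Office application."""
    seen, cur = set(), procs.get(proc["ppid"])
    while cur and cur["pid"] not in seen:
        if image_name(cur["image"]) in OFFICE_APPS:
            return True
        seen.add(cur["pid"])
        cur = procs.get(cur["ppid"])
    return False


def script_paths(cmdline):
    """Script file paths referenced anywhere in a command line, lower-cased."""
    return {m.lower() for m in SCRIPT_RE.findall(cmdline)}


def unexpected_office_children(events):
    """Direct rule, as in the report: Office parent starts a non-allow-listed child."""
    procs = processes(events)
    return [(p["ppid"], p["pid"], image_name(p["image"])) for p in procs.values()
            if p["ppid"] in procs and image_name(procs[p["ppid"]]["image"]) in OFFICE_APPS
            and image_name(p["image"]) not in EXPECTED_OFFICE_CHILDREN]


def indirect_script_launches(events):
    """Correlation rule: a script host outside the Office lineage runs a script
    whose path first appeared on the command line of an Office descendant."""
    procs = processes(events)
    lineage_scripts = {s: p["pid"] for p in procs.values() if under_office(p, procs)
                       for s in script_paths(p["cmdline"])}
    return [(lineage_scripts[s], p["pid"], s) for p in procs.values()
            if image_name(p["image"]) in SCRIPT_HOSTS and not under_office(p, procs)
            for s in script_paths(p["cmdline"]) if s in lineage_scripts]


def scripts_in_writable_dirs(events):
    """Any process referencing a script under a world-writable directory."""
    return [(e["pid"], s) for e in events if e["type"] == "process"
            for s in script_paths(e["cmdline"]) if s.startswith(WRITABLE_PREFIXES)]


def fingerprint_queries(events):
    """Registry reads of CPU/BIOS description keys made by an Office process."""
    procs = processes(events)
    return [(e["pid"], e["key"]) for e in events if e["type"] == "regquery"
            and e["pid"] in procs and image_name(procs[e["pid"]]["image"]) in OFFICE_APPS
            and any(k in e["key"].lower() for k in FINGERPRINT_KEYS)]


if __name__ == "__main__":
    for rule in (unexpected_office_children, indirect_script_launches,
                 scripts_in_writable_dirs, fingerprint_queries):
        print(rule.__name__, rule(EVENTS))
```

On this trace the direct rule reports only EXCEL.EXE -> explorer.exe, while the correlation rule links WScript.exe (PID 1664) back to PID 1948 through the shared rcpN7.vbs path; the writable-directory rule flags both references to C:\Users\Public\Documents independently of process lineage, which is the check that survives further launcher indirection.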
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
577B
MD5
aa5326d5158ec1a0935c606acca158a6
SHA1
8a3e502b418b0926153aaeccfc605d7656d9df05
SHA256
e4f40ec7427db546411ed15b2d75a546cc0267b1b40f563ef8e672e7373eaa46
SHA512
2c88f31d61004c23d167ae7cd960322639363de3197df4ed7edf45e8ec68820d3127f74252203e0aed70221609b460e9b0b8903d7cb67d3965bf077224e0a0b9