Analysis
max time kernel: 101s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2023 06:49
Behavioral task: behavioral1
Sample: 5ab761679b1a058f846bb9e6758ae2e4.xls
Resource: win7-20231215-en
General
Target: 5ab761679b1a058f846bb9e6758ae2e4.xls
Size: 134KB
MD5: 5ab761679b1a058f846bb9e6758ae2e4
SHA1: 9e3fd094b07d7acd475088584199b6435d9ada43
SHA256: 19aec9a3adc4f07ef1344a9e1acc76c7712dc9c6096b50a2f03fef0b32f1ae5d
SHA512: 06602873063d0cbd77f267513b936bfaf176d7c540a2f871c0629596216f770c45167e4e74a8e2316ad71954b308f230e95116fb3421fb4d4a1c87a8b0099361
SSDEEP: 1536:muuuuaPrYFE5JouDvyGLV7WVbrzQ7ITkk62lRgeOEg8JtXw2AM2M/McuS7JuM:WE56e1JWVbrzQ7ITkcwcJtXwC5ktM
Malware Config
Signatures

Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1792 | 1228 | cmd.exe | 29
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3852 | 1228 | cmd.exe | 29
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1660 | 1228 | cmd.exe | 29

resource | yara_rule
behavioral2/files/0x00030000000227e5-104.dat | office_xlm_macros

Deletes itself (1 IoCs)
pid | Process
1228 | EXCEL.EXE

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE

NTFS ADS (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Temp\A1975E00\:Zone.Identifier:$DATA | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
1228 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (14 IoCs)
pid | Process
1228 | EXCEL.EXE (14 identical entries)

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1228 wrote to memory of 1660 | 1228 | EXCEL.EXE | 97
PID 1228 wrote to memory of 1660 | 1228 | EXCEL.EXE | 97
PID 1228 wrote to memory of 3852 | 1228 | EXCEL.EXE | 96
PID 1228 wrote to memory of 3852 | 1228 | EXCEL.EXE | 96
PID 1228 wrote to memory of 1792 | 1228 | EXCEL.EXE | 94
PID 1228 wrote to memory of 1792 | 1228 | EXCEL.EXE | 94
PID 1660 wrote to memory of 3840 | 1660 | cmd.exe | 95
PID 1660 wrote to memory of 3840 | 1660 | cmd.exe | 95

Views/modifies file attributes (1 TTPs, 1 IoCs)
pid | Process
3840 | attrib.exe
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1228, level 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5ab761679b1a058f846bb9e6758ae2e4.xls"
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (PID 1792, level 2)
    Command line: C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    - Process spawned unexpected child process

    C:\Windows\system32\cmd.exe (PID 3852, level 2)
    Command line: C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    - Process spawned unexpected child process

    C:\Windows\system32\cmd.exe (PID 1660, level 2)
    Command line: C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

C:\Windows\system32\attrib.exe (PID 3840, level 1)
Command line: attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
- Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 154KB
MD5: 08ad36d94a35379e2f10dd1354b909e3
SHA1: 04819f20cf5dd133a20876a43d0000891d95de0e
SHA256: 9ae06b66d0ffc4fc37794735f783c3f4b6750705087153502a3c0566281ea0a9
SHA512: 511c00ff4a446b500b179b71bd48c1124254fe4abd564bce32fd4951faf729559925a13afab174c4ff98b0b8a02f314eeb84e32334f3a94b0916afda26cbf305