Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    27-02-2024 05:55

General

  • Target

    a86310371a18d3cdbe1e452145557480.xlsb

  • Size

    162KB

  • MD5

    a86310371a18d3cdbe1e452145557480

  • SHA1

    2b8c6d9943bf07fe8dd2cdcdff187cc0f582aef2

  • SHA256

    b2146ce57cfa6785eb1c9a405abc48e844c15a5431b85c653f2bda57e03f7449

  • SHA512

    b7658b1961ac44232d3927065f0285601880f545e22cdaeefd9b0ac54cd4507a44954c31fc5cf8635f536668b7603dbd7f418ffc011f8b33fc8f83d10133b83a

  • SSDEEP

    3072:oUCvK98aP+ZfxEhAH+lW1Z/z+OVQaw4+rJDEU/H7DcYtEeGTE:ozc8amNquH+0zQFHr5/bDc8j

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a86310371a18d3cdbe1e452145557480.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic process call create 'mshta C:\ProgramData\sPHMyyWtA.sct'
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
  • C:\Windows\system32\mshta.exe
    mshta C:\ProgramData\sPHMyyWtA.sct
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    PID:2552
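The tree above shows the chain this sample uses: EXCEL.EXE (the `/dde` switch is just the sandbox's open verb, not attacker-controlled) spawns wmic.exe, which issues `process call create` to launch mshta.exe on a scriptlet dropped to C:\ProgramData. Note that mshta appears at depth 1 rather than under wmic: a process created through WMI's Win32_Process.Create is parented by WmiPrvSE.exe, so a rule that only looks for Office directly spawning mshta misses it. The added example below (not part of this report) runs a small process-creation hunt over constructed Sysmon-style events that mirror this tree; the field names (image, parent image, command line) and the PIDs other than 2872/2728/2552 are assumptions, and it re-links the wmic launcher to its mshta child by matching the requested command line instead of the broken PPID.

```python
"""Added example, not from the sandbox report: hunt for the
Office -> wmic 'process call create' -> mshta chain, and re-link the
WMI-created child whose recorded parent is WmiPrvSE.exe rather than wmic.
Field layout follows Sysmon Event ID 1 (Image/ParentImage/CommandLine);
that, and every PID except 2872/2728/2552, is an assumption."""
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wmic.exe", "mshta.exe", "cmd.exe", "powershell.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# user-writable drop locations commonly used for staged scriptlets
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")
_CREATE_RE = re.compile(r"process\s+call\s+create\s+(.+)$", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


def _name(path: str) -> str:
    """Basename of an image path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _norm(cmd: str) -> str:
    """Strip quoting and collapse whitespace so command lines compare equal."""
    return " ".join(cmd.replace("'", "").replace('"', "").lower().split())


def classify(ev: ProcEvent) -> list:
    """Return the detection tags that fire on a single process-creation event."""
    tags = []
    img, parent, cl = _name(ev.image), _name(ev.parent_image), ev.cmdline.lower()
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        tags.append("office_spawned_script_host")
    if img == "wmic.exe" and _CREATE_RE.search(ev.cmdline):
        tags.append("wmic_process_call_create")
    if img == "mshta.exe" and any(d in cl for d in WRITABLE_DIRS):
        tags.append("mshta_runs_file_from_writable_dir")
    if img == "mshta.exe" and parent == "wmiprvse.exe":
        tags.append("mshta_parent_is_wmi_provider")
    return tags


def hunt(events) -> dict:
    """Map pid -> tags for every event that fired at least one tag."""
    hits = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            hits[ev.pid] = tags
    return hits


def stitch_wmi_children(events) -> list:
    """Pair each wmic 'process call create' with the process it created.
    The child's ppid points at WmiPrvSE.exe, so instead match the command
    wmic requested against the command lines of the other events."""
    links = []
    for ev in events:
        if _name(ev.image) != "wmic.exe":
            continue
        m = _CREATE_RE.search(ev.cmdline)
        if not m:
            continue
        wanted = _norm(m.group(1))
        for other in events:
            if other.pid != ev.pid and _norm(other.cmdline) == wanted:
                links.append((ev.pid, other.pid))
    return links


# Constructed events mirroring the report's tree (explorer/WmiPrvSE/splwow64 PIDs assumed).
SAMPLE_EVENTS = [
    ProcEvent(1504, 1200, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    ProcEvent(2872, 1504, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r"C:\Windows\explorer.exe",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a86310371a18d3cdbe1e452145557480.xlsb'),
    ProcEvent(2728, 2872, r"C:\Windows\SysWOW64\Wbem\wmic.exe",
              r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r"wmic process call create 'mshta C:\ProgramData\sPHMyyWtA.sct'"),
    ProcEvent(2552, 640, r"C:\Windows\system32\mshta.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"mshta C:\ProgramData\sPHMyyWtA.sct"),
    # benign Excel child (print helper) included so the hunt has a negative case
    ProcEvent(3104, 2872, r"C:\Windows\splwow64.exe",
              r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r"C:\Windows\splwow64.exe 12288"),
]

if __name__ == "__main__":
    for pid, tags in hunt(SAMPLE_EVENTS).items():
        print(pid, tags)
    print("wmic -> created:", stitch_wmi_children(SAMPLE_EVENTS))
```

The per-event tags catch the two visible stages (Excel spawning wmic, and mshta running a scriptlet out of ProgramData); the stitching step is what lets an alert on the wmic launcher be tied to the mshta process that later makes the network request, which PPID-based tree views, like the one above, cannot do.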

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\sPHMyyWtA.sct

    Filesize

    26KB

    MD5

    e29011f852581bf02c7b9583fd0641e4

    SHA1

    fb12e02d0edf3797cfb86ce0be4641c86ddce1f6

    SHA256

    cc6a4522f2a3319e3ee4e7fd535ea79f615a52b0878e611da7354d9ecaed28a7

    SHA512

    e168432848061d6496bf6825c9d1acfb38face418b53b5fbcacfb7df61a34d17d8943430c4ebc0f137332c16a866a803099af49a347590339eeaf5a557e975d8

  • memory/2872-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2872-1-0x000000007292D000-0x0000000072938000-memory.dmp

    Filesize

    44KB

  • memory/2872-9-0x000000007292D000-0x0000000072938000-memory.dmp

    Filesize

    44KB

  • memory/2872-12-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2872-13-0x000000007292D000-0x0000000072938000-memory.dmp

    Filesize

    44KB