Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-02-2024 05:55
Behavioral task: behavioral1
- Sample: a86310371a18d3cdbe1e452145557480.xlsb
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a86310371a18d3cdbe1e452145557480.xlsb
- Resource: win10v2004-20240226-en
General
- Target: a86310371a18d3cdbe1e452145557480.xlsb
- Size: 162KB
- MD5: a86310371a18d3cdbe1e452145557480
- SHA1: 2b8c6d9943bf07fe8dd2cdcdff187cc0f582aef2
- SHA256: b2146ce57cfa6785eb1c9a405abc48e844c15a5431b85c653f2bda57e03f7449
- SHA512: b7658b1961ac44232d3927065f0285601880f545e22cdaeefd9b0ac54cd4507a44954c31fc5cf8635f536668b7603dbd7f418ffc011f8b33fc8f83d10133b83a
- SSDEEP: 3072:oUCvK98aP+ZfxEhAH+lW1Z/z+OVQaw4+rJDEU/H7DcYtEeGTE:ozc8amNquH+0zQFHr5/bDc8j
Malware Config
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
  - Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3124 | 3196 | wmic.exe | EXCEL.EXE
  - Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 4024 | mshta.exe | (target process not listed in the report)
- Blocklisted process makes network request (4 IoCs)
  Processes (flow | pid | process):
  - 21 | 2000 | mshta.exe
  - 23 | 2000 | mshta.exe
  - 27 | 2000 | mshta.exe
  - 29 | 2000 | mshta.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
  - 3196 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes (description | pid | process): every entry is pid 3124, wmic.exe; the report records each of the following 21 tokens twice.
  - Token: SeIncreaseQuotaPrivilege
  - Token: SeSecurityPrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeLoadDriverPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeSystemtimePrivilege
  - Token: SeProfSingleProcessPrivilege
  - Token: SeIncBasePriorityPrivilege
  - Token: SeCreatePagefilePrivilege
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeDebugPrivilege
  - Token: SeSystemEnvironmentPrivilege
  - Token: SeRemoteShutdownPrivilege
  - Token: SeUndockPrivilege
  - Token: SeManageVolumePrivilege
  - Token: 33
  - Token: 34
  - Token: 35
  - Token: 36
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes (pid | process):
  - 3196 | EXCEL.EXE (recorded 16 times)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description | pid | process | target process):
  - PID 3196 wrote to memory of 3124 | 3196 | EXCEL.EXE | wmic.exe
  - PID 3196 wrote to memory of 3124 | 3196 | EXCEL.EXE | wmic.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3196)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a86310371a18d3cdbe1e452145557480.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe (PID 3124, child of EXCEL.EXE)
    Command line: wmic process call create 'mshta C:\ProgramData\sPHMyyWtA.sct'
    - Process spawned unexpected child process
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\mshta.exe (PID 2000; spawned by wmiprvse.exe PID 4024 per the signature above, so it appears as a separate top-level entry)
  Command line: mshta C:\ProgramData\sPHMyyWtA.sct
  - Process spawned unexpected child process
  - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 26KB
  MD5: e29011f852581bf02c7b9583fd0641e4
  SHA1: fb12e02d0edf3797cfb86ce0be4641c86ddce1f6
  SHA256: cc6a4522f2a3319e3ee4e7fd535ea79f615a52b0878e611da7354d9ecaed28a7
  SHA512: e168432848061d6496bf6825c9d1acfb38face418b53b5fbcacfb7df61a34d17d8943430c4ebc0f137332c16a866a803099af49a347590339eeaf5a557e975d8