Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27-02-2024 09:54
Behavioral task
behavioral1
Sample
a8dc4d27425b6112f42ec1ddcc48eb06.xls
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a8dc4d27425b6112f42ec1ddcc48eb06.xls
Resource
win10v2004-20240226-en
General
-
Target
a8dc4d27425b6112f42ec1ddcc48eb06.xls
-
Size
36KB
-
MD5
a8dc4d27425b6112f42ec1ddcc48eb06
-
SHA1
90c4f621dbbb9a693876013bce7bce09019f4623
-
SHA256
89d9dcfaf2a84a0c07ae64c0c6cc6654bddfdfed0a1f2db63004d7373308b8af
-
SHA512
1c1e0761752d644bb658e001b64883a90c7c883733157a79d4fefe28108dfbd47ca52a51caf97b4818d380cc1bba70535ecf3232eaa92dcc683fc13ce0cd8514
-
SSDEEP
768:MPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJ1bQMA6y44I2zJRqcX:Yok3hbdlylKsgqopeJBWhZFGkE+cL2NR
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
explorer.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3472 2572 explorer.exe EXCEL.EXE -
Blocklisted process makes network request 2 IoCs
Processes:
WScript.exeflow pid process 17 2220 WScript.exe 22 2220 WScript.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies registry class 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings explorer.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2572 EXCEL.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
EXCEL.EXEpid process 2572 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
EXCEL.EXEpid process 2572 EXCEL.EXE 2572 EXCEL.EXE 2572 EXCEL.EXE 2572 EXCEL.EXE 2572 EXCEL.EXE 2572 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
EXCEL.EXEexplorer.exedescription pid process target process PID 2572 wrote to memory of 3472 2572 EXCEL.EXE explorer.exe PID 2572 wrote to memory of 3472 2572 EXCEL.EXE explorer.exe PID 2052 wrote to memory of 2220 2052 explorer.exe WScript.exe PID 2052 wrote to memory of 2220 2052 explorer.exe WScript.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a8dc4d27425b6112f42ec1ddcc48eb06.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\explorer.exeexplorer.exe C:\Users\Public\Documents\zOg.vbs2⤵
- Process spawned unexpected child process
PID:3472
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\zOg.vbs"2⤵
- Blocklisted process makes network request
PID:2220
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
584B
MD5ab451593f281bbff9052e6006a4ae9e1
SHA154bdbb5d886ac489d8fc42dc6077737aedf4d437
SHA2566faad2b8a7703d833488ef272f4744419f4934e632c43c0c9781d369ce5a94f3
SHA5124a80384e7b3fd2ae5fb281eceea7a2d0bcaceaa094933dcfc9defc2c46073670d89672d43507088952e0325b6be6aeaa5d14171d759b0903ce2de5e978f867fe