Analysis
  max time kernel: 147s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-02-2024 09:59
Behavioral task: behavioral1
  Sample: a8dec65c1ec78b935c3f81d04fd95f7b.xls
  Resource: win7-20240221-en
General
  Target: a8dec65c1ec78b935c3f81d04fd95f7b.xls
  Size: 149KB
  MD5: a8dec65c1ec78b935c3f81d04fd95f7b
  SHA1: e3da190108096a2731af84638da23cea90b99c6f
  SHA256: 3a600f7bdc5f5166c9c20268c83ddd56eb867c17eb290764ada2b6d46e8affa6
  SHA512: cc853f1000269715b15e6282ac3b55a462d90bf73ce2e31981cd0c701286b98b079b22bc6c29620684bdb4d672b631cbca87a3ebc54b410303464102b105139d
  SSDEEP: 3072:uzg0rbx4/LiXkxGUBrpgD8IYPFmw2jcc0lbxOrmjhJsXwT7:UgV1ugIY1
Malware Config
Signatures
Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  pid   process  pid_target  target process  description
  740   cmd.exe  2728        EXCEL.EXE       Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  224   cmd.exe  2728        EXCEL.EXE       Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  324   cmd.exe  2728        EXCEL.EXE       Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
YARA rule match
Processes:
  resource                                                                yara_rule
  C:\Users\Admin\AppData\Local\Temp\a8dec65c1ec78b935c3f81d04fd95f7b.xls  office_xlm_macros
Deletes itself (1 IoCs)
Processes:
  pid   process
  2728  EXCEL.EXE
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. On its own this is weak evidence: Office hosts read these CentralProcessor keys during normal startup as well, so weigh it together with the process tree rather than treating it as an indicator by itself.
Processes:
  description        ioc                                                                                    process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                              process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
NTFS ADS (1 IoCs)
Zone.Identifier is the Mark-of-the-Web alternate data stream; here it is written by EXCEL.EXE itself into its Temp cache folder, not by a dropped payload. The file name between the folder and the stream name is missing from the report.
Processes:
  description   ioc                                                                     process
  File created  C:\Users\Admin\AppData\Local\Temp\71A75E00\:Zone.Identifier:$DATA      EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid   process
  2728  EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process
  2728  EXCEL.EXE
  2728  EXCEL.EXE

Suspicious use of SetWindowsHookEx (14 IoCs)
Processes:
  pid   process
  2728  EXCEL.EXE  (14 identical entries)
Suspicious use of WriteProcessMemory (8 IoCs)
Every entry pairs a parent with a child it has just created, and each child appears exactly twice. That is the pattern CreateProcess produces when the parent writes the new process's parameters into it, so these hits document the four spawns already listed above rather than a separate injection into an unrelated process.
Processes:
  description                       pid   process    target process
  PID 2728 wrote to memory of 324   2728  EXCEL.EXE  cmd.exe
  PID 2728 wrote to memory of 324   2728  EXCEL.EXE  cmd.exe
  PID 2728 wrote to memory of 224   2728  EXCEL.EXE  cmd.exe
  PID 2728 wrote to memory of 224   2728  EXCEL.EXE  cmd.exe
  PID 2728 wrote to memory of 740   2728  EXCEL.EXE  cmd.exe
  PID 2728 wrote to memory of 740   2728  EXCEL.EXE  cmd.exe
  PID 324 wrote to memory of 1864   324   cmd.exe    attrib.exe
  PID 324 wrote to memory of 1864   324   cmd.exe    attrib.exe

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
  [1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2728)
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a8dec65c1ec78b935c3f81d04fd95f7b.xls"
      - Deletes itself
      - Checks processor information in registry
      - Enumerates system info in registry
      - NTFS ADS
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\cmd.exe (PID 740)
        C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
        - Process spawned unexpected child process
    [2] C:\Windows\system32\cmd.exe (PID 224)
        C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
        - Process spawned unexpected child process
    [2] C:\Windows\system32\cmd.exe (PID 324)
        C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
        - Process spawned unexpected child process
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\system32\attrib.exe (PID 1864)
          attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
          - Views/modifies file attributes
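The two things worth alerting on in this tree are the Office-host-to-shell edge that the "Process spawned unexpected child process" signature fires on, and what the shells do: all three cmd.exe children target the same workbook, K4.XLS, in Excel's per-user XLSTART folder. Excel opens every workbook in XLSTART on launch, so a file there is a persistence location, and attrib -S -h strips the System and Hidden attributes that a plain del would otherwise skip. The script below is an added example, not code from the sandbox report or its vendor. It replays constructed process-creation events modelled on the PIDs and command lines above (EXCEL.EXE's own parent is not in the report, so ppid 0 is a placeholder), flags Office hosts spawning interpreters, and classifies commands that hide, unhide or delete XLSTART files. It generalises past this sample to other Office hosts, other shells and the install-wide XLSTART folder; the ProcEvent field names are hypothetical rather than any particular log schema.

```python
"""Flag Office-spawned shells and XLSTART tampering in process-creation events.

Added example, not code from the sandbox report or its vendor. The events are
constructed from the report's process tree (PIDs 2728, 740, 224, 324, 1864);
the ProcEvent field names are hypothetical, not any particular log schema.
"""
import re
from dataclasses import dataclass

# Office hosts whose direct children should almost never be interpreters.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Interpreters / LOLBins a macro typically uses as its first hop.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Excel auto-opens every workbook in XLSTART on launch: per-user folder
# (...\Microsoft\Excel\XLSTART) and install-wide folder (...\Office16\XLSTART).
XLSTART_RE = re.compile(r"\\Microsoft\\Excel\\XLSTART\\|\\Office\d+\\XLSTART\\", re.IGNORECASE)
# Verbs used to hide, unhide or remove such a file (cleanup / anti-forensics).
TAMPER_VERBS = {"del", "erase", "rd", "rmdir", "attrib"}
# Matches a leading 'cmd.exe /c' wrapper (quoted or bare image path).
CMD_WRAPPER_RE = re.compile(r'^(?:"[^"]*cmd\.exe"|\S*cmd\.exe)\s+/c\s+(.*)$', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inner_command(cmdline: str) -> str:
    """Strip a leading 'cmd.exe /c' wrapper, if present, and return the command it runs."""
    m = CMD_WRAPPER_RE.match(cmdline.strip())
    return m.group(1) if m else cmdline.strip()


def find_office_spawned_shells(events):
    """Return (parent_pid, child_pid, child_image) for every Office host -> shell edge."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) in OFFICE_HOSTS and basename(e.image) in SHELLS:
            hits.append((parent.pid, e.pid, basename(e.image)))
    return hits


def classify_xlstart_tamper(cmdline: str):
    """Return (verb, [xlstart paths]) if the command hides/unhides/deletes an XLSTART file, else None."""
    cmd = inner_command(cmdline)
    if not cmd:
        return None
    verb = re.sub(r"\.exe$", "", basename(cmd.split(None, 1)[0]))
    if verb not in TAMPER_VERBS:
        return None
    # Prefer quoted paths; fall back to bare tokens for unquoted arguments.
    paths = re.findall(r'"([^"]+)"', cmd) or cmd.split()[1:]
    targets = [p for p in paths if XLSTART_RE.search(p)]
    return (verb, targets) if targets else None


def triage(events):
    """Combine both checks into one dict a detection pipeline could emit."""
    tamper = []
    for e in events:
        hit = classify_xlstart_tamper(e.cmdline)
        if hit:
            tamper.append((e.pid, hit[0], hit[1]))
    return {"office_spawned_shells": find_office_spawned_shells(events),
            "xlstart_tamper": tamper}


# Constructed from the report's process tree. EXCEL.EXE's parent is not in the
# report, so ppid 0 is a placeholder.
K4 = r"C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
XLS = r"C:\Users\Admin\AppData\Local\Temp\a8dec65c1ec78b935c3f81d04fd95f7b.xls"
EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
CMD = r"C:\Windows\system32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(2728, 0, EXCEL, f'"{EXCEL}" "{XLS}"'),
    ProcEvent(740, 2728, CMD, f'{CMD} /c RD /S /Q "{K4}"'),
    ProcEvent(224, 2728, CMD, f'{CMD} /c Del /F /Q "{K4}"'),
    ProcEvent(324, 2728, CMD, f'{CMD} /c attrib -S -h "{K4}"'),
    ProcEvent(1864, 324, r"C:\Windows\system32\attrib.exe", f'attrib -S -h "{K4}"'),
]

if __name__ == "__main__":
    for key, rows in triage(SAMPLE_EVENTS).items():
        print(key)
        for row in rows:
            print("  ", row)
```

Run against the constructed events it reports the same three EXCEL.EXE to cmd.exe edges the signature counts, and four XLSTART tamper commands (rd, del, and attrib twice, once via the cmd.exe wrapper and once as the attrib.exe child). The attrib.exe hop is deliberately not an "Office spawned shell" hit: its parent is cmd.exe, which is why a detection that only looks one level down still needs the command-line classifier to see the whole cleanup.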
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 172KB
  MD5: 846dde7a2292d7bb944665d63e83aab5
  SHA1: 39d30de5f6a1a4553111e099b876dc2a354d6a86
  SHA256: 3b5d83b724a25ae3af84473c50815a93bde017ce0c2b867dbe95572208ba5057
  SHA512: b81d325d31c0be4d30f7637e67a3f523e867dcca31f582b55f6fc5fac231eee309f490935346400c72c9e5ef9e070c16abb6fc79a23000f1a5c14f87bf9d265a