Analysis
max time kernel: 148s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-02-2024 13:35
Behavioral task behavioral1
  Sample: ac01655c93b0e07eadfa2c8dc5d436bb.xlsm
  Resource: win7-20240221-en
Behavioral task behavioral2 (the run this report describes)
  Sample: ac01655c93b0e07eadfa2c8dc5d436bb.xlsm
  Resource: win10v2004-20240226-en
General
Target: ac01655c93b0e07eadfa2c8dc5d436bb.xlsm
Size: 249KB
MD5: ac01655c93b0e07eadfa2c8dc5d436bb
SHA1: 3da449447291121191cd82199118702a2f944f7a
SHA256: 2f359226395840e8367df9f593430bf94358172b4ec832a493bbc66c93f74095
SHA512: f6512538e704ef69819d748443478cb45b5c8f24647cd59755fef1bab01e3916dfc621857221b98f1db139a2b591e1e30d9162357e61374185aab534937ff73a
SSDEEP: 6144:SetZbAPPimNA/kjoitkOes4Otx/EkqB+JbAK:HtZbAPDNAcMyTtab4kK
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. Here EXCEL.EXE (PID 3292), opened on the sample, launched MSHTA.exe (PID 1816); Excel has no legitimate reason to start the HTML Application host while loading a workbook, so this is the strongest indicator in the report.
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1816 | 3292 | MSHTA.exe | EXCEL.EXE

Blocklisted process makes network request (6 IoCs)
The MSHTA.exe child, not Excel, is the process that goes out to the network, across six distinct flows.
  flow | pid | process
  34 | 1816 | MSHTA.exe
  35 | 1816 | MSHTA.exe
  37 | 1816 | MSHTA.exe
  40 | 1816 | MSHTA.exe
  44 | 1816 | MSHTA.exe
  47 | 1816 | MSHTA.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that these reads are attributed to EXCEL.EXE itself, which queries CPU details during normal startup, so on their own they are a weak signal.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
As above, the BIOS reads come from EXCEL.EXE and are common in benign Office runs.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | process
  3292 | EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  3292 | EXCEL.EXE
  3292 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (16 IoCs)
All 16 hits are EXCEL.EXE (PID 3292). Together with the clipboard-listener and shell-tray signatures above, these are ordinary Office UI behaviour and should not be weighted as malicious on their own.
  pid | process
  3292 | EXCEL.EXE (x16)

Suspicious use of WriteProcessMemory (2 IoCs)
Both writes are from EXCEL.EXE into the newly created MSHTA.exe process, which is consistent with process creation rather than a separate injection step; they corroborate the parent-child relationship recorded above.
  description | pid | process | target process
  PID 3292 wrote to memory of 1816 | 3292 | EXCEL.EXE | MSHTA.exe
  PID 3292 wrote to memory of 1816 | 3292 | EXCEL.EXE | MSHTA.exe
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 3292)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ac01655c93b0e07eadfa2c8dc5d436bb.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SYSTEM32\MSHTA.exe  (PID 1816)
       command line: MSHTA C:\ProgramData\IYqITJv.sct
       - Process spawned unexpected child process
       - Blocklisted process makes network request
The chain is the classic macro-to-LOLBin pattern: Excel hands mshta.exe a .sct scriptlet (a Windows Script Component file whose embedded script mshta will execute) sitting in C:\ProgramData, a world-writable directory commonly used as a drop location, and that scriptlet is what performs the network activity.
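The "Process spawned unexpected child process" signature and the process tree above amount to a simple rule: an Office host creating a script or proxy-execution binary, made worse when the command line points at a scriptlet in a writable directory. The following is an added example, not part of this report or of the sandbox's own detection code, that implements that rule in Python over a few constructed Sysmon Event ID 1-style records (the first record reproduces the Excel -> MSHTA event from this report; the other records, their PIDs and paths are made up for the demonstration). The field names (ParentImage, Image, CommandLine, ProcessId, ParentProcessId) follow Sysmon's naming; the binary and extension lists are assumptions chosen to generalise beyond mshta.exe and .sct.

```python
"""Flag Office applications spawning script/proxy-execution binaries.

Added example. The event records below are constructed to resemble
Sysmon Event ID 1 (process creation); only the first one is taken from
the sandbox report, the rest are invented for the demonstration.
"""
import ntpath
import re
from typing import Dict, List

# Office hosts that should not launch script interpreters while opening a document.
OFFICE_PARENTS = {
    "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe",
}

# Script hosts and proxy-execution binaries commonly abused by macro droppers (assumed list).
SUSPICIOUS_CHILDREN = {
    "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe",
}

# Payload types mshta/wscript will execute directly (assumed list).
SCRIPTLET_EXT = re.compile(r"\.(sct|hta|js|jse|vbs|vbe|wsf|ps1)\b", re.IGNORECASE)

# User- or world-writable drop locations, including the C:\ProgramData path seen in the report.
WRITABLE_DIRS = re.compile(r"\\(ProgramData|AppData|Temp|Users\\Public)\\", re.IGNORECASE)

# Constructed events. EVENTS[0] mirrors the report; the others are invented.
EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "1816", "ParentProcessId": "3292",
     "Image": r"C:\Windows\SYSTEM32\MSHTA.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "CommandLine": r"MSHTA C:\ProgramData\IYqITJv.sct"},
    {"ProcessId": "2100", "ParentProcessId": "3292",          # benign: print spooler helper
     "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ProcessId": "4444", "ParentProcessId": "5000",          # Word -> PowerShell, no file payload
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -nop -w hidden -enc QQBBAEEAQQA="},
    {"ProcessId": "6100", "ParentProcessId": "1200",          # mshta from Explorer, not Office
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]


def score_event(ev: Dict[str, str]) -> Dict[str, object]:
    """Return a severity and the list of reasons for a single process-creation event."""
    parent = ntpath.basename(ev["ParentImage"]).lower()
    child = ntpath.basename(ev["Image"]).lower()
    cmd = ev.get("CommandLine", "")
    reasons: List[str] = []
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"{parent} (pid {ev['ParentProcessId']}) spawned {child} (pid {ev['ProcessId']})")
        ext = SCRIPTLET_EXT.search(cmd)
        if ext:
            reasons.append(f"command line references a .{ext.group(1).lower()} script payload")
        if WRITABLE_DIRS.search(cmd):
            reasons.append("payload path is in a user- or world-writable directory")
    if not reasons:
        severity = "none"
    elif len(reasons) >= 3:
        severity = "high"      # Office -> LOLBin, script payload, writable drop path
    else:
        severity = "medium"    # Office -> LOLBin without a file-based payload in the command line
    return {"severity": severity, "reasons": reasons}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run score_event over a batch and return only the events that alert."""
    alerts = []
    for ev in events:
        result = score_event(ev)
        if result["severity"] != "none":
            alerts.append({"pid": ev["ProcessId"], **result})
    return alerts


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert["pid"], alert["severity"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Run as-is it alerts on two of the four constructed events: the report's Excel -> MSHTA launch scores high because all three conditions hold, the Word -> PowerShell event scores medium, and the splwow64.exe and Explorer-launched mshta.exe events are ignored because the first is not a script host and the second has no Office parent. The registry-read and UI-hook signatures from the report are deliberately not part of the rule, since EXCEL.EXE produces them in benign runs too.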
Network
MITRE ATT&CK Enterprise v15
Downloads
One file was retrieved during the run (name and source not recorded in this section):
Filesize: 25KB
MD5: f533b7802fb061541f5f206ab7957b92
SHA1: c9c88794ab63018009786f601722f103d30b9c00
SHA256: 5b825f606dfc7e67d23c00233216d5043241d6f014152825ad9eb690699e620d
SHA512: c6a961cffbf627a2d993468276ddb949714562935e8ea45fe154733ae248b120e258756c5020af5f9bee2b9598ddb4614d250200cfb8fbf22aae5540aa5f23dc