Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-02-2024 13:40

General

  • Target

    ac03a2d9b008d75a4d5781ba90d6ab75.xls

  • Size

    36KB

  • MD5

    ac03a2d9b008d75a4d5781ba90d6ab75

  • SHA1

    043f1af8805ea0cb21c958d1535b87a3fb195c0a

  • SHA256

    aca489f0fc8955260e4fb24aacc59a261891fd40e0fbcfcc3be9cc651b8035eb

  • SHA512

    817556ad5eb6e876ce789d5e8f52f9e68ca70e5778ce08e094e7a3ba1ad545521005f38cbd627c56e961bd533d12e4b99ef5b3c3d86e4aede3de9292090f69f2

  • SSDEEP

    768:2PqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJKdJFIAxh7usSLVN:Kok3hbdlylKsgqopeJBWhZFGkE+cL2N0

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ac03a2d9b008d75a4d5781ba90d6ab75.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\explorer.exe
      explorer.exe C:\Users\Public\Documents\nPrrovD.vbs
      2⤵
      • Process spawned unexpected child process
      PID:1940
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\nPrrovD.vbs"
      2⤵
      PID:876

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Public\Documents\nPrrovD.vbs

      Filesize

      600B

      MD5

      2a16944dcbb437e12f999aa101f0f26d

      SHA1

      90e71d0eb96ff41adb88bea69c8394c67e3cd79a

      SHA256

      01523f1774ea0eb6b7502ca98031addb047f3d8a2c6dd8dc9f7f0dbebffdca55

      SHA512

      11efd37fafbfb0eb0bef4d8a5b9f40dad401902697c1b0c8661a0bd4cfb055375b27b472f135d5b342f3c304f9cc4d3b5298d0ea016ea458d176367ca4fe3813

    • memory/2616-10-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-5-0x00007FFA472D0000-0x00007FFA472E0000-memory.dmp

      Filesize

      64KB

    • memory/2616-11-0x00007FFA44C20000-0x00007FFA44C30000-memory.dmp

      Filesize

      64KB

    • memory/2616-4-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-3-0x00007FFA472D0000-0x00007FFA472E0000-memory.dmp

      Filesize

      64KB

    • memory/2616-6-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-7-0x00007FFA472D0000-0x00007FFA472E0000-memory.dmp

      Filesize

      64KB

    • memory/2616-8-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-13-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-0-0x00007FFA472D0000-0x00007FFA472E0000-memory.dmp

      Filesize

      64KB

    • memory/2616-28-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-1-0x00007FFA472D0000-0x00007FFA472E0000-memory.dmp

      Filesize

      64KB

    • memory/2616-9-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-15-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-16-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-17-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-18-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-14-0x00007FFA44C20000-0x00007FFA44C30000-memory.dmp

      Filesize

      64KB

    • memory/2616-20-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-19-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-2-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB

    • memory/2616-12-0x00007FFA87250000-0x00007FFA87445000-memory.dmp

      Filesize

      2.0MB