Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28-02-2024 14:28
Behavioral task
behavioral1
Sample
ac1b8577a721e73837052d5593c90f12.xlsm
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ac1b8577a721e73837052d5593c90f12.xlsm
Resource
win10v2004-20240226-en
General
-
Target
ac1b8577a721e73837052d5593c90f12.xlsm
-
Size
328KB
-
MD5
ac1b8577a721e73837052d5593c90f12
-
SHA1
035a9336fc6a6436d38e68b781d953f1ab8b41f1
-
SHA256
c4bca83a64ee93e07d2e4dba612043123ae8760aad3878ead07762b1dd978d40
-
SHA512
2937eb315f1a729f38570108f9e039dc18dce937e6857b028821170423c5262bd43f150de14f7a9904b6eb33ee529fd4e56173303b20f2e3e998458f0e5f0c27
-
SSDEEP
6144:Q59HMInvpPbR/5L4YvQ6bgcsEEmi+efMi0oG2wzmtQH4kCUP1dB:Q59tRbtp4Wl8cnEQeNGHzm+d/B
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
mshta.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3692 1388 mshta.exe EXCEL.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1388 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
EXCEL.EXEpid process 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE 1388 EXCEL.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
EXCEL.EXEdescription pid process target process PID 1388 wrote to memory of 3692 1388 EXCEL.EXE mshta.exe PID 1388 wrote to memory of 3692 1388 EXCEL.EXE mshta.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ac1b8577a721e73837052d5593c90f12.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SYSTEM32\mshta.exemshta C:\ProgramData\UiFvWAOVUWShU.sct2⤵
- Process spawned unexpected child process
PID:3692
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD504d0cd1fd3a3937aa3dfabafc97299e9
SHA1375358fd0f1915791b305b86d0f71a5c58d130a9
SHA256828df944cbf1dd7475816027c0cee83009e03e8fa8e436487383da9115d7a4b7
SHA512eb2170972a3651ff67f449d142592acf10348c8516982482b5b80fb6f8020bcf3210a3aba5adc02b170dc6f2e0630600e9dcd922fb6415b8401f17aabddb0bac