36f6bebf6d72d93823c099be1f465542dc18b3e6ce67a335baf9b6234993c93e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac2b251fb7aa144307c7718160380cb2.xls
Size

178KB
MD5

ac2b251fb7aa144307c7718160380cb2
SHA1

12793377feecb4812ed60ec22eefbce6d2db3bd4
SHA256

36f6bebf6d72d93823c099be1f465542dc18b3e6ce67a335baf9b6234993c93e
SHA512

9b4710e681e27f75e571d8f2d3ff2c7a1ffd1e055fa444fabb6acd33f0576479ca317823a3af077bcf9eada32982a64d58fd4706fb4f777cae8c9a743ce01d12
SSDEEP

3072:BOl6Nc7yRzs1H75wkZUgsCgI4ukoRWGN/XD4RetWVbrzQ704Tk9O8EJtXwIv4b0:cl6Nc7yRzs1H75wkZUgsCgI4ukoRWGNw

Score

10^/10

macro xlm

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2940	2748	cmd.exe	37
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1856	2748	cmd.exe	37
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2384	2748	cmd.exe	37

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral2/files/0x0009000000023205-107.dat	office_xlm_macros

Deletes itself 1 IoCs

pid	Process
2748	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\B7475E00\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2748	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2748	EXCEL.EXE
2748	EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2748	EXCEL.EXE
2748	EXCEL.EXE
2748	EXCEL.EXE
2748	EXCEL.EXE
2748	EXCEL.EXE
2748	EXCEL.EXE
2748	EXCEL.EXE
2748	EXCEL.EXE
2748	EXCEL.EXE
2748	EXCEL.EXE
2748	EXCEL.EXE
2748	EXCEL.EXE
2748	EXCEL.EXE
2748	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2384	2748	EXCEL.EXE	98
PID 2748 wrote to memory of 2384	2748	EXCEL.EXE	98
PID 2748 wrote to memory of 1856	2748	EXCEL.EXE	97
PID 2748 wrote to memory of 1856	2748	EXCEL.EXE	97
PID 2748 wrote to memory of 2940	2748	EXCEL.EXE	93
PID 2748 wrote to memory of 2940	2748	EXCEL.EXE	93
PID 2384 wrote to memory of 4000	2384	cmd.exe	99
PID 2384 wrote to memory of 4000	2384	cmd.exe	99

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4000	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ac2b251fb7aa144307c7718160380cb2.xls"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  PID:1856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\system32\attrib.exe
    attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    3⤵
    - Views/modifies file attributes
    PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ac2b251fb7aa144307c7718160380cb2.xls

Filesize
190KB

MD5
777040f62d36ccd313aad66317c36557

SHA1
df04dcd8852b76b154b81371e884c504f13b9638

SHA256
f8972a5675fd377c1c808f2d2a7d1addda105c3efd897083b4c59620e54a239e

SHA512
ac14579e731bfe09476b12d83ca0d3ecc2d6a624f68989d970620f496f4da3929b85f2ae0865c2b1f23ea30ac345a2b4f6effbf891f581f472f2640f35c2b886

Download Submit
memory/2748-0-0x00007FFA5BFB0000-0x00007FFA5BFC0000-memory.dmp

Filesize
64KB

Download
memory/2748-1-0x00007FFA5BFB0000-0x00007FFA5BFC0000-memory.dmp

Filesize
64KB

Download
memory/2748-3-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-2-0x00007FFA5BFB0000-0x00007FFA5BFC0000-memory.dmp

Filesize
64KB

Download
memory/2748-5-0x00007FFA5BFB0000-0x00007FFA5BFC0000-memory.dmp

Filesize
64KB

Download
memory/2748-6-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-4-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-7-0x00007FFA5BFB0000-0x00007FFA5BFC0000-memory.dmp

Filesize
64KB

Download
memory/2748-8-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-10-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-11-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-9-0x00007FFA59F50000-0x00007FFA59F60000-memory.dmp

Filesize
64KB

Download
memory/2748-12-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-13-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-14-0x00007FFA59F50000-0x00007FFA59F60000-memory.dmp

Filesize
64KB

Download
memory/2748-15-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-16-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-17-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-19-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-18-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-21-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-20-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-22-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-35-0x0000013504EF0000-0x00000135056F0000-memory.dmp

Filesize
8.0MB

Download
memory/2748-47-0x0000013504EF0000-0x00000135056F0000-memory.dmp

Filesize
8.0MB

Download
memory/2748-49-0x0000013504EF0000-0x00000135056F0000-memory.dmp

Filesize
8.0MB

Download
memory/2748-52-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-55-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-58-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-60-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-64-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-71-0x0000013504EF0000-0x00000135056F0000-memory.dmp

Filesize
8.0MB

Download
memory/2748-79-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-82-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-100-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-110-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-111-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-112-0x0000013504EF0000-0x00000135056F0000-memory.dmp

Filesize
8.0MB

Download
memory/2748-113-0x0000013504EF0000-0x00000135056F0000-memory.dmp

Filesize
8.0MB

Download
memory/2748-114-0x0000013504EF0000-0x00000135056F0000-memory.dmp

Filesize
8.0MB

Download
memory/2748-115-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-118-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-119-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-120-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-121-0x0000013504EF0000-0x00000135056F0000-memory.dmp

Filesize
8.0MB

Download
memory/2748-122-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-123-0x0000013509C80000-0x000001350AC50000-memory.dmp

Filesize
15.8MB

Download
memory/2748-138-0x00007FFA5BFB0000-0x00007FFA5BFC0000-memory.dmp

Filesize
64KB

Download
memory/2748-139-0x00007FFA5BFB0000-0x00007FFA5BFC0000-memory.dmp

Filesize
64KB

Download
memory/2748-140-0x00007FFA5BFB0000-0x00007FFA5BFC0000-memory.dmp

Filesize
64KB

Download
memory/2748-141-0x00007FFA5BFB0000-0x00007FFA5BFC0000-memory.dmp

Filesize
64KB

Download
memory/2748-143-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download
memory/2748-142-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads