Analysis

  • max time kernel
    120s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-02-2024 17:11

General

  • Target

    ac6a30beef122bf03b58cdf3ca44da99.xls

  • Size

    133KB

  • MD5

    ac6a30beef122bf03b58cdf3ca44da99

  • SHA1

    acbb0ba349920edefa49b21a8c46160f14f41c24

  • SHA256

    42cc135bba7641d534f8588b94f13f838d9bf29f9b2b02990f1df1d76f02b8cf

  • SHA512

    1e67894392e7325032956b2b2492f574c6a9f72adf529537a6594110410b3560fe2bb14136cdcc81101e463dfc40438652c459487fd04f3dd24172aa5a63a7df

  • SSDEEP

    1536:F444SBBv4RVtUj0sqN4UnWHkLWX/6xBSu9sqIg2GHArAIVR+TtXWVbrzQ7ITkApK:NuzHArAFWVbrzQ7ITkylKDRvqTc

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes itself 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ac6a30beef122bf03b58cdf3ca44da99.xls
    1⤵
    • Deletes itself
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Windows\SysWOW64\attrib.exe
        attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
        3⤵
        • Views/modifies file attributes
        PID:1408
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      2⤵
      • Process spawned unexpected child process
      PID:1224
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      2⤵
      • Process spawned unexpected child process
      PID:1888

Network

MITRE ATT&CK Enterprise v15

Downloads
