Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-02-2024 18:50
Behavioral task: behavioral1
Sample: ac9838eccb489ac681ad7c32a82a69b3.xlsm
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: ac9838eccb489ac681ad7c32a82a69b3.xlsm
Resource: win10v2004-20240226-en
General
Target: ac9838eccb489ac681ad7c32a82a69b3.xlsm
Size: 369KB
MD5: ac9838eccb489ac681ad7c32a82a69b3
SHA1: 105a8bc6e20c2789b0c4edc0d462ace6988d5195
SHA256: 08d5c791dafbb2e7a6ffbad4ab6145ebfa70a1edbb22ca1247b0a4b6beb88426
SHA512: 00615abd46fad0c35ebb20a6bc06b011e181b958b90efc4e44e3a94cb730ac5cffe337a320d9b4ebc0503b4bbab068054af162e427947ed4307ba64d6c0a1282
SSDEEP: 6144:Qp9HMInvpPbR/5L4YvQ6bgcsEEmi+efMi0oGS1ji0NcYaRUZXcbScPYCvSzd8:Qp9tRbtp4Wl8cnEQeNGv0ik5ew8
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 5064 | 224 | mshta.exe | EXCEL.EXE
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
pid | process
224 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes:
pid | process
224 | EXCEL.EXE (16 identical entries)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
description | pid | process | target process
PID 224 wrote to memory of 5064 | 224 | EXCEL.EXE | mshta.exe
PID 224 wrote to memory of 5064 | 224 | EXCEL.EXE | mshta.exe
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ac9838eccb489ac681ad7c32a82a69b3.xlsm"
   PID: 224
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SYSTEM32\mshta.exe (child of PID 224)
      Command line: mshta C:\ProgramData\dCnYDZfVBfE.sct
      PID: 5064
      - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 17KB
MD5: 1cce17c8c4782ef351ca32db47c1edfa
SHA1: ca0979d2bb678fd9d97ad6cfcf03e0c133baf7a5
SHA256: ae52264507303cddbe4a8913b4c1ae6297e2008ae4014aa2ea20aaf14521ff98
SHA512: 0177249820238d84084aef91298452a8ca9b2f6de6204271e2a3d5b3addd9f12f2d8b9bb15612691255e2342e52aebf9b716969e7b0bb4d15932b3d51d1f9339