Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-02-2024 23:37
Behavioral task behavioral1
- Sample: afc37fe99822a78b3c2b87e30c559b00.xlsb
- Resource: win7-20240220-en
Behavioral task behavioral2
- Sample: afc37fe99822a78b3c2b87e30c559b00.xlsb
- Resource: win10v2004-20240226-en
General
- Target: afc37fe99822a78b3c2b87e30c559b00.xlsb
- Size: 111KB
- MD5: afc37fe99822a78b3c2b87e30c559b00
- SHA1: 26bf8bdf3101de21c750f734c16842c8f1c48a2c
- SHA256: 4989949bd322678be1f9f12b399a7714d9c4df1b0b4c4374c04ed671dc507d7d
- SHA512: dee17dc3d073fc0b9e150add7edace2d427012066bb5e3ded58137c754cefc1abbab8dfbb2a3cba37a8d846608490af33ec1af7f553fcb5d7993477c2d9c67fe
- SSDEEP: 3072:oUqMOWM3XCF/y9ismgi63LD6z2qoaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa3R8:o1WMHxy67MoaaaaaaaaaaaaaaaaaaaaF
Malware Config
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: wmic.exe, mshta.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 384 | 3700 | wmic.exe | EXCEL.EXE
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3956 | 3516 | mshta.exe | (not listed)
- Blocklisted process makes network request (3 IoCs)
  Processes: mshta.exe
  flow | pid | process
  20 | 3956 | mshta.exe
  21 | 3956 | mshta.exe
  26 | 3956 | mshta.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid | process
  3700 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes: wmic.exe
  description | pid | process
  All 42 entries are token adjustments by pid 384 (wmic.exe); the following sequence of 21 privileges is recorded twice:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: EXCEL.EXE
  pid | process
  3700 | EXCEL.EXE (16 identical entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: EXCEL.EXE
  description | pid | process | target process
  PID 3700 wrote to memory of 384 | 3700 | EXCEL.EXE | wmic.exe
  PID 3700 wrote to memory of 384 | 3700 | EXCEL.EXE | wmic.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\afc37fe99822a78b3c2b87e30c559b00.xlsb"
  PID: 3700
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe (child of PID 3700)
    Command line: wmic process call create 'mshta C:\ProgramData\OMpBBfLETXf.sct'
    PID: 384
    - Process spawned unexpected child process
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\mshta.exe
  Command line: mshta C:\ProgramData\OMpBBfLETXf.sct
  PID: 3956
  - Process spawned unexpected child process
  - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 15KB
  MD5: 2f60f42eedd2ae5f4f4472a8e4292b61
  SHA1: 588f6c018b3e063102d7706d1a2e0d754dc38593
  SHA256: a683e383521769594792362686692ef05452ddd0ad5b418fa69610f7add18029
  SHA512: cb3dd463bec7d5ad9896f487dd1fb99b9f4eb8dc41998054f25868f84df58fd7f917ef4556eabfe79d90f4084202a0bc6d44e4eb24a0b887d6fade82b9fa445d