Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-02-2024 03:36

General

  • Target
    ad9620b98d697b603f0c3ec4e618e4d3.xlsm
  • Size
    237KB
  • MD5
    ad9620b98d697b603f0c3ec4e618e4d3
  • SHA1
    7f7c8a54cbac1207f6a936fd174fba71db8b4be1
  • SHA256
    a2c0961c68aa8ec95213014e570ae11abe0ee633670c676b43914bd3c4b8ce52
  • SHA512
    1c4f9f24d387441711a9ba3171b7b3a2a86758a6c875f88f381a307d1fd06d02d5e023914fec03667da59dd9887f096e06bcd4379417bc57a3d1b492f4257dd9
  • SSDEEP
    6144:S4NSLcq+YXEsJZ0cSd3ipzX7DdXrW9c/qT:bPYXEsnSp+pCQqT

Score
10/10

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 8 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ad9620b98d697b603f0c3ec4e618e4d3.xlsm"
    PID:3368
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SYSTEM32\MSHTA.exe
      MSHTA C:\ProgramData\QGabxSwVNnZoHBs.sct
      PID:2088
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Modifies system certificate store

Downloads

  • C:\ProgramData\QGabxSwVNnZoHBs.sct
    Filesize
    25KB
    MD5
    384d0746179cd1c43daf8efb619c65f0
    SHA1
    4a27be65a8dda50d8c136dd53be4e0136b9c0643
    SHA256
    b5fa57334d68bab89ff681e3f08216407b8b3744bb8f0b6fd160c056b588d805
    SHA512
    ad39bc3ebe8784b9ab725cf66f115e4456c0b64a603230e992afbb403682bcae866c056cce0587a88fbd9223f91650f808af418a5bf15cc9603d470be990b1f3
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DACDF24B1A6BE956942FD9410960C1E
    Filesize
    5B
    MD5
    5bfa51f3a417b98e7443eca90fc94703
    SHA1
    8c015d80b8a23f780bdd215dc842b0f5551f63bd
    SHA256
    bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
    SHA512
    4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
