Analysis
max time kernel: 149s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 10:10
Behavioral task behavioral1
Sample: ae41465505f5e3112df8bf3071f00722.xls
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: ae41465505f5e3112df8bf3071f00722.xls
Resource: win10v2004-20240226-en
General
Target: ae41465505f5e3112df8bf3071f00722.xls
Size: 36KB
MD5: ae41465505f5e3112df8bf3071f00722
SHA1: 6cdcd3ef1be0dba601599a7f049b329d52f607c8
SHA256: a94d88d532c1bc66f823784f02f93a8302dbfcc4d9e3285af23d023657a303f9
SHA512: 2345a41ab8fe3807c76b12c870d6f6b33ae7b8a2ad374b7b0a388a0fa3e5415ad261135d26bc4cc86b4aca07ccf7b4f9defbd69a037429a94c7771c35ab4a7c3
SSDEEP: 768:nPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJTKFCjh0PBc4jeK:Pok3hbdlylKsgqopeJBWhZFGkE+cL2NB
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  pid   process       pid_target  target process  description
  2824  explorer.exe  2548        EXCEL.EXE       Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        process    ioc
  Key opened         EXCEL.EXE  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried  EXCEL.EXE  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried  EXCEL.EXE  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        process    ioc
  Key opened         EXCEL.EXE  \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried  EXCEL.EXE  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried  EXCEL.EXE  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Note that all six registry reads are attributed to the EXCEL.EXE process itself, not to a dropped payload, so on their own they are weak evidence of sandbox evasion by the document.
Modifies registry class (1 IoC)
Processes:
  description  process       ioc
  Key created  explorer.exe  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid   process
  2548  EXCEL.EXE
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid   process
  2548  EXCEL.EXE
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid   process
  2548  EXCEL.EXE  (6 occurrences)
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process       target process
  PID 2548 wrote to memory of 2824  2548  EXCEL.EXE     explorer.exe
  PID 2548 wrote to memory of 2824  2548  EXCEL.EXE     explorer.exe
  PID 2888 wrote to memory of 3856  2888  explorer.exe  WScript.exe
  PID 2888 wrote to memory of 3856  2888  explorer.exe  WScript.exe
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 2548)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ae41465505f5e3112df8bf3071f00722.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\explorer.exe  (PID 2824)
      command line: explorer.exe C:\Users\Public\Documents\a5SV.vbs
      - Process spawned unexpected child process
C:\Windows\explorer.exe  (PID 2888)
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\System32\WScript.exe  (PID 3856)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\a5SV.vbs"
Note the break in the tree: Excel does not start the script host directly. It starts explorer.exe with the .vbs path as its only argument, and the script is then executed by WScript.exe under a separate, COM-activated explorer.exe instance (PID 2888, the /factory ... -Embedding command line), so the recorded parent of WScript.exe is not EXCEL.EXE. A detection that only looks at Excel's direct children sees explorer.exe and stops there.
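The signature "Process spawned unexpected child process" fires on the EXCEL.EXE to explorer.exe edge only; the script host that actually runs a5SV.vbs (WScript.exe, PID 3856) hangs off a different explorer.exe (PID 2888), so a pure parent/child rule never ties it back to the document. The Python below is an added example, not part of this report or of the sandbox's own detection code. It replays the process tree above as constructed process-creation events and correlates the two stages by the script path carried in the command line. The top-level parent PID 1000, the Office application set, the allowlist of expected Office children and the set of script hosts are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumed sets for this example. A production rule would carry a much
# longer allowlist of children Office applications legitimately start.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Windows path ending in a script extension, quoted or not.
SCRIPT_PATH = re.compile(r'[a-z]:\\[^"\s]+?\.(?:vbs|vbe|js|jse|wsf|hta)\b', re.I)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (the fields a Sysmon EID 1 or EDR telemetry row carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's process tree. The ppid 1000 for the
# two top-level processes is an assumption; the report does not show it.
EVENTS = [
    ProcEvent(2548, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\ae41465505f5e3112df8bf3071f00722.xls"'),
    ProcEvent(2824, 2548, r"C:\Windows\explorer.exe",
              r"explorer.exe C:\Users\Public\Documents\a5SV.vbs"),
    ProcEvent(2888, 1000, r"C:\Windows\explorer.exe",
              r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    ProcEvent(3856, 2888, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\a5SV.vbs"'),
]


def basename(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return alerts as (kind, origin_pid, pid, detail) tuples, in detection order."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    watched_scripts = {}  # script path (lower-cased) -> pid of the Office child that carried it

    # Stage 1: an Office application spawning a child it is not expected to start.
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in OFFICE_APPS:
            continue
        child = basename(e.image)
        if child in EXPECTED_OFFICE_CHILDREN:
            continue
        alerts.append(("office_unexpected_child", parent.pid, e.pid, child))
        # Remember any script path the child was handed; it may be executed elsewhere.
        for m in SCRIPT_PATH.finditer(e.cmdline):
            watched_scripts[m.group(0).lower()] = e.pid

    # Stage 2: a script host executes one of those paths, whatever its recorded parent.
    for e in events:
        if basename(e.image) not in SCRIPT_HOSTS:
            continue
        for m in SCRIPT_PATH.finditer(e.cmdline):
            origin = watched_scripts.get(m.group(0).lower())
            if origin is not None:
                alerts.append(("script_host_linked_to_office", origin, e.pid, m.group(0)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

Run against the constructed events, stage 1 reports explorer.exe (2824) as an unexpected child of EXCEL.EXE (2548), and stage 2 links WScript.exe (3856) back to that same explorer.exe through the shared path C:\Users\Public\Documents\a5SV.vbs even though its parent is PID 2888. Keying the second stage on the script path rather than on the parent PID is what survives the COM-activation hop; in real telemetry the same join should also be bounded by host and by a short time window.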
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 542B
MD5: 1801bf56d0920860df4e2f947ab4c6ca
SHA1: 3a50bdeb2d8e79f71058cf9f50d5102370062604
SHA256: 2bf88180ac74c0ca05f2e27a7751d050fa9a801f52c278b7b2c07547f0e9a14f
SHA512: 1637ab28baea6d09425414df990b928cb5538dd8dc3d830f6f6ccd8803f95d2ab42fd01420c0159540382086638c3448023afdf3979fcf26de8a920bc60f3f76