Analysis
max time kernel: 101s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 10:43

Behavioral task: behavioral1
Sample: ae51f9c84aa952eb79dc4a1ae368aa3f.xls
Resource: win7-20240221-en

General
Target: ae51f9c84aa952eb79dc4a1ae368aa3f.xls
Size: 125KB
MD5: ae51f9c84aa952eb79dc4a1ae368aa3f
SHA1: 3e05f5c32bd710121bfeeac0835a99142694221d
SHA256: 54c8e83e3600d0c86b6a24b9fc2522ea1f1ced9e7296aef429846ac75dbfff9d
SHA512: 4cd0b64940cfba5c1814068a893291513b00cb7c41ef2f8b0877bdfab055aa62bcfc949badf0e8c415f37c509ec04689bda501f9e1922cac5f5801d02c0eece2
SSDEEP: 1536:YUUUURJYAKZ0B6cVOPg1KAsWVbrzQ7ITkR62GUM88ScJtXwCv4DM1Yv9tK:5ApVbrzQ7ITk98jhJtXwCv4uYvHK
Malware Config
Signatures
Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe, cmd.exe, cmd.exe
  description                                                                                            pid   pid_target  process  target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process  4772  1196        cmd.exe  EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process  3552  1196        cmd.exe  EXCEL.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process  1884  1196        cmd.exe  EXCEL.EXE
YARA rule match
The office_xlm_macros rule flags Excel 4.0 (XLM) macro sheets, the legacy macro format that executes without any VBA project.
Processes:
  resource                                                                yara_rule
  C:\Users\Admin\AppData\Local\Temp\ae51f9c84aa952eb79dc4a1ae368aa3f.xls  office_xlm_macros
Deletes itself (1 IoCs)
Processes:
  pid   process
  1196  EXCEL.EXE
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                      process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS       EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
NTFS ADS (1 IoCs)
Zone.Identifier is the Mark-of-the-Web stream. Excel writing it onto its temporary copy of a document that carries an internet zone marker is standard Office handling of such files, so this IoC on its own is not evidence of malicious activity.
Processes:
  description   ioc                                                                   process
  File created  C:\Users\Admin\AppData\Local\Temp\79475E00\:Zone.Identifier:$DATA    EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid   process
  1196  EXCEL.EXE

Suspicious use of SetWindowsHookEx (14 IoCs)
Processes:
  pid   process
  1196  EXCEL.EXE (14 calls)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: EXCEL.EXE, cmd.exe
  description                  pid   process    target process
  PID 1196 wrote to memory of 1884  1196  EXCEL.EXE  cmd.exe
  PID 1196 wrote to memory of 1884  1196  EXCEL.EXE  cmd.exe
  PID 1196 wrote to memory of 3552  1196  EXCEL.EXE  cmd.exe
  PID 1196 wrote to memory of 3552  1196  EXCEL.EXE  cmd.exe
  PID 1196 wrote to memory of 4772  1196  EXCEL.EXE  cmd.exe
  PID 1196 wrote to memory of 4772  1196  EXCEL.EXE  cmd.exe
  PID 1884 wrote to memory of 4928  1884  cmd.exe    attrib.exe
  PID 1884 wrote to memory of 4928  1884  cmd.exe    attrib.exe

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
[1196] "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ae51f9c84aa952eb79dc4a1ae368aa3f.xls"
       - Deletes itself
       - Checks processor information in registry
       - Enumerates system info in registry
       - NTFS ADS
       - Suspicious behavior: AddClipboardFormatListener
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory
  [4772] C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
         - Process spawned unexpected child process
  [3552] C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
         - Process spawned unexpected child process
  [1884] C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
         - Process spawned unexpected child process
         - Suspicious use of WriteProcessMemory
    [4928] attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
           - Views/modifies file attributes
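The tree above is the chain the "Process spawned unexpected child process" signature fires on: EXCEL.EXE (1196) launches cmd.exe three times, and all three commands target K4.XLS in the user's XLSTART folder, first stripping its system and hidden attributes, then deleting it. XLSTART is Excel's auto-load directory, so any workbook placed there opens every time Excel starts; the report records the cleanup of that file but no event that wrote it. Below is an added Python example, not part of this report or of the sandbox's own detection logic, that runs three rules (an Office parent spawning a shell, a command line touching XLSTART, and an attrib/del/rd cleanup command) over process-creation events constructed to mirror this tree. The ProcEvent layout, the rule names, the explorer.exe parent and the final benign cmd.exe event are assumptions made for the example; the PIDs and command lines are copied from the report.

```python
"""Added example: triage rules for an Office -> cmd.exe cleanup chain.

Not part of the sandbox report.  Runs over process-creation events
constructed to mirror the report's process tree (PIDs and command lines
copied from it; the explorer.exe parent and the last benign event are
assumptions).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Parent images from which a shell child is unexpected (assumed list).
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Child images treated as shells / script hosts (assumed list).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Excel's auto-load folder: anything placed here opens on every Excel start.
XLSTART_RE = re.compile(r"\\Microsoft\\Excel\\XLSTART\\", re.IGNORECASE)
# The three cleanup verbs seen in the report: attrib -S -h, Del /F, RD /S.
CLEANUP_RE = re.compile(r"\b(attrib\s+(-[shr]\s*)+|del\s+/f|rd\s+/s)", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rules_for(ev: ProcEvent) -> List[str]:
    """Names of the rules that fire on one event, in a fixed order."""
    hits = []
    if basename(ev.parent_image) in OFFICE_IMAGES and basename(ev.image) in SHELL_IMAGES:
        hits.append("office_spawns_shell")
    if XLSTART_RE.search(ev.cmdline):
        hits.append("xlstart_path")
    if CLEANUP_RE.search(ev.cmdline):
        hits.append("self_cleanup")
    return hits


def triage(events) -> Dict[int, List[str]]:
    """Map pid -> fired rules, keeping only events with at least one hit."""
    findings = {}
    for ev in events:
        hits = rules_for(ev)
        if hits:
            findings[ev.pid] = hits
    return findings


def verdict(events) -> str:
    """'suspicious' when an Office app spawned a shell whose command line
    touched XLSTART; a lone office_spawns_shell hit is a weaker signal."""
    for hits in triage(events).values():
        if "office_spawns_shell" in hits and "xlstart_path" in hits:
            return "suspicious"
    return "clean"


EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
CMD = r"C:\Windows\system32\cmd.exe"
K4 = r"C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
DOC = r"C:\Users\Admin\AppData\Local\Temp\ae51f9c84aa952eb79dc4a1ae368aa3f.xls"

# Constructed events mirroring the report's tree.  The explorer.exe parent
# (pid 900) and the final interactive cmd.exe (pid 5000) are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(1196, 900, r"C:\Windows\explorer.exe", EXCEL, f'"{EXCEL}" "{DOC}"'),
    ProcEvent(4772, 1196, EXCEL, CMD, f'{CMD} /c RD /S /Q "{K4}"'),
    ProcEvent(3552, 1196, EXCEL, CMD, f'{CMD} /c Del /F /Q "{K4}"'),
    ProcEvent(1884, 1196, EXCEL, CMD, f'{CMD} /c attrib -S -h "{K4}"'),
    ProcEvent(4928, 1884, CMD, r"C:\Windows\system32\attrib.exe", f'attrib -S -h "{K4}"'),
    ProcEvent(5000, 900, r"C:\Windows\explorer.exe", CMD, CMD),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
    print("verdict:", verdict(SAMPLE_EVENTS))
```

The three cmd.exe children each trip all three rules, attrib.exe (4928) trips the XLSTART and cleanup rules but not the Office-parent rule because its parent is cmd.exe, and the explorer-launched cmd.exe is left alone. In production the same rules would be fed from Sysmon event 1 or an EDR process-creation stream rather than the constructed list.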
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 148KB
MD5: 5c92ef6c6c9758d538350edd6d88df71
SHA1: a661e8c884d3e149abc7af37824ff710d30ba58b
SHA256: e6cb64d376e9793c04ee10cb7c07923542ebdfed4d84c5578bf2aca0eb833e89
SHA512: f2ff3fd9677ec7a62a585bb2c5f7ef1836a94b279617deb4a97e0f53fce693e455960fcd8a1aaf4def2b2c17bff46bb9f8c7f3a54139d7a1739c6d3b4fa3ec33