Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-02-2024 14:44
Behavioral task
behavioral1
Sample
aec46d8da7a1c5e06d6ceadb8691dbe3.xlsb
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
aec46d8da7a1c5e06d6ceadb8691dbe3.xlsb
Resource
win10v2004-20240226-en
General
-
Target
aec46d8da7a1c5e06d6ceadb8691dbe3.xlsb
-
Size
116KB
-
MD5
aec46d8da7a1c5e06d6ceadb8691dbe3
-
SHA1
477a896c207c3b1ebc866f9862aa481bcf8c001c
-
SHA256
2b1206d427d4676f608ce841f7e847fd9949ab8457d66a3071e9408321e86434
-
SHA512
27ec53772b17325e0c2937ed165a5d493ba01cee54d6a5b7b6a94330d7c728ae464b922d10429c3595bd6b355bf1309242182d8b5821b9b8eb08861c7807525a
-
SSDEEP
3072:oUanAhD3TysKYZM8i63LD6z2qoaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa3RY3/:oDAh3PKYo67Moaaaaaaaaaaaaaaaaaal
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
wmic.exemshta.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2328 4964 wmic.exe EXCEL.EXE Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 464 2272 mshta.exe -
Blocklisted process makes network request 2 IoCs
Processes:
mshta.exeflow pid process 21 464 mshta.exe 24 464 mshta.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 4964 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
wmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 2328 wmic.exe Token: SeSecurityPrivilege 2328 wmic.exe Token: SeTakeOwnershipPrivilege 2328 wmic.exe Token: SeLoadDriverPrivilege 2328 wmic.exe Token: SeSystemProfilePrivilege 2328 wmic.exe Token: SeSystemtimePrivilege 2328 wmic.exe Token: SeProfSingleProcessPrivilege 2328 wmic.exe Token: SeIncBasePriorityPrivilege 2328 wmic.exe Token: SeCreatePagefilePrivilege 2328 wmic.exe Token: SeBackupPrivilege 2328 wmic.exe Token: SeRestorePrivilege 2328 wmic.exe Token: SeShutdownPrivilege 2328 wmic.exe Token: SeDebugPrivilege 2328 wmic.exe Token: SeSystemEnvironmentPrivilege 2328 wmic.exe Token: SeRemoteShutdownPrivilege 2328 wmic.exe Token: SeUndockPrivilege 2328 wmic.exe Token: SeManageVolumePrivilege 2328 wmic.exe Token: 33 2328 wmic.exe Token: 34 2328 wmic.exe Token: 35 2328 wmic.exe Token: 36 2328 wmic.exe Token: SeIncreaseQuotaPrivilege 2328 wmic.exe Token: SeSecurityPrivilege 2328 wmic.exe Token: SeTakeOwnershipPrivilege 2328 wmic.exe Token: SeLoadDriverPrivilege 2328 wmic.exe Token: SeSystemProfilePrivilege 2328 wmic.exe Token: SeSystemtimePrivilege 2328 wmic.exe Token: SeProfSingleProcessPrivilege 2328 wmic.exe Token: SeIncBasePriorityPrivilege 2328 wmic.exe Token: SeCreatePagefilePrivilege 2328 wmic.exe Token: SeBackupPrivilege 2328 wmic.exe Token: SeRestorePrivilege 2328 wmic.exe Token: SeShutdownPrivilege 2328 wmic.exe Token: SeDebugPrivilege 2328 wmic.exe Token: SeSystemEnvironmentPrivilege 2328 wmic.exe Token: SeRemoteShutdownPrivilege 2328 wmic.exe Token: SeUndockPrivilege 2328 wmic.exe Token: SeManageVolumePrivilege 2328 wmic.exe Token: 33 2328 wmic.exe Token: 34 2328 wmic.exe Token: 35 2328 wmic.exe Token: 36 2328 wmic.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
EXCEL.EXEpid process 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE 4964 EXCEL.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
EXCEL.EXEdescription pid process target process PID 4964 wrote to memory of 2328 4964 EXCEL.EXE wmic.exe PID 4964 wrote to memory of 2328 4964 EXCEL.EXE wmic.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\aec46d8da7a1c5e06d6ceadb8691dbe3.xlsb"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\System32\Wbem\wmic.exewmic process call create 'mshta C:\ProgramData\YKCdakNtTmr.sct'2⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
C:\Windows\system32\mshta.exemshta C:\ProgramData\YKCdakNtTmr.sct1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:464
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14KB
MD5ddce19b9903f579aa00f77b4b3676ac3
SHA1c47755e7a82979aa272f0b7b5de4cb4ab12e72a7
SHA2568880191127574faf1694bd8619faabde8ffdf1e961f86f5002d6797fe376d1e3
SHA51240b186ff3157ed33532d970377be1ad78c996ee1f120f7ab304f96e6afbfcd4b863e9d982932f061d244305986eb417fe08f7a0d03e122d333f421d72dc0a958