Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-02-2024 16:32
Behavioral task
behavioral1
Sample
aef8e94c089eb854ff05fa01a24e36c7.xls
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
aef8e94c089eb854ff05fa01a24e36c7.xls
Resource
win10v2004-20240226-en
General
-
Target
aef8e94c089eb854ff05fa01a24e36c7.xls
-
Size
36KB
-
MD5
aef8e94c089eb854ff05fa01a24e36c7
-
SHA1
895a0d509244c9f0329ff953908c33190573292b
-
SHA256
45f7965e784a9e2c4afdf5a3aab0e56328cc8d54a6423b9790c1a028c4e92adf
-
SHA512
eeb4cef165527698c5c3cfb1bd36adc6fe2da06865e4616bce0439be41c423dfccdbe80be10ba552e1113674ba58821e3ed7abfe0c5137e66fa4fbca28299f39
-
SSDEEP
768:PPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJTUEnkjX8USLc1:nok3hbdlylKsgqopeJBWhZFGkE+cL2NF
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
explorer.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3000 4460 explorer.exe EXCEL.EXE -
Blocklisted process makes network request 2 IoCs
Processes:
WScript.exeflow pid process 26 1420 WScript.exe 34 1420 WScript.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies registry class 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings explorer.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 4460 EXCEL.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
EXCEL.EXEpid process 4460 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
EXCEL.EXEpid process 4460 EXCEL.EXE 4460 EXCEL.EXE 4460 EXCEL.EXE 4460 EXCEL.EXE 4460 EXCEL.EXE 4460 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
EXCEL.EXEexplorer.exedescription pid process target process PID 4460 wrote to memory of 3000 4460 EXCEL.EXE explorer.exe PID 4460 wrote to memory of 3000 4460 EXCEL.EXE explorer.exe PID 2800 wrote to memory of 1420 2800 explorer.exe WScript.exe PID 2800 wrote to memory of 1420 2800 explorer.exe WScript.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\aef8e94c089eb854ff05fa01a24e36c7.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\explorer.exeexplorer.exe C:\Users\Public\Documents\sFx.vbs2⤵
- Process spawned unexpected child process
PID:3000
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sFx.vbs"2⤵
- Blocklisted process makes network request
PID:1420
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
586B
MD5d815d9d60dc701eb114b57298102fc7e
SHA1360c1734a124546476f0b4f7ad4ee25d0838e9ad
SHA2566ac19fb19edf0cec7b1d8d78bbd31767e40af4c9b18ef9dbee34aa45139a3652
SHA512769ee63fb02c8acef94e2442e0305d32630da1d086da1ae1c9dea4730baded5d4e681e597baf6beee36888fd2fb57438628ce9cee5c701e3ca085ec18c2c1a3c