Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
01-03-2024 03:37
Behavioral task
behavioral1
Sample
b0398e7c21b496f5ffdb4072b8106b33.xls
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b0398e7c21b496f5ffdb4072b8106b33.xls
Resource
win10v2004-20240226-en
General
-
Target
b0398e7c21b496f5ffdb4072b8106b33.xls
-
Size
36KB
-
MD5
b0398e7c21b496f5ffdb4072b8106b33
-
SHA1
502212ee9b160926894914a6c415a73850311efa
-
SHA256
d6c1152b58e9824e2297666f13e67bc0a8cf46dbd57ab7b94957dc8f287c7dc4
-
SHA512
0689f8fbc592da298b752ca5647ce04b4bf1d1da41f5c58cf753e511224c739e2808683633080de0e4188d9a7a2dec393328bb72140902c110c9b240c59e3cc5
-
SSDEEP
768:NPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJEgQ57wSYbaVt5:lok3hbdlylKsgqopeJBWhZFGkE+cL2Nz
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
explorer.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 572 4016 explorer.exe EXCEL.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies registry class 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings explorer.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 4016 EXCEL.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EXCEL.EXEpid process 4016 EXCEL.EXE 4016 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
EXCEL.EXEpid process 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE 4016 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
EXCEL.EXEexplorer.exedescription pid process target process PID 4016 wrote to memory of 572 4016 EXCEL.EXE explorer.exe PID 4016 wrote to memory of 572 4016 EXCEL.EXE explorer.exe PID 2320 wrote to memory of 3444 2320 explorer.exe WScript.exe PID 2320 wrote to memory of 3444 2320 explorer.exe WScript.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b0398e7c21b496f5ffdb4072b8106b33.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\explorer.exeexplorer.exe C:\Users\Public\Documents\g7d8.vbs2⤵
- Process spawned unexpected child process
PID:572
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\g7d8.vbs"2⤵PID:3444
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:81⤵PID:3476
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
599B
MD53d4cbf23fa7b6fef22fba67b5de9ad2b
SHA18c5730e67257cc3dac12531d0ce696f07988e557
SHA25653619ec1dbf40c085fa9f3db1138a0b97734bad0166ad73cae6f47538e92bc7a
SHA51270400a6e88a4637b253fd68d21c2f83057088e8160e3201bf23509f0c7f9f1dbe3331546d4d3f6aef807099ac9fedd00d68066a54e5f7ecd9f7746806167146c