Analysis

  • max time kernel
    100s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-03-2024 03:47

General

  • Target

    b03eaae645175fee6b0f687c6050dddc.xlsm

  • Size

    301KB

  • MD5

    b03eaae645175fee6b0f687c6050dddc

  • SHA1

    9d35aa426118f0de3407e589a73b6cb6271419a5

  • SHA256

    c7145230db673b23895e029db218f15a5f99e338f1ed5b842d2ef0ab61496b9d

  • SHA512

    85ae9a917922c88b7101eace1f5e2e26fa459f7d68d513ce75e16e1ccf1fcdc378233df06d54b9348cfe79b5e98a5a660cadfa137daca6c40e3b802d68d44ecc

  • SSDEEP

    6144:S+NSLcq+YXEsz1rqlvfGMklr2WfbeYh0HS64Swzp:FPYXEsRelmM4r56VHe

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoC

    This typically indicates the parent process was compromised via an exploit or macro. In this run EXCEL.EXE (PID 3944), opened on the .xlsm, spawned MSHTA.exe (PID 4580) to execute the scriptlet C:\ProgramData\smZERrFnhAx.sct, which is consistent with a VBA macro dropping a COM scriptlet and launching it through mshta.

  • Blocklisted process makes network request 6 IoCs

    Reported against MSHTA.exe (PID 4580); mshta is a script host that is rarely expected to initiate network connections in an Office-document workflow, so the combination of this signature with the parent/child chain above is the strongest signal in the report.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments. Office reads these keys during normal start-up, so on its own this is weak evidence; it is reported here against EXCEL.EXE (PID 3944).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs

    Reported against MSHTA.exe (PID 4580). The 5-byte CryptnetUrlCache entry listed under Downloads is a CryptoAPI download-cache artifact (certificate, CRL or CTL fetches) and typically accompanies this kind of store update.

  • Suspicious behavior: AddClipboardFormatListener 1 IoC
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b03eaae645175fee6b0f687c6050dddc.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\SYSTEM32\MSHTA.exe
      MSHTA C:\ProgramData\smZERrFnhAx.sct
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Modifies system certificate store
      PID:4580
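A detection that encodes the chain above (Office parent, script-host child, scriptlet argument under a user-writable directory), written here as an added example; it is not output of the sandbox and not code from this sample. The process-creation records in SAMPLE_EVENTS are constructed to mirror the tree above: the parent of EXCEL.EXE (explorer.exe, PID 1234) and the benign splwow64.exe control event are assumptions, and the image and extension lists are illustrative rather than a complete blocklist.

```python
"""Detection logic for an Office parent spawning a script host that runs a
dropped script/scriptlet from a user-writable directory.

Added example, not sandbox output. SAMPLE_EVENTS is constructed to mirror the
report's process tree; the explorer.exe parent (PID 1234) and the splwow64.exe
control event are assumptions.
"""

import ntpath
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SCRIPT_EXTS = {".sct", ".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd"}
# Directory fragments a standard user can write to; compared case-insensitively.
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\public\\",
                 "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 or an EDR equivalent)."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


_ARG_RE = re.compile(r'"([^"]+)"|(\S+)')


def argv(cmdline: str) -> list:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(cmdline)]


def script_args(cmdline: str) -> list:
    """Arguments after argv[0] whose extension marks them as script or scriptlet files."""
    return [a for a in argv(cmdline)[1:] if ntpath.splitext(a)[1].lower() in SCRIPT_EXTS]


def in_writable_dir(path: str) -> bool:
    """True when the path lies under a directory any user can write to."""
    p = path.lower()
    return any(d in p for d in WRITABLE_DIRS)


def evaluate(events) -> list:
    """Apply both rules to every event; findings are keyed on the child PID."""
    findings = []
    for ev in events:
        parent = ntpath.basename(ev.parent_image).lower()
        child = ntpath.basename(ev.image).lower()
        # Rule 1: an Office application spawning a script host
        # (the report's "Process spawned unexpected child process").
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            findings.append(Finding(ev.pid, "office_spawns_script_host",
                                    f"{parent} (pid {ev.parent_pid}) -> {child}: {ev.cmdline}"))
        # Rule 2: a script host executing a script dropped in a user-writable
        # location, independent of who the parent is.
        if child in SCRIPT_HOSTS:
            for s in script_args(ev.cmdline):
                if in_writable_dir(s):
                    findings.append(Finding(ev.pid, "script_host_runs_dropped_script", s))
    return findings


# Constructed records mirroring the report's tree; not real telemetry.
EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    ProcEvent(3944, EXCEL,
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\b03eaae645175fee6b0f687c6050dddc.xlsm"',
              1234, r"C:\Windows\explorer.exe"),           # parent assumed
    ProcEvent(4580, r"C:\Windows\SYSTEM32\MSHTA.exe",
              r"MSHTA C:\ProgramData\smZERrFnhAx.sct",
              3944, EXCEL),
    ProcEvent(5000, r"C:\Windows\System32\splwow64.exe",   # benign control, assumed
              "splwow64.exe", 3944, EXCEL),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

To run this against real telemetry, map Sysmon Event ID 1 fields ProcessId, Image, CommandLine, ParentProcessId and ParentImage onto ProcEvent; rule 1 alone will fire on some legitimate add-ins, so the dropped-script rule is what separates this chain from noise.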

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\smZERrFnhAx.sct

    Filesize

    25KB

    MD5

    aa531e556219495608454adcbd555078

    SHA1

    b81aa83d37a5110f39155e4a90a061612da1a2e8

    SHA256

    9790e16f9ae156304fc4fc017f3cf9aa854c7f265f6f368c878d275f84f005ae

    SHA512

    4edd402be771681ef3b207b722b6eb050952e740be5c1703fcade9865734263866969bc90bb436cb8811ce4f64c2c047e9a49380abafe59a417f1cb8cb06650f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DACDF24B1A6BE956942FD9410960C1E

    Filesize

    5B

    MD5

    5bfa51f3a417b98e7443eca90fc94703

    SHA1

    8c015d80b8a23f780bdd215dc842b0f5551f63bd

    SHA256

    bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

    SHA512

    4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

  Memory dumps of EXCEL.EXE (PID 3944); three distinct regions were captured repeatedly, listed here by dump index with the dump's Filesize:

  • memory/3944-0-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp (64KB)
  • memory/3944-1-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp (64KB)
  • memory/3944-2-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp (64KB)
  • memory/3944-3-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp (64KB)
  • memory/3944-4-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-5-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-6-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp (64KB)
  • memory/3944-7-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-8-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-9-0x00007FFB38CB0000-0x00007FFB38CC0000-memory.dmp (64KB)
  • memory/3944-10-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-11-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-12-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-13-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-14-0x00007FFB38CB0000-0x00007FFB38CC0000-memory.dmp (64KB)
  • memory/3944-15-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-16-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-17-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-18-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-19-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-20-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-21-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-57-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-73-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp (64KB)
  • memory/3944-74-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp (64KB)
  • memory/3944-75-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp (64KB)
  • memory/3944-76-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-77-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp (64KB)
  • memory/3944-78-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)
  • memory/3944-79-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp (2.0MB)