Analysis
max time kernel: 151s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/03/2024, 08:14
Behavioral task: behavioral1
Sample: a42817e38a7db2906d43037f3c7de8ce88222ae689013b6dc995336846d9e821.xlsm
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: a42817e38a7db2906d43037f3c7de8ce88222ae689013b6dc995336846d9e821.xlsm
Resource: win10v2004-20240226-en
General
Target: a42817e38a7db2906d43037f3c7de8ce88222ae689013b6dc995336846d9e821.xlsm
Size: 251KB
MD5: d0aacfad0c782b2ed3c8f17e7bca79ff
SHA1: 9ef2a5c792f3cd4ce0d7e8fe537f156a7adbee16
SHA256: a42817e38a7db2906d43037f3c7de8ce88222ae689013b6dc995336846d9e821
SHA512: d7d8bae1661927fed0171c16b2ca349adae32a6966113138b8e86b7112695fee0c4d3bb4521ce6a815d3c63d7188bf9e17397b75d2d6e63993ec0a00cb841f41
SSDEEP: 6144:B3EFtYtisaY9sPR01FTHe0zpWxAVp9LGSPfNoU0:B7rPWixjWxk//Pf/0
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description       | ioc                                                                                  | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description       | ioc                                                             | Process
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS              | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid  | Process
3456 | EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid  | Process
3456 | EXCEL.EXE
3456 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (12 IoCs)
pid  | Process
3456 | EXCEL.EXE (same entry repeated 12 times)

Suspicious use of WriteProcessMemory (2 IoCs)
description                      | pid  | Process   | procid_target
PID 3456 wrote to memory of 5080 | 3456 | EXCEL.EXE | 98
PID 3456 wrote to memory of 5080 | 3456 | EXCEL.EXE | 98
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a42817e38a7db2906d43037f3c7de8ce88222ae689013b6dc995336846d9e821.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3456
  Child process: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 5080

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
  PID: 4416