2646e0b7f4010fc3f87c6f6823a50b8b3f3177e1c18510cac83768c8a3783ac2

Analysis

max time kernel
130s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1a517cccb0156d9effac26d7a063524.xlsb
Size

137KB
MD5

e1a517cccb0156d9effac26d7a063524
SHA1

81043b6907ee9579d4388fdb9bf9feca65b40f11
SHA256

2646e0b7f4010fc3f87c6f6823a50b8b3f3177e1c18510cac83768c8a3783ac2
SHA512

04b7b1763e846cbe6c2e42b91cbdd3e681ab103cc05f74038e8cf4dad9a5a9323283ef20e8a67acaf16f1357052f645472a61989fd434ee553187f536b682c6b
SSDEEP

3072:oU1cNMFiqNQctE7/GBrCCni63LD6z2qoaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah:oi+cbQc6/GBGCi67Moaaaaaaaaaaaaaf

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4020	832	wmic.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4840	mshta.exe	94

Blocklisted process makes network request 2 IoCs

flow	pid	Process
32	1936	mshta.exe
49	1936	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
832	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4020	wmic.exe
Token: SeSecurityPrivilege	4020	wmic.exe
Token: SeTakeOwnershipPrivilege	4020	wmic.exe
Token: SeLoadDriverPrivilege	4020	wmic.exe
Token: SeSystemProfilePrivilege	4020	wmic.exe
Token: SeSystemtimePrivilege	4020	wmic.exe
Token: SeProfSingleProcessPrivilege	4020	wmic.exe
Token: SeIncBasePriorityPrivilege	4020	wmic.exe
Token: SeCreatePagefilePrivilege	4020	wmic.exe
Token: SeBackupPrivilege	4020	wmic.exe
Token: SeRestorePrivilege	4020	wmic.exe
Token: SeShutdownPrivilege	4020	wmic.exe
Token: SeDebugPrivilege	4020	wmic.exe
Token: SeSystemEnvironmentPrivilege	4020	wmic.exe
Token: SeRemoteShutdownPrivilege	4020	wmic.exe
Token: SeUndockPrivilege	4020	wmic.exe
Token: SeManageVolumePrivilege	4020	wmic.exe
Token: 33	4020	wmic.exe
Token: 34	4020	wmic.exe
Token: 35	4020	wmic.exe
Token: 36	4020	wmic.exe
Token: SeIncreaseQuotaPrivilege	4020	wmic.exe
Token: SeSecurityPrivilege	4020	wmic.exe
Token: SeTakeOwnershipPrivilege	4020	wmic.exe
Token: SeLoadDriverPrivilege	4020	wmic.exe
Token: SeSystemProfilePrivilege	4020	wmic.exe
Token: SeSystemtimePrivilege	4020	wmic.exe
Token: SeProfSingleProcessPrivilege	4020	wmic.exe
Token: SeIncBasePriorityPrivilege	4020	wmic.exe
Token: SeCreatePagefilePrivilege	4020	wmic.exe
Token: SeBackupPrivilege	4020	wmic.exe
Token: SeRestorePrivilege	4020	wmic.exe
Token: SeShutdownPrivilege	4020	wmic.exe
Token: SeDebugPrivilege	4020	wmic.exe
Token: SeSystemEnvironmentPrivilege	4020	wmic.exe
Token: SeRemoteShutdownPrivilege	4020	wmic.exe
Token: SeUndockPrivilege	4020	wmic.exe
Token: SeManageVolumePrivilege	4020	wmic.exe
Token: 33	4020	wmic.exe
Token: 34	4020	wmic.exe
Token: 35	4020	wmic.exe
Token: 36	4020	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
832	EXCEL.EXE
832	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE
832	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 4020	832	EXCEL.EXE	98
PID 832 wrote to memory of 4020	832	EXCEL.EXE	98

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e1a517cccb0156d9effac26d7a063524.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\System32\Wbem\wmic.exe
  wmic process call create 'mshta C:\ProgramData\FucTRclOMGTl.sct'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
  PID:4020

C:\Windows\system32\mshta.exe
mshta C:\ProgramData\FucTRclOMGTl.sct
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3244 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FucTRclOMGTl.sct

Filesize
15KB

MD5
55f8611eb449b1740b23c7e6639cc25a

SHA1
335be277cbf58549d48a892e4b32231e06c741c4

SHA256
f404003eb42091563b0573d1782a4e82fe6bd85cf726947d935c8932d70b9aed

SHA512
d509bbf642031320390978ca7f552c88001d211b4b98b1c413960f75d68e8403defd463d17dc7ec7f4c17ebcfbe08cf313132d705e0d25a0a69d3d4b5bb6f107

Download Submit
memory/832-3-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-17-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-4-0x00007FFEE5050000-0x00007FFEE5060000-memory.dmp

Filesize
64KB

Download
memory/832-5-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-7-0x00007FFEE5050000-0x00007FFEE5060000-memory.dmp

Filesize
64KB

Download
memory/832-6-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-8-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-10-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-11-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-12-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-13-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-14-0x00007FFEE2F50000-0x00007FFEE2F60000-memory.dmp

Filesize
64KB

Download
memory/832-9-0x00007FFEE5050000-0x00007FFEE5060000-memory.dmp

Filesize
64KB

Download
memory/832-15-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-2-0x00007FFEE5050000-0x00007FFEE5060000-memory.dmp

Filesize
64KB

Download
memory/832-16-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-20-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-19-0x00007FFEE2F50000-0x00007FFEE2F60000-memory.dmp

Filesize
64KB

Download
memory/832-0-0x00007FFEE5050000-0x00007FFEE5060000-memory.dmp

Filesize
64KB

Download
memory/832-18-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-1-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-38-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-41-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-42-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-58-0x00007FFEE5050000-0x00007FFEE5060000-memory.dmp

Filesize
64KB

Download
memory/832-59-0x00007FFEE5050000-0x00007FFEE5060000-memory.dmp

Filesize
64KB

Download
memory/832-61-0x00007FFEE5050000-0x00007FFEE5060000-memory.dmp

Filesize
64KB

Download
memory/832-62-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-60-0x00007FFEE5050000-0x00007FFEE5060000-memory.dmp

Filesize
64KB

Download
memory/832-63-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download
memory/832-64-0x00007FFF24FD0000-0x00007FFF251C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads