Analysis
-
max time kernel
47s -
max time network
35s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
31-05-2024 02:17
Behavioral task
behavioral1
Sample
fbb04533ccfc98e4772691ba209f9e095d6c7b6cc845ee0f670fb07b4edb4d28.xlsm
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
fbb04533ccfc98e4772691ba209f9e095d6c7b6cc845ee0f670fb07b4edb4d28.xlsm
Resource
win10v2004-20240508-en
General
-
Target
fbb04533ccfc98e4772691ba209f9e095d6c7b6cc845ee0f670fb07b4edb4d28.xlsm
-
Size
92KB
-
MD5
6a9f3e19e85111e55438878effe2dbbe
-
SHA1
d883600b3c171221eadf560532517f2b890e4519
-
SHA256
fbb04533ccfc98e4772691ba209f9e095d6c7b6cc845ee0f670fb07b4edb4d28
-
SHA512
e978eb22f488b75912ba8ca7de420445d952639462c9a33ced694ef8c4abbba030a695e5d4e00ef4d4ba45d837bbc38de072908117edb28c5f3bf7cf34922acb
-
SSDEEP
1536:CguZCa6S5khUI2rjqnVY14znOSjhLM+vGa/M1NIpPkUlB7583fjncFYIIlFy:CgugapkhlUj6Y1aPjpM+d/Ms8ULavLcd
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3496 | EXCEL.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3496 | EXCEL.EXE
3496 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
3496 | EXCEL.EXE
3496 | EXCEL.EXE
3496 | EXCEL.EXE
3496 | EXCEL.EXE
3496 | EXCEL.EXE
3496 | EXCEL.EXE
3496 | EXCEL.EXE
3496 | EXCEL.EXE
3496 | EXCEL.EXE
3496 | EXCEL.EXE
3496 | EXCEL.EXE
3496 | EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\fbb04533ccfc98e4772691ba209f9e095d6c7b6cc845ee0f670fb07b4edb4d28.xlsm"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3496