Analysis
max time kernel: 37s
max time network: 34s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 02:22
Behavioral task
behavioral1
Sample
af9e9b5792c58a4fb8c70da658a6a012d560426e29c4b183acaacc8db684166b.xlsm
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
af9e9b5792c58a4fb8c70da658a6a012d560426e29c4b183acaacc8db684166b.xlsm
Resource
win10v2004-20240508-en
General
Target: af9e9b5792c58a4fb8c70da658a6a012d560426e29c4b183acaacc8db684166b.xlsm
Size: 91KB
MD5: 8b86d36447dfb35cdb255ca5c7bb9e8f
SHA1: c8a9b0ec929818ab9292570842bb4e586f695279
SHA256: af9e9b5792c58a4fb8c70da658a6a012d560426e29c4b183acaacc8db684166b
SHA512: 4d0e243f31989f7ff2a77d9a17dac91a3a59f8662209ae036f18dbb96465820adf83d28fe6c1ab3f1a6af9f76dd10b8b2a78fc9faa66bf836225cd91499c55ac
SSDEEP: 1536:CguZCa6S5khUIdWNlLmJ4znOSjhLM+vGa/M1NIpPkUlB7583fjncFYII5mFE:CgugapkhldWmJaPjpM+d/Ms8ULavLcq
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
2932 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2932 | EXCEL.EXE
2932 | EXCEL.EXE
2932 | EXCEL.EXE
2932 | EXCEL.EXE
2932 | EXCEL.EXE
2932 | EXCEL.EXE
2932 | EXCEL.EXE
2932 | EXCEL.EXE
2932 | EXCEL.EXE
2932 | EXCEL.EXE
2932 | EXCEL.EXE
2932 | EXCEL.EXE
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\af9e9b5792c58a4fb8c70da658a6a012d560426e29c4b183acaacc8db684166b.xlsm"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2932