Analysis
max time kernel: 865s
max time network: 841s
platform: windows10-1703_x64
resource: win10-20240611-en
resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
submitted: 13-06-2024 07:23
Static task: static1
Behavioral task: behavioral1
  Sample: file1.xlsm
  Resource: win7-20240508-en
  6 signatures
  150 seconds
Behavioral task: behavioral2
  Sample: file1.xlsm
  Resource: win10-20240611-en
  6 signatures
  150 seconds
General
Target: file1.xlsm
Size: 38KB
MD5: ac9f06fe9df388eb7bb593f0ddf3a304
SHA1: 73bf01daa5a2c204bde31ca65b27cb4b71185c44
SHA256: 429503b9474908ff3f001a224d45fb3397fc60252b9c2025f2453df02bbef3da
SHA512: 9139a09839e8bb28c759e8b1371c2b112e9ad49c6141ce7f6d65b375d7dc829b389f304128584708808a79731d0371bc795ce90dc0a232a0fc77e7644db6bce3
SSDEEP: 768:Y1YEzJ7utTytMcCpp/txkw30Zpw5JZTVi73xmOAyfJdPi9/0YLv4B:Y1397upDcCpJtj0ZO5J/uvAyfJdaU
Score: 6/10
Malware Config
Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  13    raw.githubusercontent.com
  14    raw.githubusercontent.com
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                      Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                         EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                    EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString     EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                              Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  4500  EXCEL.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  4500  EXCEL.EXE
  4500  EXCEL.EXE
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid   Process
  4500  EXCEL.EXE
  4500  EXCEL.EXE
  4500  EXCEL.EXE
  4500  EXCEL.EXE
  4500  EXCEL.EXE
  4500  EXCEL.EXE
  4500  EXCEL.EXE
  4500  EXCEL.EXE
  4500  EXCEL.EXE
  4500  EXCEL.EXE
  4500  EXCEL.EXE
  4500  EXCEL.EXE
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\file1.xlsm"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4500