Analysis
-
max time kernel: 60s
max time network: 61s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 22:08
Behavioral task: behavioral1
Sample: ed609af5b983f9f09ae4e148d2e118da993bdc378483c26f36aabcdd2b9938bd.xls
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: ed609af5b983f9f09ae4e148d2e118da993bdc378483c26f36aabcdd2b9938bd.xls
Resource: win10v2004-20240611-en
General
-
Target: ed609af5b983f9f09ae4e148d2e118da993bdc378483c26f36aabcdd2b9938bd.xls
Size: 715KB
MD5: 25222a9cd85a1d7f0916f4464b1e9980
SHA1: c9d7c303bdf62d738cc047b45d1cbcdda11369f5
SHA256: ed609af5b983f9f09ae4e148d2e118da993bdc378483c26f36aabcdd2b9938bd
SHA512: 5cc9383762f6b934d6df972e7a7f8b8c5c2c0249307cfccc5fe382efb7e64306eef3f0c1eb34c0b82e9e27d2832ad2a3b3b25cf174d6433f88ddfaae9a7a04dd
SSDEEP: 12288:jRsUpcHnXXzNkRKFfsAqdlVDczXZejbeAQjSY4VTZoLtq57kWjuNMfK:jRsSc3DGUFfpqdUzXM/GjS/VTZoIP
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1152 | 968 | cmd.exe | EXCEL.EXE
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
512 | fkcyvpiqygoi.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
968 | EXCEL.EXE
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 512 | fkcyvpiqygoi.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
968 | EXCEL.EXE (2 occurrences)
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid | process
968 | EXCEL.EXE (12 occurrences)
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description | pid | process | target process
PID 968 wrote to memory of 1152 | 968 | EXCEL.EXE | cmd.exe (2 occurrences)
PID 1152 wrote to memory of 2484 | 1152 | cmd.exe | csc.exe (3 occurrences)
PID 2484 wrote to memory of 1852 | 2484 | csc.exe | cvtres.exe (3 occurrences)
PID 1152 wrote to memory of 512 | 1152 | cmd.exe | fkcyvpiqygoi.exe (2 occurrences)
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ed609af5b983f9f09ae4e148d2e118da993bdc378483c26f36aabcdd2b9938bd.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 968
  C:\Windows\SYSTEM32\cmd.exe (depth 2)
    Command line: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\fkcyvpiqygoi.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\r9sobdat8tpl.cs" & "C:\Users\Admin\AppData\Roaming\Microsoft\fkcyvpiqygoi.exe"
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    PID: 1152
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\fkcyvpiqygoi.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\r9sobdat8tpl.cs"
      - Suspicious use of WriteProcessMemory
      PID: 2484
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 4)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES474A.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\CSC744F2574B650475D9EC84BD8E77D974D.TMP"
        PID: 1852
    C:\Users\Admin\AppData\Roaming\Microsoft\fkcyvpiqygoi.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\fkcyvpiqygoi.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 512
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: 310d11a208469eca1c654fc3255b077c
SHA1: 6e6f54faa296b0faec2e6b05b607e273abcd2639
SHA256: c910c2e1df1293b0080afac83b6b87924664b53dbfe640a7ecde367aead9ff2c
SHA512: ce1404076a52a631a97017a802dd7c05178feea58ed5a9c39ffba871ec5baaef0494eb627bac822fc93aa14e8b999a0e814bef97e3784708fe0c4e788ef175b1
-
Filesize: 6KB
MD5: 076e869d885e74f5cbbc684994df4c7e
SHA1: c5fafe3f168d58296cc2c0e9f721a4264ffd9831
SHA256: ec57c5b2251a4c0638b150c4612bd37fc023d18b69e9bde53fbb33a97fe0d11e
SHA512: 33df288b60ffe89862efa38564160c086cb4e3d6d256d5f528c235ff2cd8102749e9c27a62faa40f377279e17c435d308fbd55b3da2de3fdc23b54ef50bf16f4
-
Filesize: 1KB
MD5: 43b53f8238a12d06956c2bdafc519368
SHA1: ffcba6444cb9e74b6d446b069515f1b5b78ae2e6
SHA256: 18e80d8515e5261a79ea5946f9cfd0eacca8b8487a4a7a2168157e389a4a1676
SHA512: 67ba6b46b27e5c61180860e880dd6e65dc47c52ef9854d5958da92eace16fd34f35ee64e0845d077189fd9fe3f525d523d1bc6ff7a2a6915e63a61486fc1982c
-
Filesize: 2KB
MD5: 3d6a86624aed949ac6b72ecfac76ff6d
SHA1: bdbb6a1619b57c5ee0e8577fc25b74ff29c74e94
SHA256: b00fdf715ad530babc4a92749ff05cdeee1eb81069f28fbe4ae27933d74533e0
SHA512: b2fc0f8218bd9c8c534adf7c8716bb60f3de94a3e73c9e77515fa927c681d1b7c1fdc1b83a92f5ee5ef75d9a3279cc2db1a3b118332b346148a239555b14a1ae