Analysis
  max time kernel: 60s
  max time network: 60s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26-06-2024 21:03
Behavioral task: behavioral1
  Sample: 4eb4479bc171cf863692960c79fa47e5af6d5015abb6f9fa6773a59c4081e726.xls
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 4eb4479bc171cf863692960c79fa47e5af6d5015abb6f9fa6773a59c4081e726.xls
  Resource: win10v2004-20240611-en
General
  Target: 4eb4479bc171cf863692960c79fa47e5af6d5015abb6f9fa6773a59c4081e726.xls
  Size: 714KB
  MD5: 257657cea05f52aa9aac824a09154ba6
  SHA1: cd0def0e4249832315869591c8ff3245da88b0fb
  SHA256: 4eb4479bc171cf863692960c79fa47e5af6d5015abb6f9fa6773a59c4081e726
  SHA512: 3e40c1763a42134d572b01130ac954b6518076e6c99bd0e48c91e761ce48fb71d11501945b72f0e3e8b14863bcebccffb89247391998d72136f7a3a4e4bbd5bf
  SSDEEP: 12288:qRsQpcLnXXzNoRKFfsIqdlV7czXZejbWAQzSY4VTZo3tq57UWGel94f:qRsWcDDiUFfBqd8zXM/ezS/VTZoU/
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2524 | 3952 | cmd.exe | EXCEL.EXE
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  1808 | mtw6lhlanajr.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  3952 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1808 | mtw6lhlanajr.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid | process
  3952 | EXCEL.EXE
  3952 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  pid | process
  3952 | EXCEL.EXE  (12 identical entries)
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description | pid | process | target process
  PID 3952 wrote to memory of 2524 | 3952 | EXCEL.EXE | cmd.exe
  PID 3952 wrote to memory of 2524 | 3952 | EXCEL.EXE | cmd.exe
  PID 2524 wrote to memory of 3428 | 2524 | cmd.exe | csc.exe
  PID 2524 wrote to memory of 3428 | 2524 | cmd.exe | csc.exe
  PID 2524 wrote to memory of 3428 | 2524 | cmd.exe | csc.exe
  PID 3428 wrote to memory of 1224 | 3428 | csc.exe | cvtres.exe
  PID 3428 wrote to memory of 1224 | 3428 | csc.exe | cvtres.exe
  PID 3428 wrote to memory of 1224 | 3428 | csc.exe | cvtres.exe
  PID 2524 wrote to memory of 1808 | 2524 | cmd.exe | mtw6lhlanajr.exe
  PID 2524 wrote to memory of 1808 | 2524 | cmd.exe | mtw6lhlanajr.exe
Processes
  C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 3952)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4eb4479bc171cf863692960c79fa47e5af6d5015abb6f9fa6773a59c4081e726.xls"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\cmd.exe  (PID 2524)
      Command line: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\mtw6lhlanajr.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\icoi6lau3irx.cs" & "C:\Users\Admin\AppData\Roaming\Microsoft\mtw6lhlanajr.exe"
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  (PID 3428)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\mtw6lhlanajr.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\icoi6lau3irx.cs"
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 1224)
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9F0.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\CSC745A0317A25B44C9A5295B1388E147AA.TMP"
      C:\Users\Admin\AppData\Roaming\Microsoft\mtw6lhlanajr.exe  (PID 1808)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\mtw6lhlanajr.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1608)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4156,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads