Analysis
max time kernel: 56s
max time network: 58s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 21:04
Behavioral task behavioral1
Sample: c72c3a367f9fae9b5968a85d366a92f69d4578249f5cc480af5697494f9ea4e7.xls
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: c72c3a367f9fae9b5968a85d366a92f69d4578249f5cc480af5697494f9ea4e7.xls
Resource: win10v2004-20240508-en
General
Target: c72c3a367f9fae9b5968a85d366a92f69d4578249f5cc480af5697494f9ea4e7.xls
Size: 715KB
MD5: a1d7ed30bb66850eaa404c96c9cc6402
SHA1: fe8757e954b7d144baee4c2a3cd14d9ccb517a9b
SHA256: c72c3a367f9fae9b5968a85d366a92f69d4578249f5cc480af5697494f9ea4e7
SHA512: 57c0ad29f4fc7419b30b29fbaef758005d29df166592859a33583af4bfe8af81b0063507e7136babcc4cb16513a1636775403d2b1faad5b58c6a3e01e9bbec6d
SSDEEP: 12288:QRsUpcHnXXzNkRKFfsAqdlVDczXZejbeAQjSY4VTZoLtq57kWjuNMfK:QRsSc3DGUFfpqdUzXM/GjS/VTZoIP
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4276 | 1724 | cmd.exe | EXCEL.EXE

Executes dropped EXE (1 IoC)
Processes:
pid | process
3560 | zvi7zvmktwd2.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
pid | process
1724 | EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3560 | zvi7zvmktwd2.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
pid | process
1724 | EXCEL.EXE (12 identical entries)

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description | pid | process | target process
PID 1724 wrote to memory of 4276 | 1724 | EXCEL.EXE | cmd.exe
PID 1724 wrote to memory of 4276 | 1724 | EXCEL.EXE | cmd.exe
PID 4276 wrote to memory of 4584 | 4276 | cmd.exe | csc.exe
PID 4276 wrote to memory of 4584 | 4276 | cmd.exe | csc.exe
PID 4276 wrote to memory of 4584 | 4276 | cmd.exe | csc.exe
PID 4584 wrote to memory of 4408 | 4584 | csc.exe | cvtres.exe
PID 4584 wrote to memory of 4408 | 4584 | csc.exe | cvtres.exe
PID 4584 wrote to memory of 4408 | 4584 | csc.exe | cvtres.exe
PID 4276 wrote to memory of 3560 | 4276 | cmd.exe | zvi7zvmktwd2.exe
PID 4276 wrote to memory of 3560 | 4276 | cmd.exe | zvi7zvmktwd2.exe
Processes
[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c72c3a367f9fae9b5968a85d366a92f69d4578249f5cc480af5697494f9ea4e7.xls"
    PID: 1724
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SYSTEM32\cmd.exe
        Command line: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\zvi7zvmktwd2.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\udajk0b395l9.cs" & "C:\Users\Admin\AppData\Roaming\Microsoft\zvi7zvmktwd2.exe"
        PID: 4276
        - Process spawned unexpected child process
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\zvi7zvmktwd2.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\udajk0b395l9.cs"
            PID: 4584
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BCC.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\CSC439EB693C3E04754AF3539864C2186B8.TMP"
                PID: 4408
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\zvi7zvmktwd2.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\zvi7zvmktwd2.exe"
            PID: 3560
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
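The process tree above is a compile-and-run chain: cmd.exe, launched from EXCEL.EXE, hands a dropped C# source file (udajk0b395l9.cs) to the .NET Framework's csc.exe with /target:winexe (a Windows-subsystem binary, so no console window appears), then executes the result from AppData\Roaming, which immediately requests SeDebugPrivilege; cvtres.exe is csc.exe's normal child for resource conversion, not a separate payload. The following is an added example for this report, not sandbox output and not code from the sample: a Python detection pass over process-creation events that flags each link of that chain (Office app spawning a shell, csc.exe writing an executable into a user-writable directory, and execution of the binary csc.exe just produced, with its ancestry). The event records are constructed from the process tree (same PIDs, images and command lines); the record layout is an assumption modelled on Sysmon Event ID 1, and PID 0 as Excel's parent is a placeholder because the report does not show it. The benign control (an MSBuild-driven compile into a source tree) is likewise constructed.

```python
"""Detection pass for the Office -> cmd.exe -> csc.exe -> new EXE chain.

Added example; not part of the sandbox report. Event records are constructed
from the report's process tree; the (pid, ppid, image, cmdline) layout is an
assumption modelled on Sysmon Event ID 1, and ppid 0 for EXCEL.EXE is a
placeholder.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}
# A compiler output under a user's AppData is the tell: build tooling writes
# next to its source tree, while a macro can only write where the user can.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
OUT_FLAG = re.compile(r'/out:"?([^"\s]+)"?', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Image basenames from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def compiled_outputs(events) -> set:
    """Lower-cased paths of every binary csc.exe was asked to emit."""
    outs = set()
    for e in events:
        if basename(e.image) == "csc.exe":
            m = OUT_FLAG.search(e.cmdline)
            if m:
                outs.add(m.group(1).lower())
    return outs


def analyze(events) -> list:
    """Return (rule, pid, detail) tuples for each event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    compiled = compiled_outputs(events)
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Rule 1: an Office application spawning a shell or script host
        if pname in OFFICE_APPS and name in SHELLS:
            findings.append(("office_spawns_shell", e.pid, f"{pname} -> {name}"))
        # Rule 2: csc.exe emitting an executable into a user-writable directory
        if name == "csc.exe":
            m = OUT_FLAG.search(e.cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(("csc_compiles_to_userdir", e.pid, m.group(1)))
        # Rule 3: a process whose image is a binary csc.exe produced in this tree
        if e.image.lower() in compiled:
            findings.append(("executes_freshly_compiled_exe", e.pid,
                             " > ".join(ancestry(by_pid, e.pid))))
    return findings


# Constructed from the report's process tree (ppid 0 for Excel is a placeholder).
REPORT_EVENTS = [
    ProcEvent(1724, 0, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\c72c3a367f9fae9b5968a85d366a92f69d4578249f5cc480af5697494f9ea4e7.xls"'),
    ProcEvent(4276, 1724, r"C:\Windows\SYSTEM32\cmd.exe",
              r'cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe '
              r'/out:"C:\Users\Admin\AppData\Roaming\Microsoft\zvi7zvmktwd2.exe" '
              r'"C:\Users\Admin\AppData\Roaming\Microsoft\udajk0b395l9.cs" & '
              r'"C:\Users\Admin\AppData\Roaming\Microsoft\zvi7zvmktwd2.exe"'),
    ProcEvent(4584, 4276, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe '
              r'/out:"C:\Users\Admin\AppData\Roaming\Microsoft\zvi7zvmktwd2.exe" '
              r'"C:\Users\Admin\AppData\Roaming\Microsoft\udajk0b395l9.cs"'),
    ProcEvent(4408, 4584, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY '
              r'/MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BCC.tmp" '
              r'"c:\Users\Admin\AppData\Roaming\Microsoft\CSC439EB693C3E04754AF3539864C2186B8.TMP"'),
    ProcEvent(3560, 4276, r"C:\Users\Admin\AppData\Roaming\Microsoft\zvi7zvmktwd2.exe",
              r'"C:\Users\Admin\AppData\Roaming\Microsoft\zvi7zvmktwd2.exe"'),
]

# Constructed benign control: a build tool compiling into its own source tree.
BENIGN_EVENTS = [
    ProcEvent(100, 0, r"C:\Program Files\dotnet\MSBuild.exe", "msbuild app.csproj"),
    ProcEvent(101, 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'csc.exe /target:exe /out:"C:\src\app\bin\app.exe" "C:\src\app\Program.cs"'),
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(REPORT_EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Run against the report's tree this yields three findings (cmd.exe 4276 spawned by excel.exe, csc.exe 4584 writing to AppData\Roaming, and 3560 executing that output with ancestry excel.exe > cmd.exe > zvi7zvmktwd2.exe) and none for the benign build. Rule 3 keys on the exact /out: path rather than on csc.exe alone, which is what keeps developer workstations from flooding the alert queue; pair it with the Office-parent rule when the compiled binary is later copied elsewhere before execution.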
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 7f8a33b52fe301ef6324285615dfa566
SHA1: 1c8f92f240da38fb85c3127d93fdb66c424d33a8
SHA256: dae3c2ddfac4e34aa02adc2fd5e7ca61d858bc6ed80ae3546cb0bc684c8e5d61
SHA512: daae8508f2ca813911811bf92cc8040b3da4f9bc79aba55bf7ed965cddd38c04bcb970d6d0b118eb73aa329f3c85d6ca050563b8564113402c7e310a6e9adfd9

Filesize: 6KB
MD5: 9323346641539c8588878271387c6873
SHA1: 0b893116148f1a8f6eff724248539c0ecfcde2ff
SHA256: 923e9260ea58bb32b2729d698612d63c7f9f4e1188d8683ee3bc27d6e7113205
SHA512: f5ea2646939f1948e49cd3bd385c66cdc51482ca88ff7ba6406c2ddd6013bd69793eeb6b656a68fe1029fb605a912932622852f4a127fb67fe433384cd49319f

Filesize: 1KB
MD5: 6826c6efbd872f20e7874bbd5dcf9fab
SHA1: 90bdd59c81f888ecb71f9a55523b0da5d392a1a5
SHA256: ee134976dc074047c509a602e88019d8bcb3b9da4e3911f6413ce69a29cfbf7b
SHA512: 3bb6a6a8c77b61532716910c6ca9309becc9774413616da624dac658bd471c4d6bd12b914fcabd57a239995629a53f57e1a8d1fbc302f4e935d449e8457d0678

Filesize: 2KB
MD5: 3d6a86624aed949ac6b72ecfac76ff6d
SHA1: bdbb6a1619b57c5ee0e8577fc25b74ff29c74e94
SHA256: b00fdf715ad530babc4a92749ff05cdeee1eb81069f28fbe4ae27933d74533e0
SHA512: b2fc0f8218bd9c8c534adf7c8716bb60f3de94a3e73c9e77515fa927c681d1b7c1fdc1b83a92f5ee5ef75d9a3279cc2db1a3b118332b346148a239555b14a1ae