Analysis
-
max time kernel: 58s
max time network: 65s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 21:10
Behavioral task behavioral1
Sample: f036e1ccae9f4a1f50f3d75cead709e3a817f99c39adabc7573a2143f64e7858.xls
Resource: win7-20240611-en
Behavioral task behavioral2
Sample: f036e1ccae9f4a1f50f3d75cead709e3a817f99c39adabc7573a2143f64e7858.xls
Resource: win10v2004-20240226-en
(The platform and resource fields above identify the results on this page as those of behavioral2, the Windows 10 2004 x64 run.)
General
-
Target: f036e1ccae9f4a1f50f3d75cead709e3a817f99c39adabc7573a2143f64e7858.xls
Size: 715KB
MD5: e3cf707b9c567f6d5ff98d7eaa16ff6d
SHA1: ec7c59cc1157cbffc1c5b19475f5f93d2982e2d0
SHA256: f036e1ccae9f4a1f50f3d75cead709e3a817f99c39adabc7573a2143f64e7858
SHA512: 06c0e9ea87cb09b0e10392d6beeed74c9d58d23a192268f1efee4868526cdf4ce376ed6a67da210a7dd7e1bd442f6a41679d691b957d13f8d5dde9c1442a189f
SSDEEP: 12288:iRsUpcHnXXzNkRKFfsAqdlVDczXZejbeAQjSY4VTZoLtq57kWjuNMfK:iRsSc3DGUFfpqdUzXM/GjS/VTZoIP
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the child's command line (see Processes below) compiles a dropped C# source file, C:\Users\Admin\AppData\Roaming\Microsoft\c64al7yembd6.cs, with the .NET Framework compiler csc.exe into C:\Users\Admin\AppData\Roaming\Microsoft\gocy02av625z.exe and then executes it, so the payload reaches disk as source text and is only turned into a PE on the victim host.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 416 | 4888 | cmd.exe | EXCEL.EXE
Executes dropped EXE 1 IoCs
Processes:
pid | process
2440 | gocy02av625z.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Note that all three reads below are attributed to EXCEL.EXE (PID 4888), the document host, and not to the dropped executable (PID 2440), for which no registry IoCs are recorded; Office reads these keys when opening benign documents too, so on its own this signature is weak evidence of evasion.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
4888 | EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
4888 | EXCEL.EXE
4888 | EXCEL.EXE
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid | process
4888 | EXCEL.EXE (12 events)
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description | pid | process | target process
PID 4888 wrote to memory of 416 | 4888 | EXCEL.EXE | cmd.exe
PID 4888 wrote to memory of 416 | 4888 | EXCEL.EXE | cmd.exe
PID 416 wrote to memory of 3744 | 416 | cmd.exe | csc.exe
PID 416 wrote to memory of 3744 | 416 | cmd.exe | csc.exe
PID 416 wrote to memory of 3744 | 416 | cmd.exe | csc.exe
PID 3744 wrote to memory of 1108 | 3744 | csc.exe | cvtres.exe
PID 3744 wrote to memory of 1108 | 3744 | csc.exe | cvtres.exe
PID 3744 wrote to memory of 1108 | 3744 | csc.exe | cvtres.exe
PID 416 wrote to memory of 2440 | 416 | cmd.exe | gocy02av625z.exe
PID 416 wrote to memory of 2440 | 416 | cmd.exe | gocy02av625z.exe
Processes
-
[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f036e1ccae9f4a1f50f3d75cead709e3a817f99c39adabc7573a2143f64e7858.xls"
    PID: 4888
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\gocy02av625z.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\c64al7yembd6.cs" & "C:\Users\Admin\AppData\Roaming\Microsoft\gocy02av625z.exe"
      PID: 416
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Roaming\Microsoft\gocy02av625z.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\c64al7yembd6.cs"
        PID: 3744
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD462.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\CSCDEB8B8A2BD4F41AB9EE0D1A577A5ADAE.TMP"
          PID: 1108
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\gocy02av625z.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\gocy02av625z.exe"
        PID: 2440
        - Executes dropped EXE
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
    PID: 5040
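The process tree above is the whole story of this sample: Office spawns a shell, the shell runs csc.exe with an /out: target under the user's AppData, and the freshly compiled binary is executed. The following is an added example (not part of the sandbox report or its vendor's tooling) of triage logic that detects that chain from process-creation events. The event layout (pid, ppid, image, cmdline, in creation order) is an assumed Sysmon-Event-ID-1-like shape, not a real log format; SAMPLE_EVENTS is constructed from the PIDs, image paths and command lines in the tree above, and BENIGN_EVENTS is invented to show a developer build that should not fire. The list of user-writable locations is a heuristic, not an authoritative ACL check.

```python
"""Triage logic for the compile-and-run chain recorded on this page:
EXCEL.EXE -> cmd.exe -> csc.exe (/out: under AppData) -> compiled EXE run.

Event shape (pid, ppid, image, cmdline, creation order) is an assumed
Sysmon-ID-1-like layout, not a real log format. SAMPLE_EVENTS is built
from the process tree in the report; BENIGN_EVENTS is invented.
"""
import re
from pathlib import PureWindowsPath

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# csc.exe /out:"<path>" or /out:<path>; group 1 is the compiled binary
CSC_OUT_RE = re.compile(r'/out:"?([^"\s]+)"?', re.IGNORECASE)
# Heuristic markers for locations a standard user can write to
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")


def image_name(path: str) -> str:
    return PureWindowsPath(path).name


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def ancestry(events, pid):
    """Image names from the given process up to the root of its tree."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def analyze(events):
    """Return (rule, pid, detail) tuples. Events must be in creation order so
    a csc.exe run is seen before its output binary is executed."""
    by_pid = {e["pid"]: e for e in events}
    compiled = {}  # lower-cased csc /out: target -> pid of the csc.exe run
    findings = []
    for e in events:
        name = image_name(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        pname = image_name(parent["image"]).lower() if parent else None
        # Rule 1: an Office host should not spawn a shell or script host
        if pname in OFFICE_HOSTS and name in SHELLS:
            findings.append(("office_spawns_shell", e["pid"], f"{pname} -> {name}"))
        # Rule 2: csc.exe writing its output into a user-writable location
        if name == "csc.exe":
            m = CSC_OUT_RE.search(e["cmdline"])
            if m and is_user_writable(m.group(1)):
                compiled[m.group(1).lower()] = e["pid"]
                findings.append(("csc_output_user_writable", e["pid"], m.group(1)))
        # Rule 3: the binary csc.exe just produced is now running
        if e["image"].lower() in compiled:
            findings.append(("compiled_binary_executed", e["pid"], e["image"]))
    return findings


APPDATA = r"C:\Users\Admin\AppData\Roaming\Microsoft"
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
# Constructed from the report's process tree (ppid 0 = parent not recorded)
SAMPLE_EVENTS = [
    {"pid": 4888, "ppid": 0, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\Admin\AppData\Local\Temp\f036e1ccae9f4a1f50f3d75cead709e3a817f99c39adabc7573a2143f64e7858.xls"'},
    {"pid": 416, "ppid": 4888, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": f'cmd /c {CSC} /target:winexe /out:"{APPDATA}\\gocy02av625z.exe" '
                f'"{APPDATA}\\c64al7yembd6.cs" & "{APPDATA}\\gocy02av625z.exe"'},
    {"pid": 3744, "ppid": 416, "image": CSC,
     "cmdline": f'{CSC} /target:winexe /out:"{APPDATA}\\gocy02av625z.exe" "{APPDATA}\\c64al7yembd6.cs"'},
    {"pid": 1108, "ppid": 3744, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RESD462.tmp" '
                r'"c:\Users\Admin\AppData\Roaming\Microsoft\CSCDEB8B8A2BD4F41AB9EE0D1A577A5ADAE.TMP"'},
    {"pid": 2440, "ppid": 416, "image": APPDATA + r"\gocy02av625z.exe",
     "cmdline": f'"{APPDATA}\\gocy02av625z.exe"'},
    {"pid": 5040, "ppid": 0, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'},
]
# Invented developer build: explorer -> cmd -> csc writing outside user dirs
BENIGN_EVENTS = [
    {"pid": 100, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\SYSTEM32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 102, "ppid": 101, "image": CSC, "cmdline": f'{CSC} /out:"C:\\build\\app.exe" "C:\\src\\app.cs"'},
    {"pid": 103, "ppid": 101, "image": r"C:\build\app.exe", "cmdline": r"C:\build\app.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
    print("ancestry of 2440:", " <- ".join(ancestry(SAMPLE_EVENTS, 2440)))
```

Rule 3 is the one that separates this sample from ordinary developer activity: it fires only when a binary that csc.exe wrote into a user-writable path is executed afterwards, which is why the compile step must be processed before the execution event.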
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: 2331068d32223e4d450713705226ac5a
SHA1: a80f7df3715e1ee8bbd4d17d15108bdf6501f561
SHA256: e459d96c53b5da03f032c586ecca8f50f7a3aa8c30d578e563bdb190f093f5b5
SHA512: 50b73ce045de71ca4471e40e62158b29174f0be39ad654ec468e2a1d2a5567c936a0d95a5469c560a0dddbdb3bfcdcdadd49cb886225a6d0de5f30008783d2d4
-
Filesize: 6KB
MD5: e31c65e3fbfd29194d1e82ddac0a9616
SHA1: 47de0704fc51e5b0881c783b68149acb89803e4b
SHA256: cc08489670687e99f577c56cf9c83aa99fd07d99d45a0822ec6700869fd5ebf0
SHA512: f66d73e42d4182075fcb2b859b62b31c9c513fe967087286df94d20ac4863f7599a556f6234ccdb4a808400b4646103f79d6c27eabd0bf80af00bf69a57066c0
-
Filesize: 1KB
MD5: abd2700e2647c14c1cc19afbdd37f8c7
SHA1: ecdc1cbfedaabeec9f4d8dc0cf8e9c207ac0046b
SHA256: 030e240ce92ca9806d89677adc2a2c4fc8dbe4e7ac35ede3a56ae20120c6c87b
SHA512: 5d9389d1aa2055cdca9909a5b1dbfff91695c393c230b907bbb71bba2b54dfd5b2bfdcd2986fd7596bdc004739653e598db050f931cfb91f8ed844f07bbdb5e2
-
Filesize: 2KB
MD5: 3d6a86624aed949ac6b72ecfac76ff6d
SHA1: bdbb6a1619b57c5ee0e8577fc25b74ff29c74e94
SHA256: b00fdf715ad530babc4a92749ff05cdeee1eb81069f28fbe4ae27933d74533e0
SHA512: b2fc0f8218bd9c8c534adf7c8716bb60f3de94a3e73c9e77515fa927c681d1b7c1fdc1b83a92f5ee5ef75d9a3279cc2db1a3b118332b346148a239555b14a1ae