Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21-07-2024 02:08
Static task: static1
Behavioral task behavioral1: sample 44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795.xlsx, resource win7-20240704-en
Behavioral task behavioral2: sample 44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795.xlsx, resource win10v2004-20240709-en
Behavioral task behavioral3: sample decrypted.xlsx, resource win7-20240705-en
Behavioral task behavioral4: sample decrypted.xlsx, resource win10v2004-20240709-en
General
Target: 44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795.xlsx
Size: 2.1MB
MD5: c9ad9506bcccfaa987ff9fc11b91698d
SHA1: e788183a2a021f74a21f609e514bb63c4ef2fe49
SHA256: 44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795
SHA512: 509c7c387810399b4a35371b1ae77733184299ee631f13b70e1582a9bed32c8eebaea79beb8ce7bf07ac8d3fcd7d09fd460a461266e073d6d2e6acc5e3bc68b2
SSDEEP: 49152:hEK5fuBxYw1iHM+eP4yFIIFd52Mp21N5xb/CVBqCwj7IjLQc1U4l:SK5f6xYSl+VMy8G5ZC6CCIQc1/l
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
  Processes: flow 4, pid 2876, EQNEDT32.EXE
Drops file in Program Files directory (1 IoC)
  Processes: taskmgr.exe; File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes: EXCEL.EXE; Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: pid 2924 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 3024 taskmgr.exe (all 64 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 3024 taskmgr.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: pid 3024 taskmgr.exe; Token: SeDebugPrivilege, Token: SeSecurityPrivilege, Token: SeTakeOwnershipPrivilege
Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: pid 2924 EXCEL.EXE (2 entries), pid 3024 taskmgr.exe (remaining entries)
Suspicious use of SendNotifyMessage (64 IoCs)
  Processes: pid 3024 taskmgr.exe (all 64 entries)
Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: pid 2924 EXCEL.EXE (all 7 entries)
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795.xlsx
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Launches Equation Editor
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
memory/2876-4-0x0000000002FD0000-0x0000000002FD1000-memory.dmp (4KB)
memory/2924-0-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/2924-1-0x00000000724ED000-0x00000000724F8000-memory.dmp (44KB)
memory/2924-5-0x00000000724ED000-0x00000000724F8000-memory.dmp (44KB)
memory/3024-6-0x0000000140000000-0x00000001405E8000-memory.dmp (5.9MB)
memory/3024-7-0x0000000140000000-0x00000001405E8000-memory.dmp (5.9MB)
memory/3024-8-0x0000000140000000-0x00000001405E8000-memory.dmp (5.9MB)