Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2024 09:07

Static task: static1
Behavioral task: behavioral1 (Sample: Quotation.xls, Resource: win7-20240704-en)
Behavioral task: behavioral2 (Sample: Quotation.xls, Resource: win10v2004-20240709-en)
General
Target: Quotation.xls
Size: 1.0MB
MD5: 7a9a6e2a484c942e9247513bf8420f13
SHA1: 9a0399a2c75537687cdcaa939adb4a871b56f26e
SHA256: c0484101a8ad9d96190d39f100d6a6ed337873df68eb587c74a91b5cdd19cdd5
SHA512: a48ad2da1dddb561a8a64414a8576e03180dccc65cedb94e4733c1d7dba3f8881230d6ec7bb10fe495e13e5fc7449585f52921f9d05d3d1f41361e0b99ec3d2c
SSDEEP: 24576:QCvOsc3umX8S4lMiK4uwQP6DdRgLd5+HKtGboP:QCG2xRISDdRgLQu
Malware Config
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 408 | 1628 | mshta.exe | 83

Detected phishing page
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
1628 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
1628 | EXCEL.EXE (12 identical entries)
Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 1628 wrote to memory of 408 | 1628 | EXCEL.EXE | 90
PID 1628 wrote to memory of 408 | 1628 | EXCEL.EXE | 90
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1628, level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Quotation.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\mshta.exe (PID 408, level 2)
    Command line: C:\Windows\System32\mshta.exe -Embedding
    - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 1KB
MD5: 20027ba84ae3f3642a88a2f6010f2f35
SHA1: 3be4122787603891ca3baf5d2a8624ca8c5d9327
SHA256: baecfa0a690faa5ef8d323dbbde6974b69c02abc09819496040754d5071af9c8
SHA512: 062b863625702d69cf4dddd8000ec3b6cd37a433de2ab37f7bb01a7f2b04e8b0004ca629df801f3737240ae649674d41d6af3c9fc2bed88a05f001151930c5d0