Analysis
max time kernel: 143s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2024 10:30
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation.xls
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: Quotation.xls
  Resource: win10v2004-20240709-en
General
Target: Quotation.xls
Size: 1.0MB
MD5: 7a9a6e2a484c942e9247513bf8420f13
SHA1: 9a0399a2c75537687cdcaa939adb4a871b56f26e
SHA256: c0484101a8ad9d96190d39f100d6a6ed337873df68eb587c74a91b5cdd19cdd5
SHA512: a48ad2da1dddb561a8a64414a8576e03180dccc65cedb94e4733c1d7dba3f8881230d6ec7bb10fe495e13e5fc7449585f52921f9d05d3d1f41361e0b99ec3d2c
SSDEEP: 24576:QCvOsc3umX8S4lMiK4uwQP6DdRgLd5+HKtGboP:QCG2xRISDdRgLQu
Malware Config
Signatures
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3688 | 1628 | mshta.exe | 83
Detected phishing page
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1628 | EXCEL.EXE
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
1628 | EXCEL.EXE (12 identical entries)
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 1628 wrote to memory of 3688 | 1628 | EXCEL.EXE | 88
PID 1628 wrote to memory of 3688 | 1628 | EXCEL.EXE | 88
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Quotation.xls"
   PID: 1628
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\mshta.exe (child of PID 1628)
      Command line: C:\Windows\System32\mshta.exe -Embedding
      PID: 3688
      - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 1KB
MD5: 0e7ee9deb29b355cd65ec941d250191e
SHA1: e9e0abd1e852a87b62599092ec99ff20e3baf211
SHA256: af21a14f64edb0dd0499a6b7e7c031d039f61438c78d742479d33f94e040fa81
SHA512: 9d0fa54e29a5c5db95cd21893420b6923618c949cf7dc6d4547ec718993dc70c84c8209c46dc14b2f55eceb81d8070b92db8229f277d16b457f3d078f91ad187