Analysis
- max time kernel: 149s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-07-2024 19:29
Behavioral task: behavioral1
- Sample: a908acf29dde8279b28c8b1b15892cf602a90a0d387b904176d63d7eac0203b9.xls
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: a908acf29dde8279b28c8b1b15892cf602a90a0d387b904176d63d7eac0203b9.xls
- Resource: win10v2004-20240709-en
General
- Target: a908acf29dde8279b28c8b1b15892cf602a90a0d387b904176d63d7eac0203b9.xls
- Size: 1.3MB
- MD5: 6a5b15d9e6bb033e46489be8cdd09849
- SHA1: c67e28a3dc3bd24b3013ed445e961dac2bc40905
- SHA256: a908acf29dde8279b28c8b1b15892cf602a90a0d387b904176d63d7eac0203b9
- SHA512: f3af74171844d7a91de289921b670215b5534c7c7a98e707e2750fbc2c46705811ce121f02fc2bab7b269e208dd1796de385e3aab4a19ec9ebb369843de77e76
- SSDEEP: 24576:TCEyzgdI6eFAj99CB5ml31tD1HlmKQPpsmsyX1JRIwIz1QVEl:TCEwT6eFAj3Cjm3HlUhOa1nRRVA
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments. Here the reader is the Office host process itself (EXCEL.EXE, PID 3160), which queries these keys during its normal startup, so this signature on its own is weak evidence that the document is fingerprinting the sandbox; the same reads coming from a child process spawned by the document would be the stronger indicator.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  3160 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  3160 | EXCEL.EXE (12 identical entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 3160 wrote to memory of 4920 | 3160 | EXCEL.EXE | 88
  PID 3160 wrote to memory of 4920 | 3160 | EXCEL.EXE | 88
  PID 4920 is C:\Windows\splwow64.exe, the child that Excel started (see Processes).
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3160)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a908acf29dde8279b28c8b1b15892cf602a90a0d387b904176d63d7eac0203b9.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 4920, child of 3160)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\system32\svchost.exe (PID 2732)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
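The two questions an analyst wants answered from the signatures and process tree above are which fingerprinting keys were read and by which process, and whether the Office host spawned anything it would not spawn on its own. The following triage helper is an added example, not part of the sandbox report or its vendor's tooling: REGISTRY_EVENTS and PROCESSES are re-encoded by hand from the rows above, and the allowlist EXPECTED_OFFICE_CHILDREN (splwow64.exe, the print-driver host Office starts when it touches the printer subsystem) is an analyst assumption rather than anything the report states.

```python
# Added triage helper (not the sandbox vendor's code). It re-encodes the
# report's registry IoCs and process tree and applies two checks: which
# fingerprint keys were read and by whom, and whether the Office host spawned
# a child outside an assumed allowlist.
from collections import defaultdict

# Key prefixes under HKLM\HARDWARE\DESCRIPTION that are classic environment
# fingerprints (CPU name/speed, BIOS model/SKU). Compared case-insensitively.
FINGERPRINT_PREFIXES = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR": "cpu",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS": "bios",
}

# Assumed allowlist of children Office starts by itself; everything else
# spawned under an Office host is escalated.
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed from the report's signature rows: (action, key path, process).
REGISTRY_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0", "EXCEL.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "EXCEL.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "EXCEL.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU", "EXCEL.EXE"),
    ("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS", "EXCEL.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily", "EXCEL.EXE"),
]

# Constructed from the report's process tree: (pid, image path, parent pid or None).
PROCESSES = [
    (3160, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE", None),
    (4920, r"C:\Windows\splwow64.exe", 3160),
    (2732, r"C:\Windows\system32\svchost.exe", None),
]


def basename(path):
    """Last path component, lower-cased, for image-name comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_registry(events):
    """Map each process to {category: [value names queried]} for fingerprint keys.

    Only 'Key value queried' rows count: opening a key proves nothing, reading
    ~MHz or SystemSKU is what an environment check actually does.
    """
    result = defaultdict(lambda: defaultdict(list))
    for action, path, proc in events:
        if action != "Key value queried":
            continue
        upper = path.upper()
        for prefix, category in FINGERPRINT_PREFIXES.items():
            if upper.startswith(prefix):
                result[proc][category].append(path.rsplit("\\", 1)[-1])
    return {p: dict(c) for p, c in result.items()}


def unexpected_children(processes):
    """Return (pid, image) for children of an Office host not on the allowlist."""
    image_by_pid = {pid: image for pid, image, _ in processes}
    flagged = []
    for pid, image, ppid in processes:
        if ppid is None or basename(image_by_pid.get(ppid, "")) not in OFFICE_HOSTS:
            continue
        if basename(image) not in EXPECTED_OFFICE_CHILDREN:
            flagged.append((pid, image))
    return flagged


def verdict(events, processes):
    """Combine both checks into the escalation decision an analyst would make."""
    reads = classify_registry(events)
    children = unexpected_children(processes)
    # Fingerprint reads by the Office host alone are routine; reads by a child
    # process, or any unexpected child at all, are what justify escalation.
    child_readers = [p for p in reads if basename(p) not in OFFICE_HOSTS]
    if children or child_readers:
        return "escalate"
    return "inconclusive: only host-process fingerprint reads, no unexpected children"


if __name__ == "__main__":
    print(classify_registry(REGISTRY_EVENTS))
    print(unexpected_children(PROCESSES))
    print(verdict(REGISTRY_EVENTS, PROCESSES))
```

Run against this report the verdict is inconclusive: every fingerprint read comes from EXCEL.EXE itself and the only child is splwow64.exe. Appending a hypothetical cmd.exe child of PID 3160 to PROCESSES flips it to escalate, which is the behaviour a malicious macro would normally produce.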
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16B
  MD5: d29962abc88624befc0135579ae485ec
  SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
  SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
  SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 1KB
  MD5: a46a354abd9f27b13e92b26be0dd58ba
  SHA1: da4d9147b1355dde467d51b2f988353940af0419
  SHA256: fcf3abfe10332bda952c6208e3dd9b9d2e1b76a0869dfa7897595051c766311d
  SHA512: 66bb92ecf4c065719dc9e75df62b19bce97734219dee9211fc36924d147dc58e862675b32b881dfa9e9ba5da1e23685624a9a0a142a2951d113d90c6ec18c60f
  This is a Windows jump-list (Recent items) entry that Office updates when it opens a document; it records the opened file and is not a payload dropped by the sample.