Overview

overview

8

Static

static

8

159bbf2097...58.xls

windows7-x64

3

159bbf2097...58.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    24s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    06-08-2024 22:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    159bbf20977f80289e54d468f1c240cfec079a6df6e279e024b3ff406a0acd58.xls

  • Size

    6.7MB

  • MD5

    b1f779ce36012c743c370ad44be3b709

  • SHA1

    bb428956aaa17e96e47902e1a243cf8ab8d151ab

  • SHA256

    159bbf20977f80289e54d468f1c240cfec079a6df6e279e024b3ff406a0acd58

  • SHA512

    ed05f9167a288ade3a829ce77c034e0b31d6abe83e886fdebb4e3e592127ba547a4d2bd6e03c4f04cfacb94c962c31f61f1950e41801cc3d6c00cede29ae5134

  • SSDEEP

    196608:Fw6RUj6CQQzFpsj/j1/WkxLRDUp9IsfPHz7D3qfk:Fw6R1CPps9Og1DUp9IsfCk

Score
3/10
discovery

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\159bbf20977f80289e54d468f1c240cfec079a6df6e279e024b3ff406a0acd58.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1864-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1864-1-0x00000000727CD000-0x00000000727D8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1864-8-0x00000000076E0000-0x00000000077E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1864-9-0x00000000727CD000-0x00000000727D8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1864-10-0x00000000076E0000-0x00000000077E0000-memory.dmp

      Filesize

      1024KB

      Download