Analysis
max time kernel: 130s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-08-2024 01:11
Static task: static1
Behavioral task: behavioral1
  Sample: 2e403c82a6acf935fdd859da68a70ea82e3caac01b87038cda50932f946115a2.xls
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2e403c82a6acf935fdd859da68a70ea82e3caac01b87038cda50932f946115a2.xls
  Resource: win10v2004-20240802-en
General
Target: 2e403c82a6acf935fdd859da68a70ea82e3caac01b87038cda50932f946115a2.xls
Size: 165KB
MD5: 50d9cbf6510f65f00717afed1b81cc83
SHA1: 182db58e797005d0a563c1fcb575d521b35533c1
SHA256: 2e403c82a6acf935fdd859da68a70ea82e3caac01b87038cda50932f946115a2
SHA512: 59f3079919f184861251b832ff0483d2e5e89d77a0c5a64b5544bdd495841901f85a5fce411826e29dfac8afab831fd9113f118b037da638e60e7a822f4752ce
SSDEEP: 3072:HMYpmZjeshQNKqiJJhRgLjhjFkn9d4aiJDDc06CwSjWbaN+Ir9lM:sY0HPq6Fankn9yaiHc0JtiuN+IZlM
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
4800 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
4800 | EXCEL.EXE (12 identical entries)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2e403c82a6acf935fdd859da68a70ea82e3caac01b87038cda50932f946115a2.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 4800
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3036,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
  PID: 4624
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 1KB
MD5: 2af7d389d2eddce84f1fdf8ae9140b5b
SHA1: 99cfb2f11c63256b22d7e86fa2a3b550338ae1bc
SHA256: 7b483e2a3f5aa52ab22dd8791c74865603eee83fb2091aa57a7493b57ef98bee
SHA512: e8b9568ab8d16e31ebb8b5431c43443de32219d9041fe0ed6ed1ff3a4e21c3924b21b4c9a26665accb16293adc43d924ace9636ca227f70980d2138e2efb70b5