Analysis
-
max time kernel
143s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/08/2024, 07:07
Static task
static1
Behavioral task
behavioral1
Sample
ALFATECH-4500068045.xls
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ALFATECH-4500068045.xls
Resource
win10v2004-20240802-en
General
-
Target
ALFATECH-4500068045.xls
-
Size
331KB
-
MD5
02b90b88aed63a901dbcb9f1c06e34c1
-
SHA1
0744024e070c8840acf9f787c18d279c242d1734
-
SHA256
a4004b765b4e62bd32933c91301f783d2b864bbb45cf9ae35f0b6681078bb40d
-
SHA512
b9394b6b59287940a94faceda10c584aae3155765e4bb88bbda4b04fe3bc23a1bf44951398ba723913c2c0c661a77c3efb6b000ff5a2efc312dc95c4bf81f901
-
SSDEEP
6144:c/WOvPZ8NdyOseQAz1Wapbb2zIFhzBvxaLqRRZYj+oUzCJeYILmCL1P:IWOX+PsJAz1p9fhzBIqRR4+BYILt1
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 64 3092 mshta.exe 83 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3092 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 3092 EXCEL.EXE 3092 EXCEL.EXE 3092 EXCEL.EXE 3092 EXCEL.EXE 3092 EXCEL.EXE 3092 EXCEL.EXE 3092 EXCEL.EXE 3092 EXCEL.EXE 3092 EXCEL.EXE 3092 EXCEL.EXE 3092 EXCEL.EXE 3092 EXCEL.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3092 wrote to memory of 64 3092 EXCEL.EXE 90 PID 3092 wrote to memory of 64 3092 EXCEL.EXE 90 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ALFATECH-4500068045.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\System32\mshta.exeC:\Windows\System32\mshta.exe -Embedding2⤵
- Process spawned unexpected child process
PID:64
-