Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-09-2024 07:08
Behavioral tasks (sample paths are Chinese: 中小学名单 = "list of primary and secondary schools"; 农村 = rural, 城市 = urban, 中学 = middle school, 小学 = primary school)
- behavioral1: 中小学名单/2012农村中学.xls on win7-20240903-en
- behavioral2: 中小学名单/2012农村中学.xls on win10v2004-20240802-en
- behavioral3: 中小学名单/2012农村小学.xls on win7-20240903-en
- behavioral4: 中小学名单/2012农村小学.xls on win10v2004-20240802-en
- behavioral5: 中小学名单/2012城市中学.xls on win7-20240903-en
- behavioral6: 中小学名单/2012城市中学.xls on win10v2004-20240802-en
- behavioral7: 中小学名单/2012城市小学.xls on win7-20240708-en
- behavioral8: 中小学名单/2012城市小学.xls on win10v2004-20240802-en
General
- Target: 中小学名单/2012城市中学.xls ("2012 urban middle schools"; this report is the win10v2004-20240802-en run of that file, behavioral6 above)
- Size: 143KB
- MD5: 58b2fe2ccfd1a8b74ab0ea928cdfd8e2
- SHA1: e1911d4e2dd11414aaf7ba73fe3332e10772a327
- SHA256: ec344428a3d915f86e93e75d51836c029a12e728a64ecd1734bf4985cf3d32a3
- SHA512: 50986f91831ac2d062c224745e3d9346b32b6a0b3b13e0f17b7bc24e2e68facfb42d2df833eca5ec037ecce3452fe105c1a82014badb105624bd5ee70153dbe1
- SSDEEP: 3072:Lss93EkqzdTKWIIL2j33c0lbxOslU0JtXwXJ/:7ind1iQ
Malware Config
Signatures
-
- Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is the Excel host that opened the sample, and all three children are cmd.exe, which an Office application has no legitimate reason to launch directly.
Processes: cmd.exe (three instances)
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid (child)   pid_target (parent)   process   target process
  928           2968                  cmd.exe   EXCEL.EXE
  3860          2968                  cmd.exe   EXCEL.EXE
  440           2968                  cmd.exe   EXCEL.EXE -
YARA match (signature heading not preserved in the report):
  resource                                                                     yara_rule
  C:\Users\Admin\AppData\Local\Temp\中小学名单\2012城市中学.xls                     office_xlm_macros (Excel 4.0 / XLM macro sheet) -
Deletes itself 1 IoCs
Processes: EXCEL.EXE (pid 2968) -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
- Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. On its own this is a weak indicator: the reads are attributed to EXCEL.EXE itself, which queries these keys in benign runs as well, so treat it as supporting context for the process-tree findings rather than as evidence of evasion.
Processes: EXCEL.EXE
  description         ioc                                                                                  process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   EXCEL.EXE
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  EXCEL.EXE -
- Enumerates system info in registry 2 TTPs 3 IoCs
Processes: EXCEL.EXE
  description         ioc                                                          process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU      EXCEL.EXE
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   EXCEL.EXE -
- NTFS ADS 1 IoCs
The stream created is Zone.Identifier, the standard Mark-of-the-Web stream, written by Excel on a temporary copy under the sample's folder; this hit by itself is expected behavior when Excel handles a downloaded file, not a payload hidden in an alternate data stream.
Processes: EXCEL.EXE
  description    ioc                                                                                 process
  File created   C:\Users\Admin\AppData\Local\Temp\中小学名单\7FA75E00\:Zone.Identifier:$DATA            EXCEL.EXE -
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE (pid 2968) -
- Suspicious use of FindShellTrayWindow 2 IoCs
Processes: EXCEL.EXE (pid 2968, 2 occurrences) -
- Suspicious use of SetWindowsHookEx 12 IoCs
Processes: EXCEL.EXE (pid 2968, 12 occurrences) -
- Suspicious use of WriteProcessMemory 8 IoCs
Processes: EXCEL.EXE, cmd.exe (each pair is recorded twice in the report, giving 8 IoCs)
  pid    process     target pid   target process
  2968   EXCEL.EXE   440          cmd.exe
  2968   EXCEL.EXE   3860         cmd.exe
  2968   EXCEL.EXE   928          cmd.exe
  440    cmd.exe     5064         attrib.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2968, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\中小学名单\2012城市中学.xls"
  - Deletes itself
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 440, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\attrib.exe (PID 5064, depth 3)
      Command line: attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
      - Views/modifies file attributes
  - C:\Windows\system32\cmd.exe (PID 3860, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    - Process spawned unexpected child process
  - C:\Windows\system32\cmd.exe (PID 928, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
    - Process spawned unexpected child process

All three shell children target the same path, K4.XLS in the per-user XLSTART directory. Excel opens every workbook it finds in XLSTART at startup, so a file planted there runs on each launch; the macro first strips the System and Hidden attributes that would otherwise block deletion (attrib -S -h), deletes the path as a file (Del /F /Q) and then removes it again as a directory (RD /S /Q), covering either form the name might take. The report does not show what, if anything, K4.XLS contained, and the "Deletes itself" signature above refers to this XLSTART file rather than to the submitted workbook.
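The two behaviors the report flags as most significant, an Office host spawning cmd.exe and a chain of commands tampering with a file under XLSTART, are the kind of thing a detection rule should catch from endpoint telemetry. The following is an added example written for this page, not code from the sandbox vendor or from the sample: it runs a small detection pass over process-creation and registry-access records constructed by hand to mirror the process tree and registry IoCs above. The record shape (pid, parent_pid, image, parent_image, command_line / key) is an assumption loosely modelled on Sysmon-style telemetry rather than a real log format, EXCEL.EXE's own parent (explorer.exe, pid 1000) is invented because the report does not record it, and the benign registry read is constructed to show a non-match. The point it adds beyond the report is the ancestry walk: attrib.exe sits two hops below Excel, so a parent-only rule that matches "Excel spawns cmd" would never attribute the attribute change to the document.

```python
"""Detection pass over constructed process and registry events.

Added example, not part of the sandbox report. Event shape and the
explorer.exe parent of EXCEL.EXE are assumptions; everything else mirrors
the process tree and registry IoCs in the report.
"""
import ntpath
import re
from dataclasses import dataclass

# Office hosts that should never directly spawn a shell or script engine.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Excel opens every workbook in an XLSTART directory at startup, so a macro
# that creates, hides, unhides or deletes files there touches a persistence
# location. Matches a double-quoted path containing \XLSTART\.
XLSTART_PATH_RE = re.compile(r'"([^"]*\\XLSTART\\[^"]*)"', re.IGNORECASE)
# Keys the report shows EXCEL.EXE reading; commonly used to fingerprint the
# host (CPU name/clock, BIOS SKU/family). Weak signal on its own.
FINGERPRINT_KEYS = (
    r"\HARDWARE\DESCRIPTION\System\CentralProcessor",
    r"\HARDWARE\DESCRIPTION\System\BIOS",
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int
    image: str
    parent_image: str
    command_line: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str
    key: str


def _exe(path):
    return ntpath.basename(path).lower()


def office_ancestor(ev, by_pid):
    """Return the pid of the nearest Office host above ev, or None.

    Walks parent links through by_pid so that attrib.exe (child of cmd.exe,
    grandchild of EXCEL.EXE) is still attributed to the document."""
    seen = set()
    cur = ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if _exe(cur.parent_image) in OFFICE_HOSTS:
            return cur.parent_pid
        cur = by_pid.get(cur.parent_pid)
    return None


def analyze(proc_events, reg_events):
    """Return (finding, pid) pairs in the order the events were seen."""
    by_pid = {e.pid: e for e in proc_events}
    findings = []
    for ev in proc_events:
        if _exe(ev.parent_image) in OFFICE_HOSTS and _exe(ev.image) in LOLBIN_CHILDREN:
            findings.append(("office_spawns_lolbin", ev.pid))
        if XLSTART_PATH_RE.search(ev.command_line):
            if office_ancestor(ev, by_pid) is not None:
                findings.append(("xlstart_tamper_from_office", ev.pid))
            else:
                findings.append(("xlstart_tamper", ev.pid))
    for r in reg_events:
        if _exe(r.image) in OFFICE_HOSTS and any(
                k.lower() in r.key.lower() for k in FINGERPRINT_KEYS):
            findings.append(("hw_fingerprint_query", r.pid))
    return findings


def xlstart_targets(proc_events):
    """Every quoted XLSTART path named on any command line."""
    out = set()
    for ev in proc_events:
        out.update(XLSTART_PATH_RE.findall(ev.command_line))
    return out


# Constructed records mirroring the report's process tree and registry IoCs.
EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
CMD = r"C:\Windows\system32\cmd.exe"
ATTRIB = r"C:\Windows\system32\attrib.exe"
DOC = r"C:\Users\Admin\AppData\Local\Temp\中小学名单\2012城市中学.xls"
K4 = r"C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"

PROC_EVENTS = [
    # parent explorer.exe / pid 1000 is assumed; the report does not record it
    ProcEvent(2968, 1000, EXCEL, r"C:\Windows\explorer.exe", '"' + EXCEL + '" "' + DOC + '"'),
    ProcEvent(440, 2968, CMD, EXCEL, CMD + ' /c attrib -S -h "' + K4 + '"'),
    ProcEvent(5064, 440, ATTRIB, CMD, 'attrib -S -h "' + K4 + '"'),
    ProcEvent(3860, 2968, CMD, EXCEL, CMD + ' /c Del /F /Q "' + K4 + '"'),
    ProcEvent(928, 2968, CMD, EXCEL, CMD + ' /c RD /S /Q "' + K4 + '"'),
]
REG_EVENTS = [
    RegEvent(2968, EXCEL, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    RegEvent(2968, EXCEL, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
    # constructed benign read: ordinary Office settings key, must not fire
    RegEvent(2968, EXCEL, r"\REGISTRY\USER\S-1-5-21-0\Software\Microsoft\Office\16.0\Excel\Options"),
]

if __name__ == "__main__":
    for tag, pid in analyze(PROC_EVENTS, REG_EVENTS):
        print(f"{tag:28} pid {pid}")
    print("XLSTART paths touched:", sorted(xlstart_targets(PROC_EVENTS)))
```

Against the constructed events this reports office_spawns_lolbin for the three cmd.exe children (440, 3860, 928), xlstart_tamper_from_office for those three plus attrib.exe (5064), and two hw_fingerprint_query hits for EXCEL.EXE, while the benign Options key is ignored. On a real endpoint the same logic would be fed from process-creation and registry-access telemetry (Sysmon event IDs 1 and 12/13, for instance); the office-spawn and XLSTART findings are the ones worth alerting on, and the fingerprint query should only raise the score of an alert that already exists, for the reason given under "Checks processor information in registry" above.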
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded)
  Filesize: 170KB
  MD5: af6614572d5ad580229f0fc9e9361829
  SHA1: 3a495aa4a6ca0eb990b178117a68c6a892ccb225
  SHA256: 1f5c4d8652d37be60b183e29f634cae884cf9b2b4836223d1eb85dc5916b8c62
  SHA512: b7e411365f4ca27e645e7f2a8cdb3f57f26c0634e04dda55a5f6a27251c39a526e46f9bb026b18c2d34f58823630b3ec2fc0c4334844c37597fa53c4de2fb50d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms (a Windows Jump List file)
  Filesize: 3KB
  MD5: de9c19d811816db54ca18fb7877145bf
  SHA1: a91b0542efdccc99feb219ed9d4a337dbf7d0ee6
  SHA256: de55d8f8cfca1632a4c05bbe80e17f8f7b59336932a2577338b0203ea8e25ff7
  SHA512: 031bb7bc5efce6b96b9651a2ab06caa54961ec8b8d9684b081f686be7984e4e95c1a17302c87bf56611a0bb8cbebcf398a470f945fecce9885421760bb0b4c18