Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2024 17:39
Behavioral task
behavioral1
Sample
4b1957a0c7ef9069fdb0d2c3a88b422d1e7de46673e94a3d8502e4ea799a3587.xlsm
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4b1957a0c7ef9069fdb0d2c3a88b422d1e7de46673e94a3d8502e4ea799a3587.xlsm
Resource
win10v2004-20241007-en
General
-
Target
4b1957a0c7ef9069fdb0d2c3a88b422d1e7de46673e94a3d8502e4ea799a3587.xlsm
-
Size
190KB
-
MD5
936076475141668bd1e2b250899b2a9b
-
SHA1
2e795a59ebe228c058ec8930b056ab5c6e3910e9
-
SHA256
4b1957a0c7ef9069fdb0d2c3a88b422d1e7de46673e94a3d8502e4ea799a3587
-
SHA512
60cd25cfc8ec5e617f8dd148273a5b6b6323b5ff429c956e6484794957e0b87007f9f8d5e0d987908206565d71a592c90f52e3753abd8500f4efe649167b1365
-
SSDEEP
3072:RUjWNX3hRqo2wDtStV6ofIWPQZzzjqlHsgGgYGfnKFUw/:R6WVxwoNDtiMofIrZfqeFP/
Malware Config
Extracted
https://shadesofask.com/10000-ncsa/iwqc/
https://yatrataxi.com/wp-content/X4Ce/
https://lukrify.com/wp-admin/UePJk/
https://haciendazorita.t1.curious.tech/v/eAGLtzRQ5/
http://68.183.232.164/wp-admin/PnJY1/
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2180 EXCEL.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2180 EXCEL.EXE 2180 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2180 EXCEL.EXE 2180 EXCEL.EXE 2180 EXCEL.EXE 2180 EXCEL.EXE 2180 EXCEL.EXE 2180 EXCEL.EXE 2180 EXCEL.EXE 2180 EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4b1957a0c7ef9069fdb0d2c3a88b422d1e7de46673e94a3d8502e4ea799a3587.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2180
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize3KB
MD5db3821d0d7edb9f0ab5c07a3c6b38a0e
SHA1597c78df9056e892cdcbe14a4115d83ba834eeec
SHA2569e3c24065d660d536d47dbb814f5d4bdc49b2ac1f91c728d1bd61b51f3def2dd
SHA512828cb9256208b5e5a718cf37532fa10b44d8bbc3446c34eb2d500310e28b377bccff437fc945be32953ebcfcd477c21ebe75cc0cb3da2513a047e137b1807420