Analysis
-
max time kernel
144s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 02:27
Static task
static1
Behavioral task
behavioral1
Sample
61718bc890c69da3085e39ae891336f349b76b739377ae010835920ba72d7315.xls
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
61718bc890c69da3085e39ae891336f349b76b739377ae010835920ba72d7315.xls
Resource
win10v2004-20241007-en
General
-
Target
61718bc890c69da3085e39ae891336f349b76b739377ae010835920ba72d7315.xls
-
Size
1.1MB
-
MD5
76bd9584f6a265e3c2bfe63d525efeec
-
SHA1
8ccf96ad8c846dae552135a39f4b1eabb11ca1a8
-
SHA256
61718bc890c69da3085e39ae891336f349b76b739377ae010835920ba72d7315
-
SHA512
f0dc84c5b80f7ada2ccc4777e9bf4669a65ad4b8642e7bddb303ecc709d537b213de1cb58f774fc34b9e175fb8322421ca515edbb266f4201cca1eeb4384aba6
-
SSDEEP
24576:7q9PLiijE2Z5Z2am8afU/gY/tMJE8F84LJQods11ZsX7Gh:7EPLiij7Z5ZK8ayg8tMpFjLJQodS4L
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
mshta.exedescription pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1820 2884 mshta.exe 82 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid Process 2884 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid Process 2884 EXCEL.EXE 2884 EXCEL.EXE 2884 EXCEL.EXE 2884 EXCEL.EXE 2884 EXCEL.EXE 2884 EXCEL.EXE 2884 EXCEL.EXE 2884 EXCEL.EXE 2884 EXCEL.EXE 2884 EXCEL.EXE 2884 EXCEL.EXE 2884 EXCEL.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
EXCEL.EXEdescription pid Process procid_target PID 2884 wrote to memory of 1820 2884 EXCEL.EXE 91 PID 2884 wrote to memory of 1820 2884 EXCEL.EXE 91 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\61718bc890c69da3085e39ae891336f349b76b739377ae010835920ba72d7315.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\System32\mshta.exeC:\Windows\System32\mshta.exe -Embedding2⤵
- Process spawned unexpected child process
PID:1820
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize1KB
MD5f59dbdf0187527f62589cb0e8e7bf603
SHA1aa5556daa12c1b48340b297ec2ebf38e800d5338
SHA25630bf72f7907e19a2a21742089c1b93eecbb0e8cbf7334cd0d1cff0e05df3eb3f
SHA512f445c654db5f08febeb9b67c7fceaf9ca799519cbd0ac732b38e9eef3ecc63c2dbd1351e02e75d3962bf9cb5b2b1c7358674321f480830cc4a89a1f1acbdb70d