Malware executes its payload only when the screen is locked.

3/48 detections on VirusTotal
as of 04.06.2024

The VMRay Labs team has uncovered a malicious Excel file uses macros to download an image from a remote resource – but hidden inside are the commands to execute the next payload

Then the malware schedules a task that is only executed when the user locks the screen. 

3 of 48

detections on VirusTotal

 

HASH: 5dbcefc3f5401265b8fe4bb0c8a645914b45b850a13dfaa5ec313ec8e108b2c5

VirusTotal Code Insight reports that the sample “does not exhibit any signs of malicious intent”

 

Sample downloads valid PNG file with hidden commands

 

XLS → Macros → C2 → PNG image → Commands

 

Schedules task which is only executed when the screen is locked

 

schtasks.exe → Wait until user locks screen → verclsid → DLL

 

Drops spyware

Dive deeper into the report

See why we think this is malicious in plain language.

See the whole path of the sample’s execution

Map the malicious activities on the MITRE ATT&CK Framework

Explore detailed information on the IP addresses, URLs and DNS, including function logs and PCAP Streams

Download the IOCs and artifacts to have a clear picture of the threat.

Download the files that the malware downloads, drops or modifies.

Explore how you can use these insights