cfc6981de86af094cf3db2e7ae18d12e843ec0af676775163da859034b872f8f

General

Target

Pro-forma Da.xlsm
Size

48KB
MD5

1b9914f176f853c624ff4727bb45180a
SHA1

7da7342da3b8e83b2d8e3783d7044c42c23385f0
SHA256

cfc6981de86af094cf3db2e7ae18d12e843ec0af676775163da859034b872f8f
SHA512

b7072ab08115b8dbe9f1efed333fe0eb003be4ad9370115b7175b71c27e8f5faa1e582f48827a46b6b8e1e190be244342199e9bd460e47d80d99888123e86cd1

Score

10^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2176	EXCEL.EXE
2176	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2176	EXCEL.EXE

Executes dropped EXE 1 IoCs

pid	Process
3800	b0zjyDTDj3.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	856	WerFault.exe
Token: SeBackupPrivilege	856	WerFault.exe
Token: SeDebugPrivilege	856	WerFault.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\mm:Zone.Identifier	EXCEL.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\xx:Zone.Identifier	EXCEL.EXE
File created	C:\programdata\asc.txt:script1.vbs	EXCEL.EXE

Script User-Agent 1 IoCs

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3796	2176	cscript.exe	66

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3796	2176	EXCEL.EXE	71
PID 2176 wrote to memory of 3796	2176	EXCEL.EXE	71
PID 3796 wrote to memory of 3800	3796	cscript.exe	73
PID 3796 wrote to memory of 3800	3796	cscript.exe	73
PID 3796 wrote to memory of 3800	3796	cscript.exe	73

Blacklisted process makes network request 1 IoCs

flow	pid	Process
8	3796	cscript.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
856	3800	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe
856	WerFault.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Pro-forma Da.xlsm"
1⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
- NTFS ADS
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2176
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - Blacklisted process makes network request
  PID:3796
- - C:\programdata\b0zjyDTDj3.exe
    C:\programdata\b0zjyDTDj3.exe
    3⤵
    - Executes dropped EXE
    PID:3800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1184
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Program crash
      Suspicious behavior: EnumeratesProcesses
      PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-8-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x000001ABDCE39000-0x000001ABDCE44000-memory.dmp

Filesize
44KB

Download
memory/2176-0-0x000001ABD8B7D000-0x000001ABD8B82000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads