020f81f9c5ff58cce183a45b51770b5fa15486446250d168f492264e71701078

General

Target

OBL.xlsm
Size

51KB
MD5

701f9328e7a3342f0dfa48698c6c613b
SHA1

6edc2590af618b480f1c40e2eb7931fc731850bd
SHA256

020f81f9c5ff58cce183a45b51770b5fa15486446250d168f492264e71701078
SHA512

c0998664d42b7915f3a9cdbc517662e0625f02b3d4f06f5ec872d7f71674d3392fa36e4cf72424187bbb5902b8f5797f82c81b41b125c90473e2a2664a58c7fa

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4048	1360	cscript.exe	67

Executes dropped EXE 1 IoCs

pid	Process
3692	mPCoN67gt4d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1200	WerFault.exe
Token: SeBackupPrivilege	1200	WerFault.exe
Token: SeDebugPrivilege	1200	WerFault.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\programdata\asc.txt:script1.vbs	EXCEL.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\mm:Zone.Identifier	EXCEL.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\xx:Zone.Identifier	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1360	EXCEL.EXE
1360	EXCEL.EXE
1360	EXCEL.EXE
1360	EXCEL.EXE
1360	EXCEL.EXE
1360	EXCEL.EXE
1360	EXCEL.EXE
1360	EXCEL.EXE
1360	EXCEL.EXE
1360	EXCEL.EXE
1360	EXCEL.EXE
1360	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1360	EXCEL.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 4048	1360	EXCEL.EXE	72
PID 1360 wrote to memory of 4048	1360	EXCEL.EXE	72
PID 4048 wrote to memory of 3692	4048	cscript.exe	76
PID 4048 wrote to memory of 3692	4048	cscript.exe	76
PID 4048 wrote to memory of 3692	4048	cscript.exe	76

Blacklisted process makes network request 1 IoCs

flow	pid	Process
16	4048	cscript.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1200	3692	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe

Script User-Agent 1 IoCs

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\OBL.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - Blacklisted process makes network request
  PID:4048
- - C:\programdata\mPCoN67gt4d.exe
    C:\programdata\mPCoN67gt4d.exe
    3⤵
    - Executes dropped EXE
    PID:3692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 928
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Program crash
      Suspicious behavior: EnumeratesProcesses
      PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-10-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/1200-20-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads