5548251bf7e67b8dfa368d5b1e6699d9f260324e419d3e530c1d5ea927e3aaf2

General

Target

428E1ABAB62B190787DB4A57D19CCF86.xls
Size

799KB
MD5

428e1abab62b190787db4a57d19ccf86
SHA1

b443cbc0b74ac39f696585f99160ddb5bfdc1e3a
SHA256

5548251bf7e67b8dfa368d5b1e6699d9f260324e419d3e530c1d5ea927e3aaf2
SHA512

3988a34186641af8c65feb0a0938eeee5d849fc3df0b93d82fa7f9b44527f17dd714dd0e2539058691fbbf48f0d72469acdb597ea2e4233192f4a8f936ef9d3b

Score

10^/10

ransomware

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmiC.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3936 3660 wmiC.exe
Blocklisted process makes network request 2 IoCs

Processes:

wmiC.exe

flow pid process

32 3936 wmiC.exe
34 3936 wmiC.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	3660	wmiC.exe

flow	pid	process
32	3936	wmiC.exe
34	3936	wmiC.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3084 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmiC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3936	wmiC.exe
Token: SeSecurityPrivilege	3936	wmiC.exe
Token: SeTakeOwnershipPrivilege	3936	wmiC.exe
Token: SeLoadDriverPrivilege	3936	wmiC.exe
Token: SeSystemProfilePrivilege	3936	wmiC.exe
Token: SeSystemtimePrivilege	3936	wmiC.exe
Token: SeProfSingleProcessPrivilege	3936	wmiC.exe
Token: SeIncBasePriorityPrivilege	3936	wmiC.exe
Token: SeCreatePagefilePrivilege	3936	wmiC.exe
Token: SeBackupPrivilege	3936	wmiC.exe
Token: SeRestorePrivilege	3936	wmiC.exe
Token: SeShutdownPrivilege	3936	wmiC.exe
Token: SeDebugPrivilege	3936	wmiC.exe
Token: SeSystemEnvironmentPrivilege	3936	wmiC.exe
Token: SeRemoteShutdownPrivilege	3936	wmiC.exe
Token: SeUndockPrivilege	3936	wmiC.exe
Token: SeManageVolumePrivilege	3936	wmiC.exe
Token: 33	3936	wmiC.exe
Token: 34	3936	wmiC.exe
Token: 35	3936	wmiC.exe
Token: 36	3936	wmiC.exe
Token: SeIncreaseQuotaPrivilege	3936	wmiC.exe
Token: SeSecurityPrivilege	3936	wmiC.exe
Token: SeTakeOwnershipPrivilege	3936	wmiC.exe
Token: SeLoadDriverPrivilege	3936	wmiC.exe
Token: SeSystemProfilePrivilege	3936	wmiC.exe
Token: SeSystemtimePrivilege	3936	wmiC.exe
Token: SeProfSingleProcessPrivilege	3936	wmiC.exe
Token: SeIncBasePriorityPrivilege	3936	wmiC.exe
Token: SeCreatePagefilePrivilege	3936	wmiC.exe
Token: SeBackupPrivilege	3936	wmiC.exe
Token: SeRestorePrivilege	3936	wmiC.exe
Token: SeShutdownPrivilege	3936	wmiC.exe
Token: SeDebugPrivilege	3936	wmiC.exe
Token: SeSystemEnvironmentPrivilege	3936	wmiC.exe
Token: SeRemoteShutdownPrivilege	3936	wmiC.exe
Token: SeUndockPrivilege	3936	wmiC.exe
Token: SeManageVolumePrivilege	3936	wmiC.exe
Token: 33	3936	wmiC.exe
Token: 34	3936	wmiC.exe
Token: 35	3936	wmiC.exe
Token: 36	3936	wmiC.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE
3084	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wmiC.exe

description pid process target process

PID 3936 wrote to memory of 4080 3936 wmiC.exe rundll32.exe
PID 3936 wrote to memory of 4080 3936 wmiC.exe rundll32.exe

description	pid	process	target process
PID 3936 wrote to memory of 4080	3936	wmiC.exe	rundll32.exe
PID 3936 wrote to memory of 4080	3936	wmiC.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\428E1ABAB62B190787DB4A57D19CCF86.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3084

C:\Windows\system32\wbem\wmiC.exe
wmiC
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//b7h2t.dll InitHelperDll
  2⤵
  PID:4080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2553F.xsL

MD5
5cdd36af549532a525403c3bf0a197e3

SHA1
37f4135a3883580001c1bb777e423618386f27bc

SHA256
ad49647554d461875b482b64e08c02fe47c4f0d2dcbdf84560a0be690dd803a4

SHA512
3c783d943b8935cf6851fc738243526fc909af3b0515b1188d2edbfcc2bebad556f7b6fa74bff8403e45edea274a62c7a9ee466e9415842f54e3f6317b4d11f9

Download Submit
C:\Windows\Temp\b7h2t.dll

MD5
b73d09e9ad4a4132a00240a15739a078

SHA1
57e60b13c7945b008f615bea543da3bd9e64a085

SHA256
8c0e184d7769ea6e335f8b197989377deaa698987dda8d3cbcbde2a973b4e488

SHA512
e3044516cde3c3ef3c40b99b2f2d85bc4d2e4bf501114595fb96c7cea1d06b4343791687ecf6f69be28b812868499b4d525afc6dad3d831ae7d360af53ed03d2

Download Submit
memory/3084-2-0x00007FF8731B0000-0x00007FF8731C0000-memory.dmp

Filesize
64KB

Download
memory/3084-3-0x00007FF8731B0000-0x00007FF8731C0000-memory.dmp

Filesize
64KB

Download
memory/3084-4-0x00007FF8731B0000-0x00007FF8731C0000-memory.dmp

Filesize
64KB

Download
memory/3084-5-0x00007FF896620000-0x00007FF896C57000-memory.dmp

Filesize
6.2MB

Download
memory/3084-6-0x00007FF8731B0000-0x00007FF8731C0000-memory.dmp

Filesize
64KB

Download
memory/3084-7-0x000001BEC3D90000-0x000001BEC3D94000-memory.dmp

Filesize
16KB

Download
memory/4080-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads