7d1bd0f1e6c73ead87681243ebfc1576158807ae4d3448d39b1ee35db265b753

General

Target

Revised-RBG-180129940.xlsx
Size

402KB
MD5

9a21b20bf0f722b2cd46058cbfad5571
SHA1

f359c45f331d5b159a1ae6ef80135f937bf32856
SHA256

7d1bd0f1e6c73ead87681243ebfc1576158807ae4d3448d39b1ee35db265b753
SHA512

8f350b572b864c5a2a96ad8306266e1cc6dfb7c3d81d18894dfdddda099a9d21a97b3aabaee41769693e862158f5282bc873d2f0e9bcfdea3be62a0b4e116328

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

4000 EXCEL.EXE
1288 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 1288 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4000 EXCEL.EXE
4000 EXCEL.EXE

description	pid	process
Token: SeAuditPrivilege	1288	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
1288	WINWORD.EXE
1288	WINWORD.EXE
1288	WINWORD.EXE
1288	WINWORD.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE
4000	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1288 wrote to memory of 1564	1288	WINWORD.EXE	splwow64.exe
PID 1288 wrote to memory of 1564	1288	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Revised-RBG-180129940.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
913295ae276ac3b81a7be9fd9bfb6afa

SHA1
9bd14d91c6cc4038d0232c987d2290ee92712ba2

SHA256
71d9343548e2b881bce4a4f620c05c3812a41fb0a0b986f2f0501a87e8d6902d

SHA512
94005bc5fe89f8e84b7d3a1c7552f1f8393945c4b6ecb2596b9de12cbaacc159febebd5d640d9f3ce0487a3f6929a26547eb7a9921350edf15efa05da4159138

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
6999b645b02cffb969d479289317d44c

SHA1
ec477d1054ed63d8c8c8650328e6f85890522258

SHA256
4a95336f31c461cb4b4ff21496efaadc89d87d1e263a806b7432ed352f2b03d0

SHA512
b869d46434afb47cb7c6833bf10bfd6b95d031dbe7f90580ca60e675e4fad31531ec4b43adb80687188eab29ccb0d0253c9b90822600b7f6388480da7b2292e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\document_v4120012[1].doc
MD5
446988fed3c06a2a0195479fccbed955

SHA1
3650070fada6121e813e3635b3734d9e80f43653

SHA256
4329673b6bb9797151a7eab278f0b82466d73303149f2e9ab797a95d04a982bd

SHA512
f00dd3d683087321ac0d200fa995a51b8c65109e5c1786b2a7f47b34b69b64d257ceca6b4a380ea6165f7268bc673e8d6861c992e47dda9cbf1c18c251714ab2

Download Submit
memory/1288-10-0x00007FFCBFC70000-0x00007FFCC02A7000-memory.dmp

Filesize
6.2MB

Download
memory/1564-13-0x0000000000000000-mapping.dmp

Download
memory/1564-14-0x0000000002890000-0x0000000002991000-memory.dmp

Filesize
1.0MB

Download
memory/4000-2-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmp

Filesize
64KB

Download
memory/4000-3-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmp

Filesize
64KB

Download
memory/4000-4-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmp

Filesize
64KB

Download
memory/4000-5-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmp

Filesize
64KB

Download
memory/4000-6-0x00007FFCBFC70000-0x00007FFCC02A7000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads