Analysis
- max time kernel: 139s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-02-2021 07:12
Static task: static1
Behavioral task: behavioral1
  Sample: Marine Tiger.xlsm
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Marine Tiger.xlsm
  Resource: win10v20201028
General
- Target: Marine Tiger.xlsm
- Size: 13KB
- MD5: 18d6c58d438aa199c43cec6503ae2a6c
- SHA1: f2dbad3686195f07db9bac1aa7eba45120069ded
- SHA256: 6c92ed33934d5a604f57aac4ff33252720354285291791bed88b6f3f15b9631d
- SHA512: 2a0c139a909810abbeea86258c7fa4960b6eb2893e8203a0f5815a080070062957a7aa7ccfc27bd3ef5129c31c03c28139b9e05d2284d52b9f89ec15752c1621
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  | description | pid | pid_target | process | target process |
  | Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3180 | 828 | cmd.exe | EXCEL.EXE |
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  | description | ioc | process |
  | Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE |
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  | description | ioc | process |
  | Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE |
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  | pid | process |
  | 828 | EXCEL.EXE |
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes:
  | pid | process |
  | 828 | EXCEL.EXE |
  (the same entry is recorded 14 times)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  | description | pid | process | target process |
  | PID 828 wrote to memory of 3180 | 828 | EXCEL.EXE | cmd.exe |
  | PID 828 wrote to memory of 3180 | 828 | EXCEL.EXE | cmd.exe |
  | PID 3180 wrote to memory of 2104 | 3180 | cmd.exe | schtasks.exe |
  | PID 3180 wrote to memory of 2104 | 3180 | cmd.exe | schtasks.exe |
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 828)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Marine Tiger.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 3180)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2104)
      Command line: schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/828-2-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp (Filesize: 64KB)
- memory/828-3-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp (Filesize: 64KB)
- memory/828-4-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp (Filesize: 64KB)
- memory/828-6-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp (Filesize: 64KB)
- memory/828-5-0x00007FFAEE470000-0x00007FFAEEAA7000-memory.dmp (Filesize: 6.2MB)
- memory/2104-8-0x0000000000000000-mapping.dmp
- memory/3180-7-0x0000000000000000-mapping.dmp