8bac502d02aebef57de2e4b324a71cb0d843c7cc1c66082ab37405e83afa6993

General

Target

d3127b922e70794c42034aaf238cb358.xlsm
Size

359KB
MD5

d3127b922e70794c42034aaf238cb358
SHA1

0ab11895b528eeabf2e544567f0f467d27b7a1fb
SHA256

8bac502d02aebef57de2e4b324a71cb0d843c7cc1c66082ab37405e83afa6993
SHA512

860afda64d73a9761faaeb096cdb8294c93121e4b3c85bbae9e3c66f650234a9721c6801afd11af02b376936d3b6ad32ee20b7ce526ce54ded97e358b9a15284

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmic.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3964 3460 wmic.exe
Blocklisted process makes network request 3 IoCs

Processes:

wmic.exe

flow pid process

32 3964 wmic.exe
34 3964 wmic.exe
36 3964 wmic.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	3460	wmic.exe

flow	pid	process
32	3964	wmic.exe
34	3964	wmic.exe
36	3964	wmic.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

652 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3964	wmic.exe
Token: SeSecurityPrivilege	3964	wmic.exe
Token: SeTakeOwnershipPrivilege	3964	wmic.exe
Token: SeLoadDriverPrivilege	3964	wmic.exe
Token: SeSystemProfilePrivilege	3964	wmic.exe
Token: SeSystemtimePrivilege	3964	wmic.exe
Token: SeProfSingleProcessPrivilege	3964	wmic.exe
Token: SeIncBasePriorityPrivilege	3964	wmic.exe
Token: SeCreatePagefilePrivilege	3964	wmic.exe
Token: SeBackupPrivilege	3964	wmic.exe
Token: SeRestorePrivilege	3964	wmic.exe
Token: SeShutdownPrivilege	3964	wmic.exe
Token: SeDebugPrivilege	3964	wmic.exe
Token: SeSystemEnvironmentPrivilege	3964	wmic.exe
Token: SeRemoteShutdownPrivilege	3964	wmic.exe
Token: SeUndockPrivilege	3964	wmic.exe
Token: SeManageVolumePrivilege	3964	wmic.exe
Token: 33	3964	wmic.exe
Token: 34	3964	wmic.exe
Token: 35	3964	wmic.exe
Token: 36	3964	wmic.exe
Token: SeIncreaseQuotaPrivilege	3964	wmic.exe
Token: SeSecurityPrivilege	3964	wmic.exe
Token: SeTakeOwnershipPrivilege	3964	wmic.exe
Token: SeLoadDriverPrivilege	3964	wmic.exe
Token: SeSystemProfilePrivilege	3964	wmic.exe
Token: SeSystemtimePrivilege	3964	wmic.exe
Token: SeProfSingleProcessPrivilege	3964	wmic.exe
Token: SeIncBasePriorityPrivilege	3964	wmic.exe
Token: SeCreatePagefilePrivilege	3964	wmic.exe
Token: SeBackupPrivilege	3964	wmic.exe
Token: SeRestorePrivilege	3964	wmic.exe
Token: SeShutdownPrivilege	3964	wmic.exe
Token: SeDebugPrivilege	3964	wmic.exe
Token: SeSystemEnvironmentPrivilege	3964	wmic.exe
Token: SeRemoteShutdownPrivilege	3964	wmic.exe
Token: SeUndockPrivilege	3964	wmic.exe
Token: SeManageVolumePrivilege	3964	wmic.exe
Token: 33	3964	wmic.exe
Token: 34	3964	wmic.exe
Token: 35	3964	wmic.exe
Token: 36	3964	wmic.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wmic.exe

description pid process target process

PID 3964 wrote to memory of 3164 3964 wmic.exe rundll32.exe
PID 3964 wrote to memory of 3164 3964 wmic.exe rundll32.exe

description	pid	process	target process
PID 3964 wrote to memory of 3164	3964	wmic.exe	rundll32.exe
PID 3964 wrote to memory of 3164	3964	wmic.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d3127b922e70794c42034aaf238cb358.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:652

C:\Windows\system32\wbem\wmic.exe
wmic os get /format:"C:\Users\Admin\AppData\Roaming\357BF.xsl"
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//bd2oj.dll RunXml
2⤵
PID:3164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\357BF.xsl
MD5
7d698fe6441ba051b9445fb35c6296c7

SHA1
e7c940533df3415b17416701d2da27602843fd84

SHA256
4c2ef808ef4bfd79dcc35a89c3f8eb1743a9e94b80e4372da72bdce4bc712934

SHA512
2dcf1f94e68669f8ac91bd3a66bcd11332b9722a22d8f0c5e8daf37c35da7d6e817c8f09504992b73624d1f63660f956798c067fff922a987ded7439f9ba54d2

Download Submit
C:\Windows\Temp\bd2oj.dll
MD5
7b73f442b523b7d8da25a1bfd365fea3

SHA1
e4e2d9b6219b8b2c2f682afbd6feab83bf8401a0

SHA256
ab20a5ee4c252e0326509dca7baf29819fdff75145487d5cadf4046ae2a91a28

SHA512
b07a285a24a76e34e348d4a6a099f005441f780b7585853311c04698ee1528a17f2237720a441dc9f5051b9e595e75fd1c9b83f77714c3cbfbc51943f1f180ec

Download Submit
memory/652-2-0x00007FFC10600000-0x00007FFC10610000-memory.dmp

Filesize
64KB

Download
memory/652-3-0x00007FFC10600000-0x00007FFC10610000-memory.dmp

Filesize
64KB

Download
memory/652-4-0x00007FFC10600000-0x00007FFC10610000-memory.dmp

Filesize
64KB

Download
memory/652-5-0x00007FFC10600000-0x00007FFC10610000-memory.dmp

Filesize
64KB

Download
memory/652-6-0x00007FFC336D0000-0x00007FFC33D07000-memory.dmp

Filesize
6.2MB

Download
memory/652-7-0x000001EAA8880000-0x000001EAA8884000-memory.dmp

Filesize
16KB

Download
memory/3164-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads