7f322b2e240f3dfc09f4be7d9cbc806feb902587fbba27520d4d8641c6fa683c

General

Target

666f323aaaeb3ad7c537561f66d74132.xlsm
Size

187KB
MD5

666f323aaaeb3ad7c537561f66d74132
SHA1

478f0bb55cef539818bffde3dc7f3175c29bf2cb
SHA256

7f322b2e240f3dfc09f4be7d9cbc806feb902587fbba27520d4d8641c6fa683c
SHA512

2caad2f2a45683475637dc331016be9ac642ea3119f7265d6d76a6994153ce88e14ba9985664231c3e48e0f52f94a6506f90d1ce4ea800dfc7e6e056596955ac

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmic.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3936 3540 wmic.exe
Blocklisted process makes network request 2 IoCs

Processes:

wmic.exe

flow pid process

31 3936 wmic.exe
33 3936 wmic.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	3540	wmic.exe

flow	pid	process
31	3936	wmic.exe
33	3936	wmic.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wmic.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wmic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wmic.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1456 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3936	wmic.exe
Token: SeSecurityPrivilege	3936	wmic.exe
Token: SeTakeOwnershipPrivilege	3936	wmic.exe
Token: SeLoadDriverPrivilege	3936	wmic.exe
Token: SeSystemProfilePrivilege	3936	wmic.exe
Token: SeSystemtimePrivilege	3936	wmic.exe
Token: SeProfSingleProcessPrivilege	3936	wmic.exe
Token: SeIncBasePriorityPrivilege	3936	wmic.exe
Token: SeCreatePagefilePrivilege	3936	wmic.exe
Token: SeBackupPrivilege	3936	wmic.exe
Token: SeRestorePrivilege	3936	wmic.exe
Token: SeShutdownPrivilege	3936	wmic.exe
Token: SeDebugPrivilege	3936	wmic.exe
Token: SeSystemEnvironmentPrivilege	3936	wmic.exe
Token: SeRemoteShutdownPrivilege	3936	wmic.exe
Token: SeUndockPrivilege	3936	wmic.exe
Token: SeManageVolumePrivilege	3936	wmic.exe
Token: 33	3936	wmic.exe
Token: 34	3936	wmic.exe
Token: 35	3936	wmic.exe
Token: 36	3936	wmic.exe
Token: SeIncreaseQuotaPrivilege	3936	wmic.exe
Token: SeSecurityPrivilege	3936	wmic.exe
Token: SeTakeOwnershipPrivilege	3936	wmic.exe
Token: SeLoadDriverPrivilege	3936	wmic.exe
Token: SeSystemProfilePrivilege	3936	wmic.exe
Token: SeSystemtimePrivilege	3936	wmic.exe
Token: SeProfSingleProcessPrivilege	3936	wmic.exe
Token: SeIncBasePriorityPrivilege	3936	wmic.exe
Token: SeCreatePagefilePrivilege	3936	wmic.exe
Token: SeBackupPrivilege	3936	wmic.exe
Token: SeRestorePrivilege	3936	wmic.exe
Token: SeShutdownPrivilege	3936	wmic.exe
Token: SeDebugPrivilege	3936	wmic.exe
Token: SeSystemEnvironmentPrivilege	3936	wmic.exe
Token: SeRemoteShutdownPrivilege	3936	wmic.exe
Token: SeUndockPrivilege	3936	wmic.exe
Token: SeManageVolumePrivilege	3936	wmic.exe
Token: 33	3936	wmic.exe
Token: 34	3936	wmic.exe
Token: 35	3936	wmic.exe
Token: 36	3936	wmic.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wmic.exerundll32.exe

description	pid	process	target process
PID 3936 wrote to memory of 3952	3936	wmic.exe	rundll32.exe
PID 3936 wrote to memory of 3952	3936	wmic.exe	rundll32.exe
PID 3952 wrote to memory of 1652	3952	rundll32.exe	rundll32.exe
PID 3952 wrote to memory of 1652	3952	rundll32.exe	rundll32.exe
PID 3952 wrote to memory of 1652	3952	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\666f323aaaeb3ad7c537561f66d74132.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\system32\wbem\wmic.exe
wmic os get /format:"C:\Users\Admin\AppData\Roaming\27041.xsl"
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//iqlns.dll RunXml
2⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//iqlns.dll RunXml
3⤵
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\27041.xsl
MD5
6e5e3a0f3b3e45d2b8aa4872750a5b21

SHA1
43322560fb8685b61946dd7dc7e2ab8bc6522807

SHA256
4679aecd0ebdca18aecc3df289e29557ad36e8530cae3628a5de5985f43d808d

SHA512
0d0d017983dbb1e4def10ffc465416bead0be6af556eae45859e14390a646449f3b3e7069588393f4747409e7abc38a2804dd93846e7351b1bfab5209f38e260

Download Submit
C:\Windows\Temp\iqlns.dll
MD5
38ff27fe8a92379cbdfdabc07d111a90

SHA1
cd340aae7738b9aae1e2898509c364a3d1ff9087

SHA256
5c0757f27a6ad23fb98bf1833e2d8a42f030cd81a0a921f8ae267ed24d15aa57

SHA512
6d468522ced4961da1618e80784e88db4de310c77aeb53a4df6b05d662ac495830c5dbc0d385e37c10be47285b786ab5ad0eed2c5a6edbc2e4b7958751c30c2d

Download Submit
memory/1456-2-0x00007FFB33400000-0x00007FFB33410000-memory.dmp

Filesize
64KB

Download
memory/1456-3-0x00007FFB33400000-0x00007FFB33410000-memory.dmp

Filesize
64KB

Download
memory/1456-4-0x00007FFB33400000-0x00007FFB33410000-memory.dmp

Filesize
64KB

Download
memory/1456-5-0x00007FFB33400000-0x00007FFB33410000-memory.dmp

Filesize
64KB

Download
memory/1456-6-0x00007FFB568F0000-0x00007FFB56F27000-memory.dmp

Filesize
6.2MB

Download
memory/1456-7-0x000002029AF00000-0x000002029AF04000-memory.dmp

Filesize
16KB

Download
memory/1652-11-0x0000000000000000-mapping.dmp

Download
memory/3952-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads