2355f05bca712ce31b1fef911395862eb34e73db7a3ca0a6bee2664024e47518

General

Target

SpaceX Starbase Invite.xlsm
Size

242KB
MD5

b46aa5f81d293bc7791a720b6447d01f
SHA1

a8ab19110c407b6e04e460fa8bc33685868a026d
SHA256

2355f05bca712ce31b1fef911395862eb34e73db7a3ca0a6bee2664024e47518
SHA512

8c3b80ff99948aa1f67ed9b6a9c5b2b1225b9246b71b7a8f97661bd054339f67e82aa7f118fed8462ce20ff1a58d9f07cb07c91f1220ac48d8fd1502f1be1e93

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmic.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2212 3540 wmic.exe
Blocklisted process makes network request 2 IoCs

Processes:

wmic.exe

flow pid process

31 2212 wmic.exe
33 2212 wmic.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	3540	wmic.exe

flow	pid	process
31	2212	wmic.exe
33	2212	wmic.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wmic.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wmic.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wmic.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1456 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2212	wmic.exe
Token: SeSecurityPrivilege	2212	wmic.exe
Token: SeTakeOwnershipPrivilege	2212	wmic.exe
Token: SeLoadDriverPrivilege	2212	wmic.exe
Token: SeSystemProfilePrivilege	2212	wmic.exe
Token: SeSystemtimePrivilege	2212	wmic.exe
Token: SeProfSingleProcessPrivilege	2212	wmic.exe
Token: SeIncBasePriorityPrivilege	2212	wmic.exe
Token: SeCreatePagefilePrivilege	2212	wmic.exe
Token: SeBackupPrivilege	2212	wmic.exe
Token: SeRestorePrivilege	2212	wmic.exe
Token: SeShutdownPrivilege	2212	wmic.exe
Token: SeDebugPrivilege	2212	wmic.exe
Token: SeSystemEnvironmentPrivilege	2212	wmic.exe
Token: SeRemoteShutdownPrivilege	2212	wmic.exe
Token: SeUndockPrivilege	2212	wmic.exe
Token: SeManageVolumePrivilege	2212	wmic.exe
Token: 33	2212	wmic.exe
Token: 34	2212	wmic.exe
Token: 35	2212	wmic.exe
Token: 36	2212	wmic.exe
Token: SeIncreaseQuotaPrivilege	2212	wmic.exe
Token: SeSecurityPrivilege	2212	wmic.exe
Token: SeTakeOwnershipPrivilege	2212	wmic.exe
Token: SeLoadDriverPrivilege	2212	wmic.exe
Token: SeSystemProfilePrivilege	2212	wmic.exe
Token: SeSystemtimePrivilege	2212	wmic.exe
Token: SeProfSingleProcessPrivilege	2212	wmic.exe
Token: SeIncBasePriorityPrivilege	2212	wmic.exe
Token: SeCreatePagefilePrivilege	2212	wmic.exe
Token: SeBackupPrivilege	2212	wmic.exe
Token: SeRestorePrivilege	2212	wmic.exe
Token: SeShutdownPrivilege	2212	wmic.exe
Token: SeDebugPrivilege	2212	wmic.exe
Token: SeSystemEnvironmentPrivilege	2212	wmic.exe
Token: SeRemoteShutdownPrivilege	2212	wmic.exe
Token: SeUndockPrivilege	2212	wmic.exe
Token: SeManageVolumePrivilege	2212	wmic.exe
Token: 33	2212	wmic.exe
Token: 34	2212	wmic.exe
Token: 35	2212	wmic.exe
Token: 36	2212	wmic.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wmic.exerundll32.exe

description	pid	process	target process
PID 2212 wrote to memory of 2944	2212	wmic.exe	rundll32.exe
PID 2212 wrote to memory of 2944	2212	wmic.exe	rundll32.exe
PID 2944 wrote to memory of 2712	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 2712	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 2712	2944	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SpaceX Starbase Invite.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\system32\wbem\wmic.exe
wmic os get /format:"C:\Users\Admin\AppData\Roaming\1DF1C.xsl"
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//e2ogy.dll ValidateLog
2⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//e2ogy.dll ValidateLog
3⤵
PID:2712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1DF1C.xsl
MD5
ea71d43dea5ac0a4f1687d4b4c0f7a73

SHA1
06abfa510041b5eadaaad4aed4a196eca63f475a

SHA256
9aecdb029868fb446bad577f10695472497bb2bfe87d30b3ef13da834742efaa

SHA512
7e597efd1045738621da21c0972f46f360fe13d9988085fc29b479bb73d7de0506d6eef396eca1e6526505b5874760eaa73c1e09fcd149846306edd5bd73a40f

Download Submit
C:\Windows\Temp\e2ogy.dll
MD5
f62f3498e07e5cb35723f9e89f0748f9

SHA1
9a1324bc689c49c7480b5c423467ef1557f8c89e

SHA256
5a7af7eff2116cbca9b096161cd25b924c5ea277c7a834060b703fc3f5991a94

SHA512
39fa805e04a349003cd7ffefccec7bc8db27ff8916fff990058b1ad2330e45b7aa967e1e6842a661fd7e8b62e58b1120be2ab817cf99bc4e7ab0ad647df2c05b

Download Submit
memory/1456-2-0x00007FFB33400000-0x00007FFB33410000-memory.dmp

Filesize
64KB

Download
memory/1456-3-0x00007FFB33400000-0x00007FFB33410000-memory.dmp

Filesize
64KB

Download
memory/1456-4-0x00007FFB33400000-0x00007FFB33410000-memory.dmp

Filesize
64KB

Download
memory/1456-5-0x00007FFB33400000-0x00007FFB33410000-memory.dmp

Filesize
64KB

Download
memory/1456-6-0x00007FFB59020000-0x00007FFB59657000-memory.dmp

Filesize
6.2MB

Download
memory/1456-7-0x000002029AF10000-0x000002029AF14000-memory.dmp

Filesize
16KB

Download
memory/2712-11-0x0000000000000000-mapping.dmp

Download
memory/2944-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads