Analysis
max time kernel: 139s
max time network: 132s
platform: windows10_x64
resource: win10v20201028
submitted: 08-03-2021 18:09

Static task: static1
Behavioral task: behavioral1
Sample: SpaceX Starbase Invite.xlsm
Resource: win7v20201028
Behavioral task: behavioral2
Sample: SpaceX Starbase Invite.xlsm
Resource: win10v20201028
General
Target: SpaceX Starbase Invite.xlsm
Size: 242KB
MD5: b46aa5f81d293bc7791a720b6447d01f
SHA1: a8ab19110c407b6e04e460fa8bc33685868a026d
SHA256: 2355f05bca712ce31b1fef911395862eb34e73db7a3ca0a6bee2664024e47518
SHA512: 8c3b80ff99948aa1f67ed9b6a9c5b2b1225b9246b71b7a8f97661bd054339f67e82aa7f118fed8462ce20ff1a58d9f07cb07c91f1220ac48d8fd1502f1be1e93
Malware Config
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: wmic.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2212 | 3540 | wmic.exe |

Blocklisted process makes network request (2 IoCs)
Processes: wmic.exe
flow | pid | process
31 | 2212 | wmic.exe
33 | 2212 | wmic.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Modifies system certificate store
Processes: wmic.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | wmic.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] | wmic.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: EXCEL.EXE
pid | process
1456 | EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes: wmic.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 2212 | wmic.exe
Token: SeSecurityPrivilege | 2212 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2212 | wmic.exe
Token: SeLoadDriverPrivilege | 2212 | wmic.exe
Token: SeSystemProfilePrivilege | 2212 | wmic.exe
Token: SeSystemtimePrivilege | 2212 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2212 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2212 | wmic.exe
Token: SeCreatePagefilePrivilege | 2212 | wmic.exe
Token: SeBackupPrivilege | 2212 | wmic.exe
Token: SeRestorePrivilege | 2212 | wmic.exe
Token: SeShutdownPrivilege | 2212 | wmic.exe
Token: SeDebugPrivilege | 2212 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2212 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2212 | wmic.exe
Token: SeUndockPrivilege | 2212 | wmic.exe
Token: SeManageVolumePrivilege | 2212 | wmic.exe
Token: 33 | 2212 | wmic.exe
Token: 34 | 2212 | wmic.exe
Token: 35 | 2212 | wmic.exe
Token: 36 | 2212 | wmic.exe
(The same 21 token entries are recorded a second time for pid 2212, giving 42 IoCs in total.)

Suspicious use of SetWindowsHookEx (14 IoCs)
Processes: EXCEL.EXE
pid | process
1456 | EXCEL.EXE (14 identical entries)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: wmic.exe, rundll32.exe
description | pid | process | target process
PID 2212 wrote to memory of 2944 | 2212 | wmic.exe | rundll32.exe
PID 2212 wrote to memory of 2944 | 2212 | wmic.exe | rundll32.exe
PID 2944 wrote to memory of 2712 | 2944 | rundll32.exe | rundll32.exe
PID 2944 wrote to memory of 2712 | 2944 | rundll32.exe | rundll32.exe
PID 2944 wrote to memory of 2712 | 2944 | rundll32.exe | rundll32.exe
Processes

[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SpaceX Starbase Invite.xlsm"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\wbem\wmic.exe
    Command line: wmic os get /format:"C:\Users\Admin\AppData\Roaming\1DF1C.xsl"
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//e2ogy.dll ValidateLog
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:/Windows/Temp//e2ogy.dll ValidateLog
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\1DF1C.xsl
MD5: ea71d43dea5ac0a4f1687d4b4c0f7a73
SHA1: 06abfa510041b5eadaaad4aed4a196eca63f475a
SHA256: 9aecdb029868fb446bad577f10695472497bb2bfe87d30b3ef13da834742efaa
SHA512: 7e597efd1045738621da21c0972f46f360fe13d9988085fc29b479bb73d7de0506d6eef396eca1e6526505b5874760eaa73c1e09fcd149846306edd5bd73a40f

C:\Windows\Temp\e2ogy.dll
MD5: f62f3498e07e5cb35723f9e89f0748f9
SHA1: 9a1324bc689c49c7480b5c423467ef1557f8c89e
SHA256: 5a7af7eff2116cbca9b096161cd25b924c5ea277c7a834060b703fc3f5991a94
SHA512: 39fa805e04a349003cd7ffefccec7bc8db27ff8916fff990058b1ad2330e45b7aa967e1e6842a661fd7e8b62e58b1120be2ab817cf99bc4e7ab0ad647df2c05b

Memory dumps
memory/1456-2-0x00007FFB33400000-0x00007FFB33410000-memory.dmp (Filesize 64KB)
memory/1456-3-0x00007FFB33400000-0x00007FFB33410000-memory.dmp (Filesize 64KB)
memory/1456-4-0x00007FFB33400000-0x00007FFB33410000-memory.dmp (Filesize 64KB)
memory/1456-5-0x00007FFB33400000-0x00007FFB33410000-memory.dmp (Filesize 64KB)
memory/1456-6-0x00007FFB59020000-0x00007FFB59657000-memory.dmp (Filesize 6.2MB)
memory/1456-7-0x000002029AF10000-0x000002029AF14000-memory.dmp (Filesize 16KB)
memory/2712-11-0x0000000000000000-mapping.dmp
memory/2944-9-0x0000000000000000-mapping.dmp