99bd5914039d840274690ce7223d6504d72724a3eb55dd4dfce6de855b989174

General

Target

SpaceX Starbase Invite.xlsm
Size

240KB
MD5

c203a4725a47fe34b5811a122d45733e
SHA1

6c39c1922d4f2c5b50d8431ec1b61e73b7d2731f
SHA256

99bd5914039d840274690ce7223d6504d72724a3eb55dd4dfce6de855b989174
SHA512

28b619c7ff7fd25f01a5231930c9913498c9e47056683cf98464fd48b938782c48e64f26f35401573031319da3d9f20543a61774c86710a5e3449b88063175f3

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmic.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 664 4032 wmic.exe
Blocklisted process makes network request 2 IoCs

Processes:

wmic.exe

flow pid process

29 664 wmic.exe
31 664 wmic.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	4032	wmic.exe

flow	pid	process
29	664	wmic.exe
31	664	wmic.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wmic.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wmic.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wmic.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

580 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	664	wmic.exe
Token: SeSecurityPrivilege	664	wmic.exe
Token: SeTakeOwnershipPrivilege	664	wmic.exe
Token: SeLoadDriverPrivilege	664	wmic.exe
Token: SeSystemProfilePrivilege	664	wmic.exe
Token: SeSystemtimePrivilege	664	wmic.exe
Token: SeProfSingleProcessPrivilege	664	wmic.exe
Token: SeIncBasePriorityPrivilege	664	wmic.exe
Token: SeCreatePagefilePrivilege	664	wmic.exe
Token: SeBackupPrivilege	664	wmic.exe
Token: SeRestorePrivilege	664	wmic.exe
Token: SeShutdownPrivilege	664	wmic.exe
Token: SeDebugPrivilege	664	wmic.exe
Token: SeSystemEnvironmentPrivilege	664	wmic.exe
Token: SeRemoteShutdownPrivilege	664	wmic.exe
Token: SeUndockPrivilege	664	wmic.exe
Token: SeManageVolumePrivilege	664	wmic.exe
Token: 33	664	wmic.exe
Token: 34	664	wmic.exe
Token: 35	664	wmic.exe
Token: 36	664	wmic.exe
Token: SeIncreaseQuotaPrivilege	664	wmic.exe
Token: SeSecurityPrivilege	664	wmic.exe
Token: SeTakeOwnershipPrivilege	664	wmic.exe
Token: SeLoadDriverPrivilege	664	wmic.exe
Token: SeSystemProfilePrivilege	664	wmic.exe
Token: SeSystemtimePrivilege	664	wmic.exe
Token: SeProfSingleProcessPrivilege	664	wmic.exe
Token: SeIncBasePriorityPrivilege	664	wmic.exe
Token: SeCreatePagefilePrivilege	664	wmic.exe
Token: SeBackupPrivilege	664	wmic.exe
Token: SeRestorePrivilege	664	wmic.exe
Token: SeShutdownPrivilege	664	wmic.exe
Token: SeDebugPrivilege	664	wmic.exe
Token: SeSystemEnvironmentPrivilege	664	wmic.exe
Token: SeRemoteShutdownPrivilege	664	wmic.exe
Token: SeUndockPrivilege	664	wmic.exe
Token: SeManageVolumePrivilege	664	wmic.exe
Token: 33	664	wmic.exe
Token: 34	664	wmic.exe
Token: 35	664	wmic.exe
Token: 36	664	wmic.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE
580	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wmic.exe

description pid process target process

PID 664 wrote to memory of 472 664 wmic.exe rundll32.exe
PID 664 wrote to memory of 472 664 wmic.exe rundll32.exe

description	pid	process	target process
PID 664 wrote to memory of 472	664	wmic.exe	rundll32.exe
PID 664 wrote to memory of 472	664	wmic.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SpaceX Starbase Invite.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:580

C:\Windows\system32\wbem\wmic.exe
wmic os get /format:"C:\Users\Admin\AppData\Roaming\5371.xsl"
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//ies6j.dll ValidateLog
2⤵
PID:472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5371.xsl
MD5
b67c73bf9faa4f624ccf10c32df010c9

SHA1
aec7da5f660bdc8eddcd5bc7df37b130b165c66a

SHA256
0b22a69f60a8a4ae0f891f08c6c313ea9892c223d574f7002a34781d9b69666e

SHA512
b4fe6c758621dbe9ea8e0536dc86bca85e2c7707b510cf242be738f605f05f8d90d59a8d9a15857b8f1daf69438a4285705e48266731944fd588027b56f64119

Download Submit
C:\Windows\Temp\ies6j.dll
MD5
d3683d12c3244df6134c069aefffbef3

SHA1
9cbfb9fa792513bd242857556d5970c9b5c45775

SHA256
1dd03784fbed4ca11f843771dfe7059c32100fc2506454768ceec1ffba870ec6

SHA512
441e307751fe3cdc556266d00cecec08afa3e398e91d5a3c21ad4c553a6154354ccd404e6cd04bac4b96bc56517e26a3ad2eaeaf78c8ca9974000c89e9007665

Download Submit
memory/472-9-0x0000000000000000-mapping.dmp

Download
memory/580-2-0x00007FFE76A80000-0x00007FFE76A90000-memory.dmp

Filesize
64KB

Download
memory/580-3-0x00007FFE76A80000-0x00007FFE76A90000-memory.dmp

Filesize
64KB

Download
memory/580-4-0x00007FFE76A80000-0x00007FFE76A90000-memory.dmp

Filesize
64KB

Download
memory/580-5-0x00007FFE76A80000-0x00007FFE76A90000-memory.dmp

Filesize
64KB

Download
memory/580-6-0x00007FFE99BC0000-0x00007FFE9A1F7000-memory.dmp

Filesize
6.2MB

Download
memory/580-7-0x00000251A97F0000-0x00000251A97F4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads