373f30874b0bf0abdd58ab6b4fe7f1001c651dd1336649dff47b0d877a4afb5e

General

Target

SpaceX Starbase Invite.xlsm
Size

242KB
MD5

3f8ea86cf6cf87e687b31a59e087dd7f
SHA1

ef9e0e5ac5ede2626db2bc9c0683200fc8a4813a
SHA256

373f30874b0bf0abdd58ab6b4fe7f1001c651dd1336649dff47b0d877a4afb5e
SHA512

a5b9c682fa1f8172c755a09620df394b3dbfca0e3d39eac2fd2edc08b065f7dc3405eee98c4a570301086cd1ae48586c67f6dc7603bef37d39a40dcdd4f82451

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmic.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 580 3144 wmic.exe
Blocklisted process makes network request 5 IoCs

Processes:

wmic.exe

flow pid process

30 580 wmic.exe
32 580 wmic.exe
34 580 wmic.exe
36 580 wmic.exe
37 580 wmic.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	3144	wmic.exe

flow	pid	process
30	580	wmic.exe
32	580	wmic.exe
34	580	wmic.exe
36	580	wmic.exe
37	580	wmic.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wmic.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wmic.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wmic.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

496 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	580	wmic.exe
Token: SeSecurityPrivilege	580	wmic.exe
Token: SeTakeOwnershipPrivilege	580	wmic.exe
Token: SeLoadDriverPrivilege	580	wmic.exe
Token: SeSystemProfilePrivilege	580	wmic.exe
Token: SeSystemtimePrivilege	580	wmic.exe
Token: SeProfSingleProcessPrivilege	580	wmic.exe
Token: SeIncBasePriorityPrivilege	580	wmic.exe
Token: SeCreatePagefilePrivilege	580	wmic.exe
Token: SeBackupPrivilege	580	wmic.exe
Token: SeRestorePrivilege	580	wmic.exe
Token: SeShutdownPrivilege	580	wmic.exe
Token: SeDebugPrivilege	580	wmic.exe
Token: SeSystemEnvironmentPrivilege	580	wmic.exe
Token: SeRemoteShutdownPrivilege	580	wmic.exe
Token: SeUndockPrivilege	580	wmic.exe
Token: SeManageVolumePrivilege	580	wmic.exe
Token: 33	580	wmic.exe
Token: 34	580	wmic.exe
Token: 35	580	wmic.exe
Token: 36	580	wmic.exe
Token: SeIncreaseQuotaPrivilege	580	wmic.exe
Token: SeSecurityPrivilege	580	wmic.exe
Token: SeTakeOwnershipPrivilege	580	wmic.exe
Token: SeLoadDriverPrivilege	580	wmic.exe
Token: SeSystemProfilePrivilege	580	wmic.exe
Token: SeSystemtimePrivilege	580	wmic.exe
Token: SeProfSingleProcessPrivilege	580	wmic.exe
Token: SeIncBasePriorityPrivilege	580	wmic.exe
Token: SeCreatePagefilePrivilege	580	wmic.exe
Token: SeBackupPrivilege	580	wmic.exe
Token: SeRestorePrivilege	580	wmic.exe
Token: SeShutdownPrivilege	580	wmic.exe
Token: SeDebugPrivilege	580	wmic.exe
Token: SeSystemEnvironmentPrivilege	580	wmic.exe
Token: SeRemoteShutdownPrivilege	580	wmic.exe
Token: SeUndockPrivilege	580	wmic.exe
Token: SeManageVolumePrivilege	580	wmic.exe
Token: 33	580	wmic.exe
Token: 34	580	wmic.exe
Token: 35	580	wmic.exe
Token: 36	580	wmic.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wmic.exe

description pid process target process

PID 580 wrote to memory of 2596 580 wmic.exe rundll32.exe
PID 580 wrote to memory of 2596 580 wmic.exe rundll32.exe

description	pid	process	target process
PID 580 wrote to memory of 2596	580	wmic.exe	rundll32.exe
PID 580 wrote to memory of 2596	580	wmic.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SpaceX Starbase Invite.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:496

C:\Windows\system32\wbem\wmic.exe
wmic os get /format:"C:\Users\Admin\AppData\Roaming\170D6.xsl"
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//wfvzt.dll ValidateLog
2⤵
PID:2596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\170D6.xsl
MD5
fccb97c0cc885cc8e55e2b60aad50abd

SHA1
042ac7ab02d2d5f201e4fa1be5705aa586796a45

SHA256
94a5b42f06e3bca033eb1232e6f7d08f2478c8cad3ba355c90ed8c6ddc9c6a5b

SHA512
6b3d4107da20dddd062c02894da39542fd7ae702196c2c537fa19e8c8a2bee01579d3e0bd1f6f45b386906b57d54c2f27d9cbef2261ac6c043ada5c8333c0df6

Download Submit
C:\Windows\Temp\wfvzt.dll
MD5
ffd748c37c2ef32632f9cb7cfd42bcf1

SHA1
cf075fda2b6a5c05fa4044da7a45583d90a7f22f

SHA256
8cc808ecd3e7e07c788e97905aa720b62184d81df45115e4037c309ca4d899e9

SHA512
4cddff75d555716cff14a3b33a0b91c0e6305138d92631d70a9087f34db704eb8d91861525b95408bdf25039a5914a2fd8c09ab6e29e884140962d08adcef690

Download Submit
memory/496-2-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-3-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-4-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-5-0x00007FF808F50000-0x00007FF809587000-memory.dmp

Filesize
6.2MB

Download
memory/496-6-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-7-0x000001D7B6650000-0x000001D7B6654000-memory.dmp

Filesize
16KB

Download
memory/2596-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads