5b029d35e3b26016449753fa274b30071f7e7857b0f07af97d9d0dfed828e581

General

Target

Copy 7739588.xlsm
Size

201KB
MD5

afb5ae0f3a9992fdd329d5353d5faf3d
SHA1

f7900c280982426cf5b69c56500e5c1a3bfa3149
SHA256

5b029d35e3b26016449753fa274b30071f7e7857b0f07af97d9d0dfed828e581
SHA512

8d030af621f5d0370daf98912b69a88f353f8e7e6676a760cf66e6b927aa783dc124f9ad67ef2b103f1a105fe1f4c861ab57971e274072607466ef449c0e8a43

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmic.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2124 1972 wmic.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1972	wmic.exe

Blocklisted process makes network request 11 IoCs

Processes:

wmic.exe

flow	pid	process
32	2124	wmic.exe
34	2124	wmic.exe
36	2124	wmic.exe
38	2124	wmic.exe
40	2124	wmic.exe
42	2124	wmic.exe
44	2124	wmic.exe
46	2124	wmic.exe
48	2124	wmic.exe
50	2124	wmic.exe
51	2124	wmic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wmic.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wmic.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wmic.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3116 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2124	wmic.exe
Token: SeSecurityPrivilege	2124	wmic.exe
Token: SeTakeOwnershipPrivilege	2124	wmic.exe
Token: SeLoadDriverPrivilege	2124	wmic.exe
Token: SeSystemProfilePrivilege	2124	wmic.exe
Token: SeSystemtimePrivilege	2124	wmic.exe
Token: SeProfSingleProcessPrivilege	2124	wmic.exe
Token: SeIncBasePriorityPrivilege	2124	wmic.exe
Token: SeCreatePagefilePrivilege	2124	wmic.exe
Token: SeBackupPrivilege	2124	wmic.exe
Token: SeRestorePrivilege	2124	wmic.exe
Token: SeShutdownPrivilege	2124	wmic.exe
Token: SeDebugPrivilege	2124	wmic.exe
Token: SeSystemEnvironmentPrivilege	2124	wmic.exe
Token: SeRemoteShutdownPrivilege	2124	wmic.exe
Token: SeUndockPrivilege	2124	wmic.exe
Token: SeManageVolumePrivilege	2124	wmic.exe
Token: 33	2124	wmic.exe
Token: 34	2124	wmic.exe
Token: 35	2124	wmic.exe
Token: 36	2124	wmic.exe
Token: SeIncreaseQuotaPrivilege	2124	wmic.exe
Token: SeSecurityPrivilege	2124	wmic.exe
Token: SeTakeOwnershipPrivilege	2124	wmic.exe
Token: SeLoadDriverPrivilege	2124	wmic.exe
Token: SeSystemProfilePrivilege	2124	wmic.exe
Token: SeSystemtimePrivilege	2124	wmic.exe
Token: SeProfSingleProcessPrivilege	2124	wmic.exe
Token: SeIncBasePriorityPrivilege	2124	wmic.exe
Token: SeCreatePagefilePrivilege	2124	wmic.exe
Token: SeBackupPrivilege	2124	wmic.exe
Token: SeRestorePrivilege	2124	wmic.exe
Token: SeShutdownPrivilege	2124	wmic.exe
Token: SeDebugPrivilege	2124	wmic.exe
Token: SeSystemEnvironmentPrivilege	2124	wmic.exe
Token: SeRemoteShutdownPrivilege	2124	wmic.exe
Token: SeUndockPrivilege	2124	wmic.exe
Token: SeManageVolumePrivilege	2124	wmic.exe
Token: 33	2124	wmic.exe
Token: 34	2124	wmic.exe
Token: 35	2124	wmic.exe
Token: 36	2124	wmic.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wmic.exe

description pid process target process

PID 2124 wrote to memory of 2200 2124 wmic.exe rundll32.exe
PID 2124 wrote to memory of 2200 2124 wmic.exe rundll32.exe

description	pid	process	target process
PID 2124 wrote to memory of 2200	2124	wmic.exe	rundll32.exe
PID 2124 wrote to memory of 2200	2124	wmic.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Copy 7739588.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3116

C:\Windows\system32\wbem\wmic.exe
wmic os get /format:"C:\Users\Admin\AppData\Roaming\45CF7.xsl"
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//g4921.dll JsRelease
2⤵
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\45CF7.xsl
MD5
ff781c740c3cd774b3013d7a6c542dde

SHA1
e0066536e248f9b3d61abf28992d2b18f2bfb34e

SHA256
5c89f380540741e7b95d594a1c42ed7871ed5bc52aa13c87ff98a79eed4275ea

SHA512
bec8957a04f548e46fe4c05f2509edc02e4142b97a6200f9d5cbf9e76306e34ab6be17cd13aba6da9183679480264c413e70244070621ae5ff23a1b85e964507

Download Submit
C:\Windows\Temp\g4921.dll
MD5
0357aa49ea850b11b99d09a2479c321b

SHA1
41472ba5c40f61fa1c77c42cf06248f13b8785f0

SHA256
0ff0b7fcb090c65d0bdcb2af4bbd2c30f33356b3ce9b117186fa20391ef840a3

SHA512
a317a0f035b8dff7ca60c76b0b75698a3528fd4c7c5e915292c982d2b38c1c937c318362c891e93bee6fdb1b166764d7183140a837fd23daa2be3d2dac5a5dfc

Download Submit
memory/2200-9-0x0000000000000000-mapping.dmp

Download
memory/3116-2-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

Filesize
64KB

Download
memory/3116-3-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

Filesize
64KB

Download
memory/3116-4-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

Filesize
64KB

Download
memory/3116-5-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

Filesize
64KB

Download
memory/3116-6-0x00007FF81FAA0000-0x00007FF8200D7000-memory.dmp

Filesize
6.2MB

Download
memory/3116-7-0x000002BD37CB0000-0x000002BD37CB4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads