e54e2798f937775cf8e763c8a57ad5401c273bb4dc5893302796937658762e4c

General

Target

Invoice 7739588.xlsm
Size

208KB
MD5

18bda253da854f2ee726961804cb1d81
SHA1

681ce3158dafcc760c247753dfa449e38935275c
SHA256

e54e2798f937775cf8e763c8a57ad5401c273bb4dc5893302796937658762e4c
SHA512

844adfec03231c29e36a3eb827a430d058f488cce5fe0c0ad9ba5d74205718d0891eadedd0208cec418ccbe0daace2b205b495bb6128bf06579841e7c94958bb

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmic.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3680 3056 wmic.exe
Blocklisted process makes network request 4 IoCs

Processes:

wmic.exe

flow pid process

31 3680 wmic.exe
33 3680 wmic.exe
35 3680 wmic.exe
36 3680 wmic.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	3056	wmic.exe

flow	pid	process
31	3680	wmic.exe
33	3680	wmic.exe
35	3680	wmic.exe
36	3680	wmic.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wmic.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wmic.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wmic.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

496 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3680	wmic.exe
Token: SeSecurityPrivilege	3680	wmic.exe
Token: SeTakeOwnershipPrivilege	3680	wmic.exe
Token: SeLoadDriverPrivilege	3680	wmic.exe
Token: SeSystemProfilePrivilege	3680	wmic.exe
Token: SeSystemtimePrivilege	3680	wmic.exe
Token: SeProfSingleProcessPrivilege	3680	wmic.exe
Token: SeIncBasePriorityPrivilege	3680	wmic.exe
Token: SeCreatePagefilePrivilege	3680	wmic.exe
Token: SeBackupPrivilege	3680	wmic.exe
Token: SeRestorePrivilege	3680	wmic.exe
Token: SeShutdownPrivilege	3680	wmic.exe
Token: SeDebugPrivilege	3680	wmic.exe
Token: SeSystemEnvironmentPrivilege	3680	wmic.exe
Token: SeRemoteShutdownPrivilege	3680	wmic.exe
Token: SeUndockPrivilege	3680	wmic.exe
Token: SeManageVolumePrivilege	3680	wmic.exe
Token: 33	3680	wmic.exe
Token: 34	3680	wmic.exe
Token: 35	3680	wmic.exe
Token: 36	3680	wmic.exe
Token: SeIncreaseQuotaPrivilege	3680	wmic.exe
Token: SeSecurityPrivilege	3680	wmic.exe
Token: SeTakeOwnershipPrivilege	3680	wmic.exe
Token: SeLoadDriverPrivilege	3680	wmic.exe
Token: SeSystemProfilePrivilege	3680	wmic.exe
Token: SeSystemtimePrivilege	3680	wmic.exe
Token: SeProfSingleProcessPrivilege	3680	wmic.exe
Token: SeIncBasePriorityPrivilege	3680	wmic.exe
Token: SeCreatePagefilePrivilege	3680	wmic.exe
Token: SeBackupPrivilege	3680	wmic.exe
Token: SeRestorePrivilege	3680	wmic.exe
Token: SeShutdownPrivilege	3680	wmic.exe
Token: SeDebugPrivilege	3680	wmic.exe
Token: SeSystemEnvironmentPrivilege	3680	wmic.exe
Token: SeRemoteShutdownPrivilege	3680	wmic.exe
Token: SeUndockPrivilege	3680	wmic.exe
Token: SeManageVolumePrivilege	3680	wmic.exe
Token: 33	3680	wmic.exe
Token: 34	3680	wmic.exe
Token: 35	3680	wmic.exe
Token: 36	3680	wmic.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE
496	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wmic.exe

description pid process target process

PID 3680 wrote to memory of 2596 3680 wmic.exe rundll32.exe
PID 3680 wrote to memory of 2596 3680 wmic.exe rundll32.exe

description	pid	process	target process
PID 3680 wrote to memory of 2596	3680	wmic.exe	rundll32.exe
PID 3680 wrote to memory of 2596	3680	wmic.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice 7739588.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:496

C:\Windows\system32\wbem\wmic.exe
wmic os get /format:"C:\Users\Admin\AppData\Roaming\28BF0.xsl"
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//8ustc.dll JsRelease
2⤵
PID:2596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\28BF0.xsl
MD5
63545b68e9fd6687e07dab16098cd7b0

SHA1
0dcb7d7062b932f28463def7175edd45652f2614

SHA256
a35781e3e5367c1ad05fdb7049d2485c70a9259910024310486e9f12c386abae

SHA512
502b6715af0cc31c81d9ecdd099d553330d503972dd13e56e4e3f57ecf4f2ec792b21252eb0f48bffefeb059b838a402b1abc7496b789e05ec31068fb4621e25

Download Submit
C:\Windows\Temp\8ustc.dll
MD5
f80a7e6f9d5b95e9a03bf741ebe6abde

SHA1
fe2bc895cb4f2b816571c6da5369f70632a0f86d

SHA256
f9d13e8e39271125a466af1451788409e1d33deb49b5422f3033927170b4caaf

SHA512
2e560df4e4986a9963b2e83ee93742478052e3d1af716f1d770166ffc4e632887238963f4e6ca4e89710b984b66b2800ed5b8460606b2784f592d79cbe00b7d3

Download Submit
memory/496-2-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-3-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-4-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-5-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-6-0x00007FF808F50000-0x00007FF809587000-memory.dmp

Filesize
6.2MB

Download
memory/496-7-0x000001D7B6640000-0x000001D7B6644000-memory.dmp

Filesize
16KB

Download
memory/2596-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads