Resubmissions
15-03-2021 18:00
210315-7f8el774a6 10Analysis
-
max time kernel
69s -
max time network
119s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
15-03-2021 18:00
Behavioral task
behavioral1
Sample
Documents972.xlsm
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
Documents972.xlsm
-
Size
57KB
-
MD5
8c9041813c83038de85079aa49f3d936
-
SHA1
6fa687e4396b933d0b4555455b55de5b8db3baf7
-
SHA256
c5444c7252d6e22f4a2de2168a4afeb08e1f841aeba675e6e632e2c64fcd71ca
-
SHA512
9cf1431762f932a3bf4fd858496e4339443115676084b7b6d1f0ab206940277a3cba09c410e02232e1689dc50501286888de4ed62abc3f12ce6077bcb335b309
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
wmic.exeregsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3804 1108 wmic.exe EXCEL.EXE Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1516 360 regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1108 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
wmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 3804 wmic.exe Token: SeSecurityPrivilege 3804 wmic.exe Token: SeTakeOwnershipPrivilege 3804 wmic.exe Token: SeLoadDriverPrivilege 3804 wmic.exe Token: SeSystemProfilePrivilege 3804 wmic.exe Token: SeSystemtimePrivilege 3804 wmic.exe Token: SeProfSingleProcessPrivilege 3804 wmic.exe Token: SeIncBasePriorityPrivilege 3804 wmic.exe Token: SeCreatePagefilePrivilege 3804 wmic.exe Token: SeBackupPrivilege 3804 wmic.exe Token: SeRestorePrivilege 3804 wmic.exe Token: SeShutdownPrivilege 3804 wmic.exe Token: SeDebugPrivilege 3804 wmic.exe Token: SeSystemEnvironmentPrivilege 3804 wmic.exe Token: SeRemoteShutdownPrivilege 3804 wmic.exe Token: SeUndockPrivilege 3804 wmic.exe Token: SeManageVolumePrivilege 3804 wmic.exe Token: 33 3804 wmic.exe Token: 34 3804 wmic.exe Token: 35 3804 wmic.exe Token: 36 3804 wmic.exe Token: SeIncreaseQuotaPrivilege 3804 wmic.exe Token: SeSecurityPrivilege 3804 wmic.exe Token: SeTakeOwnershipPrivilege 3804 wmic.exe Token: SeLoadDriverPrivilege 3804 wmic.exe Token: SeSystemProfilePrivilege 3804 wmic.exe Token: SeSystemtimePrivilege 3804 wmic.exe Token: SeProfSingleProcessPrivilege 3804 wmic.exe Token: SeIncBasePriorityPrivilege 3804 wmic.exe Token: SeCreatePagefilePrivilege 3804 wmic.exe Token: SeBackupPrivilege 3804 wmic.exe Token: SeRestorePrivilege 3804 wmic.exe Token: SeShutdownPrivilege 3804 wmic.exe Token: SeDebugPrivilege 3804 wmic.exe Token: SeSystemEnvironmentPrivilege 3804 wmic.exe Token: SeRemoteShutdownPrivilege 3804 wmic.exe Token: SeUndockPrivilege 3804 wmic.exe Token: SeManageVolumePrivilege 3804 wmic.exe Token: 33 3804 wmic.exe Token: 34 3804 wmic.exe Token: 35 3804 wmic.exe Token: 36 3804 wmic.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
EXCEL.EXEpid process 1108 EXCEL.EXE 1108 EXCEL.EXE 1108 EXCEL.EXE 1108 EXCEL.EXE 1108 EXCEL.EXE 1108 EXCEL.EXE 1108 EXCEL.EXE 1108 EXCEL.EXE 1108 EXCEL.EXE 1108 EXCEL.EXE 1108 EXCEL.EXE 1108 EXCEL.EXE 1108 EXCEL.EXE 1108 EXCEL.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
EXCEL.EXEdescription pid process target process PID 1108 wrote to memory of 3804 1108 EXCEL.EXE wmic.exe PID 1108 wrote to memory of 3804 1108 EXCEL.EXE wmic.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Documents972.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\System32\Wbem\wmic.exewmic.exe process call create 'regsvr32 -s C:\Users\Public\microsoft.security'2⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:3804
-
-
C:\Windows\system32\regsvr32.exeregsvr32 -s C:\Users\Public\microsoft.security1⤵
- Process spawned unexpected child process
PID:1516