Resubmissions
15/03/2021, 18:00  210315-7f8el774a6  (score 10)

Analysis
max time kernel: 69s
max time network: 119s
platform: windows10_x64
resource: win10v20201028
submitted: 15/03/2021, 18:00

Behavioral task: behavioral1
Sample: Documents972.xlsm
Resource: win10v20201028
General
Target: Documents972.xlsm
Size: 57KB
MD5: 8c9041813c83038de85079aa49f3d936
SHA1: 6fa687e4396b933d0b4555455b55de5b8db3baf7
SHA256: c5444c7252d6e22f4a2de2168a4afeb08e1f841aeba675e6e632e2c64fcd71ca
SHA512: 9cf1431762f932a3bf4fd858496e4339443115676084b7b6d1f0ab206940277a3cba09c410e02232e1689dc50501286888de4ed62abc3f12ce6077bcb335b309
Score: 10/10
Malware Config
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3804 | 1108 | wmic.exe | 68
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1516 | 360 | regsvr32.exe | 76
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  1108 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken (42 IoCs)
  description | pid | Process
  All 42 IoCs belong to wmic.exe (PID 3804). The following sequence of 21 token adjustments was recorded twice:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3804 | wmic.exe
Suspicious use of SetWindowsHookEx (14 IoCs)
  pid | Process
  1108 | EXCEL.EXE  (14 occurrences)
Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 1108 wrote to memory of 3804 | 1108 | EXCEL.EXE | 79
  PID 1108 wrote to memory of 3804 | 1108 | EXCEL.EXE | 79
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 1108)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Documents972.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\System32\Wbem\wmic.exe  (PID 3804)
      Command line: wmic.exe process call create 'regsvr32 -s C:\Users\Public\microsoft.security'
      - Process spawned unexpected child process
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\regsvr32.exe  (PID 1516)
  Command line: regsvr32 -s C:\Users\Public\microsoft.security
  - Process spawned unexpected child process
  Listed at the top level rather than under wmic.exe: its parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 360, per the "Process spawned unexpected child process" signature above), which is not part of the tracked tree. A WMI "process call create" is carried out by the WMI provider host, so the regsvr32.exe it launches is not a direct child of wmic.exe or EXCEL.EXE even though the command line is the one wmic.exe passed in.
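The chain in the process tree above (EXCEL.EXE launching wmic.exe with `process call create`, and regsvr32.exe then appearing under wmiprvse.exe rather than under Excel) is what the "Process spawned unexpected child process" signature fires on. The following Python is an added example, not part of the sandbox report or of the sandbox vendor's rule set. It applies equivalent rules to constructed Sysmon Event ID 1 records whose PIDs and command lines mirror this report, and it stitches the broken parentage back together by matching the argument of wmic's `process call create` to the command line of the process that later appears under WmiPrvSE. The one-line "Field: value" log format, the parent PIDs of EXCEL.EXE and wmiprvse.exe, and the benign regsvr32 control record are assumptions.

```python
"""Detection rules for the Excel -> wmic -> regsvr32 chain shown in the report.

Added example; not part of the sandbox report or its vendor's rule set.
Input: constructed Sysmon Event ID 1 (ProcessCreate) records flattened to one
line each as "Field: value" pairs separated by " | " (constructed format; real
Sysmon output is XML/EVTX). PIDs 1108/3804/360/1516 and the command lines
mirror the report; the other PIDs and the benign control record are assumptions.
"""
import re
import shlex
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"wmic.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe",
           "powershell.exe", "cmd.exe", "certutil.exe"}
DLL_EXTS = (".dll", ".ocx", ".ax")
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")
# argument of `wmic process call create '<cmd>'`, quoted or bare
WMIC_CREATE_RE = re.compile(
    r"process\s+call\s+create\s+(?:(['\"])(.+?)\1|(.+?))\s*$", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def parent_name(self) -> str:
        return self.parent_image.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one flattened record; partition on the first ':' so 'C:\\' in values survives."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return ProcEvent(int(fields["ProcessId"]), int(fields["ParentProcessId"]),
                     fields["Image"], fields["CommandLine"], fields["ParentImage"])


def normalize(cmd: str) -> str:
    return " ".join(cmd.lower().split())


def loader_target(cmdline: str) -> str:
    """Last non-switch argument of a regsvr32/rundll32 command line (the file it loads)."""
    args = [a for a in shlex.split(cmdline, posix=False)[1:] if not a.startswith(("-", "/"))]
    return args[-1].strip("\"'") if args else ""


def detect(events):
    """Per-event rules; returns (rule, pid, detail) tuples in event order."""
    findings = []
    for e in events:
        # Office application launching a living-off-the-land binary (EXCEL.EXE -> wmic.exe)
        if e.parent_name in OFFICE_APPS and e.name in LOLBINS:
            findings.append(("office_spawns_lolbin", e.pid, f"{e.parent_name} -> {e.name}"))
        # wmic creating a process: the child is parented to WmiPrvSE.exe, not to wmic
        m = WMIC_CREATE_RE.search(e.cmdline) if e.name == "wmic.exe" else None
        if m:
            findings.append(("wmic_process_call_create", e.pid, m.group(2) or m.group(3)))
        # the other end of that trick: the WMI provider host spawning a LOLBin
        if e.parent_name == "wmiprvse.exe" and e.name in LOLBINS:
            findings.append(("wmiprvse_spawns_lolbin", e.pid, e.name))
        # regsvr32/rundll32 loading a file without a DLL extension or from a user-writable path
        if e.name in ("regsvr32.exe", "rundll32.exe"):
            target = loader_target(e.cmdline)
            low = target.lower()
            if target and (not low.endswith(DLL_EXTS) or any(d in low for d in USER_WRITABLE)):
                findings.append(("loader_odd_target", e.pid, target))
    return findings


def reconstruct_chains(events):
    """Match wmic's 'process call create' argument to the command line of another
    process and report (origin name, origin pid, wmic pid, created pid, created name)."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        m = WMIC_CREATE_RE.search(e.cmdline) if e.name == "wmic.exe" else None
        if not m:
            continue
        wanted = normalize(m.group(2) or m.group(3))
        origin = by_pid.get(e.ppid)
        for child in events:
            if child.pid != e.pid and normalize(child.cmdline) == wanted:
                chains.append((origin.name if origin else "?", e.ppid, e.pid, child.pid, child.name))
    return chains


SAMPLE_EVENTS = [  # constructed records; see module docstring
    r"ProcessId: 1108 | ParentProcessId: 4040 | Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
    r' | CommandLine: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Documents972.xlsm"'
    r" | ParentImage: C:\Windows\explorer.exe",
    r"ProcessId: 3804 | ParentProcessId: 1108 | Image: C:\Windows\System32\Wbem\wmic.exe"
    r" | CommandLine: wmic.exe process call create 'regsvr32 -s C:\Users\Public\microsoft.security'"
    r" | ParentImage: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
    r"ProcessId: 360 | ParentProcessId: 700 | Image: C:\Windows\system32\wbem\wmiprvse.exe"
    r" | CommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"
    r" | ParentImage: C:\Windows\system32\svchost.exe",
    r"ProcessId: 1516 | ParentProcessId: 360 | Image: C:\Windows\system32\regsvr32.exe"
    r" | CommandLine: regsvr32 -s C:\Users\Public\microsoft.security"
    r" | ParentImage: C:\Windows\system32\wbem\wmiprvse.exe",
    # benign control (assumed): an installer registering a real DLL from Program Files
    r"ProcessId: 5000 | ParentProcessId: 4800 | Image: C:\Windows\System32\regsvr32.exe"
    r' | CommandLine: regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'
    r" | ParentImage: C:\Windows\System32\msiexec.exe",
]


def run_sample():
    evs = [parse_event(line) for line in SAMPLE_EVENTS]
    return detect(evs), reconstruct_chains(evs)


if __name__ == "__main__":
    findings, chains = run_sample()
    for rule, pid, detail in findings:
        print(f"{rule:26} pid={pid:<5} {detail}")
    for origin, opid, wpid, cpid, cname in chains:
        print(f"chain: {origin}({opid}) -> wmic.exe({wpid}) -> {cname}({cpid}) [via WmiPrvSE]")
```

On the sample the four rules fire only on PIDs 3804 and 1516, the benign regsvr32 record stays quiet, and the chain rule reports excel.exe(1108) -> wmic.exe(3804) -> regsvr32.exe(1516). The chain rule is the part worth keeping in a real pipeline: a parent-child rule alone sees wmiprvse.exe -> regsvr32.exe, which is noisy on hosts with WMI-based management, whereas matching the created command line back to a wmic invocation under an Office parent is specific to this technique.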