Documents972.xlsm

General
Target

Documents972.xlsm

Filesize

57KB

Completed

15-03-2021 18:02

Score
10 /10
MD5

8c9041813c83038de85079aa49f3d936

SHA1

6fa687e4396b933d0b4555455b55de5b8db3baf7

SHA256

c5444c7252d6e22f4a2de2168a4afeb08e1f841aeba675e6e632e2c64fcd71ca

Malware Config
Signatures 7

Filter: none

Discovery
  • Process spawned unexpected child process
    wmic.exeregsvr32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    descriptionpidpid_targetprocesstarget process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process38041108wmic.exeEXCEL.EXE
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process1516360regsvr32.exe
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameStringEXCEL.EXE
    Key opened\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0EXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHzEXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKUEXCEL.EXE
    Key opened\REGISTRY\MACHINE\Hardware\Description\System\BIOSEXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamilyEXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pidprocess
    1108EXCEL.EXE
  • Suspicious use of AdjustPrivilegeToken
    wmic.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeIncreaseQuotaPrivilege3804wmic.exe
    Token: SeSecurityPrivilege3804wmic.exe
    Token: SeTakeOwnershipPrivilege3804wmic.exe
    Token: SeLoadDriverPrivilege3804wmic.exe
    Token: SeSystemProfilePrivilege3804wmic.exe
    Token: SeSystemtimePrivilege3804wmic.exe
    Token: SeProfSingleProcessPrivilege3804wmic.exe
    Token: SeIncBasePriorityPrivilege3804wmic.exe
    Token: SeCreatePagefilePrivilege3804wmic.exe
    Token: SeBackupPrivilege3804wmic.exe
    Token: SeRestorePrivilege3804wmic.exe
    Token: SeShutdownPrivilege3804wmic.exe
    Token: SeDebugPrivilege3804wmic.exe
    Token: SeSystemEnvironmentPrivilege3804wmic.exe
    Token: SeRemoteShutdownPrivilege3804wmic.exe
    Token: SeUndockPrivilege3804wmic.exe
    Token: SeManageVolumePrivilege3804wmic.exe
    Token: 333804wmic.exe
    Token: 343804wmic.exe
    Token: 353804wmic.exe
    Token: 363804wmic.exe
    Token: SeIncreaseQuotaPrivilege3804wmic.exe
    Token: SeSecurityPrivilege3804wmic.exe
    Token: SeTakeOwnershipPrivilege3804wmic.exe
    Token: SeLoadDriverPrivilege3804wmic.exe
    Token: SeSystemProfilePrivilege3804wmic.exe
    Token: SeSystemtimePrivilege3804wmic.exe
    Token: SeProfSingleProcessPrivilege3804wmic.exe
    Token: SeIncBasePriorityPrivilege3804wmic.exe
    Token: SeCreatePagefilePrivilege3804wmic.exe
    Token: SeBackupPrivilege3804wmic.exe
    Token: SeRestorePrivilege3804wmic.exe
    Token: SeShutdownPrivilege3804wmic.exe
    Token: SeDebugPrivilege3804wmic.exe
    Token: SeSystemEnvironmentPrivilege3804wmic.exe
    Token: SeRemoteShutdownPrivilege3804wmic.exe
    Token: SeUndockPrivilege3804wmic.exe
    Token: SeManageVolumePrivilege3804wmic.exe
    Token: 333804wmic.exe
    Token: 343804wmic.exe
    Token: 353804wmic.exe
    Token: 363804wmic.exe
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pidprocess
    1108EXCEL.EXE
    1108EXCEL.EXE
    1108EXCEL.EXE
    1108EXCEL.EXE
    1108EXCEL.EXE
    1108EXCEL.EXE
    1108EXCEL.EXE
    1108EXCEL.EXE
    1108EXCEL.EXE
    1108EXCEL.EXE
    1108EXCEL.EXE
    1108EXCEL.EXE
    1108EXCEL.EXE
    1108EXCEL.EXE
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1108 wrote to memory of 38041108EXCEL.EXEwmic.exe
    PID 1108 wrote to memory of 38041108EXCEL.EXEwmic.exe
Processes 3
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Documents972.xlsm"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe process call create 'regsvr32 -s C:\Users\Public\microsoft.security'
      Process spawned unexpected child process
      Suspicious use of AdjustPrivilegeToken
      PID:3804
  • C:\Windows\system32\regsvr32.exe
    regsvr32 -s C:\Users\Public\microsoft.security
    Process spawned unexpected child process
    PID:1516
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Replay Monitor
                        00:00 00:00
                        Downloads
                        • memory/1108-2-0x00007FFC22770000-0x00007FFC22780000-memory.dmp

                        • memory/1108-3-0x00007FFC22770000-0x00007FFC22780000-memory.dmp

                        • memory/1108-4-0x00007FFC22770000-0x00007FFC22780000-memory.dmp

                        • memory/1108-5-0x00007FFC48440000-0x00007FFC48A77000-memory.dmp

                        • memory/1108-6-0x00007FFC22770000-0x00007FFC22780000-memory.dmp

                        • memory/1108-8-0x00007FFC22770000-0x00007FFC22780000-memory.dmp

                        • memory/1108-9-0x00007FFC22770000-0x00007FFC22780000-memory.dmp

                        • memory/1108-10-0x00007FFC22770000-0x00007FFC22780000-memory.dmp

                        • memory/1108-11-0x00007FFC22770000-0x00007FFC22780000-memory.dmp

                        • memory/3804-7-0x0000000000000000-mapping.dmp