bc64eb93cd133670e5e997bdee03928d2408281ed8f07142ee13371da5352f88

General

Target

subscription_1617898525.xlsb
Size

250KB
MD5

9d39f307b0d6276450038cca7568b2cc
SHA1

72d0c43d84791c50e600d85e6deb2b9021cf7056
SHA256

bc64eb93cd133670e5e997bdee03928d2408281ed8f07142ee13371da5352f88
SHA512

17e98e6da13405142295953f6deb0cd7d44751bf83a22833a7b9747e21ae46630c1edb7d176edcd21f14428182135db181153a06ddd9e3fc70246514f6f1f127

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4024	4812	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

29 4540 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4540 rundll32.exe

flow	pid	process
29	4540	rundll32.exe

pid	process
4540	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4812 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exe

description	pid	process	target process
PID 4812 wrote to memory of 4024	4812	EXCEL.EXE	cmd.exe
PID 4812 wrote to memory of 4024	4812	EXCEL.EXE	cmd.exe
PID 4024 wrote to memory of 2224	4024	cmd.exe	certutil.exe
PID 4024 wrote to memory of 2224	4024	cmd.exe	certutil.exe
PID 4024 wrote to memory of 4576	4024	cmd.exe	rundll32.exe
PID 4024 wrote to memory of 4576	4024	cmd.exe	rundll32.exe
PID 4576 wrote to memory of 4540	4576	rundll32.exe	rundll32.exe
PID 4576 wrote to memory of 4540	4576	rundll32.exe	rundll32.exe
PID 4576 wrote to memory of 4540	4576	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\subscription_1617898525.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\14118.doy %PUBLIC%\14118.biy && rundll32 %PUBLIC%\14118.biy,DF1
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Public\14118.doy C:\Users\Public\14118.biy
3⤵
PID:2224

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Public\14118.biy,DF1
3⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\14118.biy,DF1
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\14118.biy

MD5
0d90eb265cfe49b20037673845bd0c3c

SHA1
6d8fb0ff1aba664991336f039a2cc4451a6160cc

SHA256
acc4ef33e4725fa9b3b1481a30b9ab2790badf06eb8bdc0db5d4cd550f16c6cc

SHA512
64a2a8fc352760907e36373dea7d1ee4867e7d569da44360069ca862161504769e35b08dc557d0aefbc0f15d5be83c996dae9b665540d36b255ed430798cb62d

Download Submit
C:\Users\Public\14118.doy

MD5
61f9ff7edf0a1ff6888e541124226553

SHA1
171fcc225b737185dcb63a7980e7568b3a80f88a

SHA256
5b76d927fc8fbce5d669a8388858986e2b4533176144d08497f5b58672db12fb

SHA512
9cc04bf336b90aeeb9b4a93185dde1173f968f2fb8b9f974c2fbd74d2f2dde499be8058050fed96887439140bb000da368feb48e7f89b3a6ccbbdcf0e4532350

Download Submit
\Users\Public\14118.biy

MD5
0d90eb265cfe49b20037673845bd0c3c

SHA1
6d8fb0ff1aba664991336f039a2cc4451a6160cc

SHA256
acc4ef33e4725fa9b3b1481a30b9ab2790badf06eb8bdc0db5d4cd550f16c6cc

SHA512
64a2a8fc352760907e36373dea7d1ee4867e7d569da44360069ca862161504769e35b08dc557d0aefbc0f15d5be83c996dae9b665540d36b255ed430798cb62d

Download Submit
memory/2224-180-0x0000000000000000-mapping.dmp

Download
memory/4024-179-0x0000000000000000-mapping.dmp

Download
memory/4540-184-0x0000000000000000-mapping.dmp

Download
memory/4576-182-0x0000000000000000-mapping.dmp

Download
memory/4812-115-0x00007FFA3D590000-0x00007FFA3D5A0000-memory.dmp

Filesize
64KB

Download
memory/4812-123-0x000001C641760000-0x000001C643655000-memory.dmp

Filesize
31.0MB

Download
memory/4812-122-0x00007FFA5DB60000-0x00007FFA5EC4E000-memory.dmp

Filesize
16.9MB

Download
memory/4812-119-0x00007FFA3D590000-0x00007FFA3D5A0000-memory.dmp

Filesize
64KB

Download
memory/4812-118-0x00007FFA3D590000-0x00007FFA3D5A0000-memory.dmp

Filesize
64KB

Download
memory/4812-114-0x00007FF69C7A0000-0x00007FF69FD56000-memory.dmp

Filesize
53.7MB

Download
memory/4812-116-0x00007FFA3D590000-0x00007FFA3D5A0000-memory.dmp

Filesize
64KB

Download
memory/4812-117-0x00007FFA3D590000-0x00007FFA3D5A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads