7c2dae7cfc7b469c26b14d5cf7aed0e063ab8f854c7563d1e7fca448e6827a05

General

Target

cancel_sub_JPLyeahyourenotgettingmynumber.xlsb
Size

264KB
MD5

f1b51acf675dd0973ce3ec78fd9a1859
SHA1

83e8858f1d6a849151289a7c507a740d59e5da79
SHA256

7c2dae7cfc7b469c26b14d5cf7aed0e063ab8f854c7563d1e7fca448e6827a05
SHA512

9ce754214b348348fbdbdc933a61c9f01646f8021769c1c683fe1eb7d5af59e22950226233244cd7f304944164b46a55d708a668e01cf115085466357b766b43

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3588	644	cmd.exe	EXCEL.EXE

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1252 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1264 1252 WerFault.exe rundll32.exe

pid	process
1252	rundll32.exe

pid	pid_target	process	target process
1264	1252	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

644 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1264 WerFault.exe
Token: SeBackupPrivilege 1264 WerFault.exe
Token: SeDebugPrivilege 1264 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1264	WerFault.exe
Token: SeBackupPrivilege	1264	WerFault.exe
Token: SeDebugPrivilege	1264	WerFault.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

EXCEL.EXE

pid	process
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exe

description	pid	process	target process
PID 644 wrote to memory of 2368	644	EXCEL.EXE	splwow64.exe
PID 644 wrote to memory of 2368	644	EXCEL.EXE	splwow64.exe
PID 644 wrote to memory of 3588	644	EXCEL.EXE	cmd.exe
PID 644 wrote to memory of 3588	644	EXCEL.EXE	cmd.exe
PID 3588 wrote to memory of 1940	3588	cmd.exe	certutil.exe
PID 3588 wrote to memory of 1940	3588	cmd.exe	certutil.exe
PID 3588 wrote to memory of 3460	3588	cmd.exe	rundll32.exe
PID 3588 wrote to memory of 3460	3588	cmd.exe	rundll32.exe
PID 3460 wrote to memory of 1252	3460	rundll32.exe	rundll32.exe
PID 3460 wrote to memory of 1252	3460	rundll32.exe	rundll32.exe
PID 3460 wrote to memory of 1252	3460	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\cancel_sub_JPLyeahyourenotgettingmynumber.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2368

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c certutil -decode C:\Users\Public\4802545.xs1 C:\Users\Public\4802545.xs2 && rundll32 C:\Users\Public\4802545.xs2,DF1
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Public\4802545.xs1 C:\Users\Public\4802545.xs2
3⤵
PID:1940

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Public\4802545.xs2,DF1
3⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\4802545.xs2,DF1
4⤵
- Loads dropped DLL
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 820
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\4802545.xs1

MD5
e3c91eeeec07ed08ff35991cd1f8926d

SHA1
7f4b8b7a2968977de612be4938e4d2563b388884

SHA256
975509717b69e7c6dc7e20ac3421f710591df6b8b08f1fd93b042e44403db0b9

SHA512
389f20e6f01a0a6707ad2aadce542612b3fbefeb7a586d140a471f765c84a1ec55ae19f1c4bef8d353881e1fdb16f2ae33cd9cfb3aae342f10628e54b51246da

Download Submit
C:\Users\Public\4802545.xs2

MD5
cfb94c893280fd1edd40a4c74031727a

SHA1
9bf1f365e14842621854282f976b890478816a77

SHA256
3205ebcea1f138f0171ff3815d594883805b4af48a24bc0d6228d0b0ee12ddb4

SHA512
31b573054e5963c939cab24b48a8610f757ea94eba21c5101f2df3ffd8fc3120327795692feda7d448091a93b4befb389eed48e17662d7f2e3b19cc441a56988

Download Submit
\Users\Public\4802545.xs2

MD5
cfb94c893280fd1edd40a4c74031727a

SHA1
9bf1f365e14842621854282f976b890478816a77

SHA256
3205ebcea1f138f0171ff3815d594883805b4af48a24bc0d6228d0b0ee12ddb4

SHA512
31b573054e5963c939cab24b48a8610f757ea94eba21c5101f2df3ffd8fc3120327795692feda7d448091a93b4befb389eed48e17662d7f2e3b19cc441a56988

Download Submit
memory/644-117-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/644-118-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/644-121-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/644-122-0x00007FFA0F210000-0x00007FFA102FE000-memory.dmp

Filesize
16.9MB

Download
memory/644-123-0x00007FFA0D310000-0x00007FFA0F205000-memory.dmp

Filesize
31.0MB

Download
memory/644-114-0x00007FF736BA0000-0x00007FF73A156000-memory.dmp

Filesize
53.7MB

Download
memory/644-116-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/644-115-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/1252-185-0x0000000000000000-mapping.dmp

Download
memory/1940-181-0x0000000000000000-mapping.dmp

Download
memory/2368-179-0x0000000000000000-mapping.dmp

Download
memory/3460-183-0x0000000000000000-mapping.dmp

Download
memory/3588-180-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads