40b5ae97c036d45073b6edfcabbd4f5fe1a577d2e21f57282c09ebe2d32b7492

General

Target

Invoice_41292673.xlsm
Size

72KB
MD5

50269b5e8f60e3847888544e68368f3c
SHA1

3b8d2e2087d1936a6dd08013ef1c8a344dbc3515
SHA256

40b5ae97c036d45073b6edfcabbd4f5fe1a577d2e21f57282c09ebe2d32b7492
SHA512

ed2731137742827c315b2447072a40c5e0970b790397a8e43bbb5c94a4739fadd41046965b268ce2a390a9b2d2a95304df461dd8ea890a99d1613b698d3fa747

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3324	508	mshta.exe	EXCEL.EXE

Blocklisted process makes network request 5 IoCs

Processes:

mshta.exe

flow pid process

23 3324 mshta.exe
27 3324 mshta.exe
29 3324 mshta.exe
31 3324 mshta.exe
33 3324 mshta.exe

flow	pid	process
23	3324	mshta.exe
27	3324	mshta.exe
29	3324	mshta.exe
31	3324	mshta.exe
33	3324	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

508 EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXE

pid	process
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE
508	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXEmshta.exe

description	pid	process	target process
PID 508 wrote to memory of 3324	508	EXCEL.EXE	mshta.exe
PID 508 wrote to memory of 3324	508	EXCEL.EXE	mshta.exe
PID 3324 wrote to memory of 1416	3324	mshta.exe	rundll32.exe
PID 3324 wrote to memory of 1416	3324	mshta.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice_41292673.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SYSTEM32\mshta.exe
mshta C:\ProgramData//theArrowHeadWidthMedium.sct
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe C:\ProgramData\qMacrosheetCell.dll,AddLookaside
3⤵
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qMacrosheetCell.dll
MD5
4c00b843526452cad516c65e98f1c44d

SHA1
3c62f96dfe2edc0880f76fee21cc23d2bf16ed55

SHA256
ee08196e8bb719cbe8f69d33f625286907ad8728882ec1f5232ea2cd94874bc1

SHA512
d746f55b9238c5081f06599488a0b710419497a0d27e39f6e7fdeb988e3111c21629eaec490d4b0c487cf4fe0ea6bcb93a001461964c108d46ed9cdf40906fcb

Download Submit
C:\ProgramData\theArrowHeadWidthMedium.sct
MD5
51b13f4b56ba397816961014310ca8a0

SHA1
04534df3ed3cf696e4933f0bb1f99cffe4e6d4c5

SHA256
dbe391199095cc0b06885c1f5133f1ec23d8cdc48ba9973997b0ffa14ef369ab

SHA512
c71817fc6a3b58e7d132445d55530055cb7726b0294a5536b0ce0a42cdd90b756fffb1c2bf41d3b96b5c897b4e1cda68bebcf0686cf4cda62244e895d40719b9

Download Submit
memory/508-305-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/508-116-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/508-118-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/508-121-0x00007FF96F780000-0x00007FF97086E000-memory.dmp

Filesize
16.9MB

Download
memory/508-122-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/508-123-0x00000233931E0000-0x00000233950D5000-memory.dmp

Filesize
31.0MB

Download
memory/508-308-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/508-117-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/508-307-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/508-115-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/508-114-0x00007FF7611C0000-0x00007FF764776000-memory.dmp

Filesize
53.7MB

Download
memory/508-306-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp

Filesize
64KB

Download
memory/1416-283-0x0000000000000000-mapping.dmp

Download
memory/3324-279-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads