Analysis
- max time kernel: 112s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 13-10-2021 15:05
Behavioral task: behavioral1
- Sample: Invoice-630405_20211013.xlsb
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Invoice-630405_20211013.xlsb
- Resource: win10-en-20210920
General
- Target: Invoice-630405_20211013.xlsb
- Size: 283KB
- MD5: 4a017ea95998067010e773e0047643c8
- SHA1: c4c6344280074cc96f7ccfbe99c9c2483c5cbe50
- SHA256: 08d2efae12306032ed57faac347ddfade5192a382612014409216497e6e3ff51
- SHA512: f31a6267a53c35535716e7a162fc4ddd3582b98a7444f4a3cf70226fce1f7adb28cbbab9c16b08b730111c43d9556778074cfe4baa0d00516503750fc13cf5ea
Malware Config
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: wmic.exe, mshta.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2868 | 2160 | wmic.exe | EXCEL.EXE
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3532 | 4040 | mshta.exe |
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid | process
  2160 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes: wmic.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 2868 | wmic.exe
  Token: SeSecurityPrivilege | 2868 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 2868 | wmic.exe
  Token: SeLoadDriverPrivilege | 2868 | wmic.exe
  Token: SeSystemProfilePrivilege | 2868 | wmic.exe
  Token: SeSystemtimePrivilege | 2868 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 2868 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 2868 | wmic.exe
  Token: SeCreatePagefilePrivilege | 2868 | wmic.exe
  Token: SeBackupPrivilege | 2868 | wmic.exe
  Token: SeRestorePrivilege | 2868 | wmic.exe
  Token: SeShutdownPrivilege | 2868 | wmic.exe
  Token: SeDebugPrivilege | 2868 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 2868 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 2868 | wmic.exe
  Token: SeUndockPrivilege | 2868 | wmic.exe
  Token: SeManageVolumePrivilege | 2868 | wmic.exe
  Token: 33 | 2868 | wmic.exe
  Token: 34 | 2868 | wmic.exe
  Token: 35 | 2868 | wmic.exe
  Token: 36 | 2868 | wmic.exe
  (Each of the 21 entries above is recorded twice in the report, giving 42 IoCs.)
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes: EXCEL.EXE
  pid | process
  2160 | EXCEL.EXE (recorded 14 times)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: EXCEL.EXE
  description | pid | process | target process
  PID 2160 wrote to memory of 2868 | 2160 | EXCEL.EXE | wmic.exe
  PID 2160 wrote to memory of 2868 | 2160 | EXCEL.EXE | wmic.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice-630405_20211013.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe (child of EXCEL.EXE)
    Command line: wmic process call create 'mshta C:\ProgramData\ubZVowtaYzhCZEz.rtf'
    - Process spawned unexpected child process
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\mshta.exe
  Command line: mshta C:\ProgramData\ubZVowtaYzhCZEz.rtf
  - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\ubZVowtaYzhCZEz.rtf
  MD5: cdc72376df95397e44787c6683ba2485
  SHA1: 5cbc8724c3444eaa2d5b17e299e2ab9de136ad68
  SHA256: 451408c55bfd913a8f1f295a58a6dc20c9bfef11adacf3988597dc728c05ca40
  SHA512: 2380e4e0b449f0c8997af44251f26d0c32ce48d01431e6cc31c6c1d20ec9fb8cc28fd32504d529074ed2bb4059f01f217ac56578cc6917d4f20c01b6f0095532
- memory/2160-115-0x00007FF937A30000-0x00007FF937A40000-memory.dmp (Filesize: 64KB)
- memory/2160-116-0x00007FF937A30000-0x00007FF937A40000-memory.dmp (Filesize: 64KB)
- memory/2160-117-0x00007FF937A30000-0x00007FF937A40000-memory.dmp (Filesize: 64KB)
- memory/2160-118-0x00007FF937A30000-0x00007FF937A40000-memory.dmp (Filesize: 64KB)
- memory/2160-119-0x0000026AA9A40000-0x0000026AA9A42000-memory.dmp (Filesize: 8KB)
- memory/2160-120-0x0000026AA9A40000-0x0000026AA9A42000-memory.dmp (Filesize: 8KB)
- memory/2160-121-0x00007FF937A30000-0x00007FF937A40000-memory.dmp (Filesize: 64KB)
- memory/2160-122-0x0000026AA9A40000-0x0000026AA9A42000-memory.dmp (Filesize: 8KB)
- memory/2160-128-0x00007FF934D50000-0x00007FF934D60000-memory.dmp (Filesize: 64KB)
- memory/2160-129-0x00007FF934D50000-0x00007FF934D60000-memory.dmp (Filesize: 64KB)
- memory/2868-284-0x0000000000000000-mapping.dmp