Analysis
max time kernel: 141s
max time network: 57s
platform: windows7_x64
resource: win7v20210408
submitted: 13-10-2021 16:09
Behavioral task behavioral1: sample Invoice-IOMVP.xlsb, resource win7v20210408
Behavioral task behavioral2: sample Invoice-IOMVP.xlsb, resource win10v20210408
The signatures, process tree and dumps below are from behavioral1 (windows7_x64, win7v20210408), which is why the Office paths are the 32-bit Office14 install.
General
Target: Invoice-IOMVP.xlsb
Size: 315KB
MD5: 2cab816d158d5e2d84fab6d37b377c92
SHA1: 581824c7553ad46aae4db994f80ea375d2273664
SHA256: d7105039328f0029cddf86ed266c29a4aab078fb5f04506b95922466f709a513
SHA512: 9b6a23bec6dd7945dd4d6ffd0ab00656d5b7c54dee79946d2cf969cb3f715a228697763699e15c9302d44333c6a44549452fb415dba405bad0dee9aa61635059
Malware Config
Signatures
Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 520 | 1892 | wmic.exe | EXCEL.EXE
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 556 | 896 | mshta.exe | (none listed; wmiprvse.exe was not a traced process)
Note the second row: the OS parent of mshta.exe is wmiprvse.exe, the WMI provider host, not wmic.exe and not EXCEL.EXE. `wmic process call create` asks WMI to create the process, so the launch is performed by wmiprvse.exe and the direct Office-to-mshta parent/child relationship never exists. Detections keyed only on "Office application spawns mshta.exe" will not fire on this chain; the wmic.exe child of EXCEL.EXE and the wmiprvse.exe parent of mshta.exe are the two events to correlate.
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Modifies Internet Explorer settings (10 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
The nine EXCEL.EXE entries are Office registering its own Internet Explorer context-menu extensions ("Send to OneNote", "Export to Microsoft Excel") on first run of a fresh profile and are not attributable to the document. The only entry from the payload side is mshta.exe creating Internet Explorer\Main, which is expected for any process hosting the IE engine; nothing here shows a persistence or browser-hijack modification.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  1892 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken (40 IoCs)
Processes:
  description | pid | process
  wmic.exe (pid 520) enabled the following 20 privileges on its token; the full set appears twice in the trace (2 x 20 = 40 IoCs):
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  The entries 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names (on Windows 7: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege).
This is the complete privilege set of the elevated administrator token the sandbox runs under, enabled by wmic.exe itself at startup. It is an artefact of the macro choosing wmic as its launcher, not a separate privilege-escalation step, and it does not grant the payload anything the Admin token did not already hold.
Suspicious use of SetWindowsHookEx (9 IoCs)
Processes:
  pid | process
  1892 | EXCEL.EXE (9 calls)
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description | pid | process | target process
  PID 1892 wrote to memory of 520 | 1892 | EXCEL.EXE | wmic.exe (4 calls)
All four writes go from EXCEL.EXE into the wmic.exe child it has just created. That is the normal parent-to-child setup a process performs during CreateProcess, not injection into an unrelated process; the signature is noise here.
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (pid 1892)
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice-IOMVP.xlsb
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe (pid 520, child of 1892)
    wmic process call create 'mshta C:\ProgramData\jGKaooqEDeGraw.rtf'
    - Process spawned unexpected child process
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\mshta.exe (pid 556, parent wmiprvse.exe pid 896; shown as a second root because the WMI provider host was not traced)
  mshta C:\ProgramData\jGKaooqEDeGraw.rtf
  - Process spawned unexpected child process
  - Modifies Internet Explorer settings
The chain is: Excel opens the .xlsb, the document drops jGKaooqEDeGraw.rtf into C:\ProgramData and runs wmic to have WMI start mshta on it. wmic runs from SysWOW64 because Office14 is 32-bit, while mshta runs from system32 because the 64-bit wmiprvse.exe creates it. The .rtf extension is a disguise: mshta ignores the extension and executes the file's contents as an HTML Application. The sandbox recorded no network activity from mshta during the 57s network window, so whatever the HTA stages next is not visible in this report.
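Detection logic for the launch chain above, as an added example that is not part of the sandbox report: it correlates three process-creation events (Office spawning wmic with `process call create`, wmiprvse.exe spawning a LOLBin whose command line matches what wmic requested, and mshta being handed a file without an .hta extension). The event records are a constructed sample modelled on Sysmon Event ID 1 fields; the PIDs 1892, 520, 556 and 896 and the command lines are the report's, while the wmiprvse.exe and explorer.exe parent events and the benign `wmic os get caption` line are assumptions added to show what does not match.

```python
"""Correlate Office -> wmic.exe -> (wmiprvse.exe) -> mshta.exe process-creation events.

Added example, not part of the sandbox report. Input is a constructed list of
process-creation events (pid, ppid, image, parent image, command line).
"""
import re
from dataclasses import dataclass
from typing import Iterable

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "powershell.exe",
           "cmd.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
# wmic process call create "<cmd>"  (quotes optional, single or double)
WMIC_CREATE_RE = re.compile(r"process\s+call\s+create\s+(['\"]?)(?P<cmd>.+?)\1\s*$", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the new process
    parent_image: str  # full path of the creating process
    cmdline: str


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _norm(cmd: str) -> str:
    return " ".join(cmd.split()).lower()


def _mshta_target(cmdline: str) -> str:
    # mshta takes a single argument: a file path, URL or inline script
    parts = cmdline.split(None, 1)
    return parts[1].strip().strip("\"'") if len(parts) > 1 else ""


def detect(events: Iterable[ProcEvent]) -> list[dict]:
    events = list(events)
    findings = []
    requested = {}  # normalised command wmic asked WMI to create -> the wmic event

    # Rule 1: an Office application spawns wmic.exe with "process call create".
    for ev in events:
        if _base(ev.image) == "wmic.exe" and _base(ev.parent_image) in OFFICE_IMAGES:
            m = WMIC_CREATE_RE.search(ev.cmdline)
            if m:
                requested[_norm(m.group("cmd"))] = ev
                findings.append({"rule": "office_wmic_process_create",
                                 "pid": ev.pid, "parent_pid": ev.ppid,
                                 "requested_cmd": m.group("cmd")})

    # Rule 2: wmiprvse.exe spawns a LOLBin. Its command line is matched back to
    # the wmic request so the launch is attributed to the Office process even
    # though the OS parent is the WMI provider host.
    for ev in events:
        if _base(ev.parent_image) == "wmiprvse.exe" and _base(ev.image) in LOLBINS:
            origin = requested.get(_norm(ev.cmdline))
            findings.append({"rule": "wmiprvse_spawns_lolbin",
                             "pid": ev.pid, "parent_pid": ev.ppid,
                             "requested_by_pid": origin.pid if origin else None,
                             "office_pid": origin.ppid if origin else None})

    # Rule 3: mshta.exe given a file whose extension is not .hta. mshta ignores
    # the extension and runs whatever the file contains, which is how a dropped
    # ".rtf" in ProgramData becomes executable.
    for ev in events:
        if _base(ev.image) == "mshta.exe":
            target = _mshta_target(ev.cmdline)
            lowered = target.lower()
            if target and not lowered.endswith(".hta") \
                    and not lowered.startswith(("javascript:", "vbscript:", "about:")):
                findings.append({"rule": "mshta_non_hta_file", "pid": ev.pid, "target": target})
    return findings


# Constructed sample following the report's process tree. PIDs 1892, 520, 556, 896
# are the report's; the explorer.exe (1000), svchost.exe (600) and cmd.exe (1500)
# parents and the benign interactive wmic query are assumed.
SAMPLE_EVENTS = [
    ProcEvent(1892, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r"C:\Windows\explorer.exe",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice-IOMVP.xlsb'),
    ProcEvent(520, 1892, r"C:\Windows\SysWOW64\Wbem\wmic.exe",
              r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r"wmic process call create 'mshta C:\ProgramData\jGKaooqEDeGraw.rtf'"),
    ProcEvent(896, 600, r"C:\Windows\system32\wbem\wmiprvse.exe",
              r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"),
    ProcEvent(556, 896, r"C:\Windows\system32\mshta.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe",
              r"mshta C:\ProgramData\jGKaooqEDeGraw.rtf"),
    # benign noise: an operator's wmic query from a shell, no process creation
    ProcEvent(2000, 1500, r"C:\Windows\System32\wbem\wmic.exe",
              r"C:\Windows\System32\cmd.exe", r"wmic os get caption"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Rule 2 fires on its own whenever wmiprvse.exe starts a LOLBin, with `requested_by_pid` left empty when no matching wmic request was seen; that covers the same technique driven from a script via the WMI API instead of wmic.exe, where only the wmiprvse.exe side of the chain exists.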
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\jGKaooqEDeGraw.rtf
MD5: 31caf86f93a425b2807eaab9095968f2
SHA1: 280c285d680626e69c86db35b2e7a41a591aa898
SHA256: fd93ba788727b818dbed02edde316946e7d8930e2b65f8808cc842750c0162ec
SHA512: b7b89bf080ecbb70f9207a937e2c5c32c47f05dff922582ea717e3344895bfbe76ccba2472c1f34b55d982a020414e2a1b537fd02eda6937c428160a8a873add
memory/520-63-0x0000000000000000-mapping.dmp
memory/1892-60-0x000000002FB91000-0x000000002FB94000-memory.dmp (12KB)
memory/1892-61-0x00000000714E1000-0x00000000714E3000-memory.dmp (8KB)
memory/1892-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/1892-64-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)