Analysis
- max time kernel: 126s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 14-10-2021 14:10
Behavioral task: behavioral1
  Sample: Invoice-64145512_20211013.xlsb
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: Invoice-64145512_20211013.xlsb
  Resource: win10-en-20210920
General
- Target: Invoice-64145512_20211013.xlsb
- Size: 269KB
- MD5: 4e6d8b34d4441d66984a1b4fa51fe561
- SHA1: a991079981a98f9cf3ceba151ce56d39fa522b5d
- SHA256: 6a5cd724baaebc19773830980de192cfa10e9d921469153399e656fbdd0ff972
- SHA512: a934d862c117c7010b17473fe6c9d71824f43a95fe48e7bf93ce5505142a8dd29b5aacc9dc75bf7257571e494ae6b39e6ec399f9efa0e9dbb99722bcaa080804
Malware Config
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: wmic.exe, mshta.exe
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1664 | 2468 | wmic.exe | EXCEL.EXE
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1624 | 2488 | mshta.exe |
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
    pid | process
    2468 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes: wmic.exe
    description | pid | process
    Token: SeIncreaseQuotaPrivilege | 1664 | wmic.exe
    Token: SeSecurityPrivilege | 1664 | wmic.exe
    Token: SeTakeOwnershipPrivilege | 1664 | wmic.exe
    Token: SeLoadDriverPrivilege | 1664 | wmic.exe
    Token: SeSystemProfilePrivilege | 1664 | wmic.exe
    Token: SeSystemtimePrivilege | 1664 | wmic.exe
    Token: SeProfSingleProcessPrivilege | 1664 | wmic.exe
    Token: SeIncBasePriorityPrivilege | 1664 | wmic.exe
    Token: SeCreatePagefilePrivilege | 1664 | wmic.exe
    Token: SeBackupPrivilege | 1664 | wmic.exe
    Token: SeRestorePrivilege | 1664 | wmic.exe
    Token: SeShutdownPrivilege | 1664 | wmic.exe
    Token: SeDebugPrivilege | 1664 | wmic.exe
    Token: SeSystemEnvironmentPrivilege | 1664 | wmic.exe
    Token: SeRemoteShutdownPrivilege | 1664 | wmic.exe
    Token: SeUndockPrivilege | 1664 | wmic.exe
    Token: SeManageVolumePrivilege | 1664 | wmic.exe
    Token: 33 | 1664 | wmic.exe
    Token: 34 | 1664 | wmic.exe
    Token: 35 | 1664 | wmic.exe
    Token: 36 | 1664 | wmic.exe
    Token: SeIncreaseQuotaPrivilege | 1664 | wmic.exe
    Token: SeSecurityPrivilege | 1664 | wmic.exe
    Token: SeTakeOwnershipPrivilege | 1664 | wmic.exe
    Token: SeLoadDriverPrivilege | 1664 | wmic.exe
    Token: SeSystemProfilePrivilege | 1664 | wmic.exe
    Token: SeSystemtimePrivilege | 1664 | wmic.exe
    Token: SeProfSingleProcessPrivilege | 1664 | wmic.exe
    Token: SeIncBasePriorityPrivilege | 1664 | wmic.exe
    Token: SeCreatePagefilePrivilege | 1664 | wmic.exe
    Token: SeBackupPrivilege | 1664 | wmic.exe
    Token: SeRestorePrivilege | 1664 | wmic.exe
    Token: SeShutdownPrivilege | 1664 | wmic.exe
    Token: SeDebugPrivilege | 1664 | wmic.exe
    Token: SeSystemEnvironmentPrivilege | 1664 | wmic.exe
    Token: SeRemoteShutdownPrivilege | 1664 | wmic.exe
    Token: SeUndockPrivilege | 1664 | wmic.exe
    Token: SeManageVolumePrivilege | 1664 | wmic.exe
    Token: 33 | 1664 | wmic.exe
    Token: 34 | 1664 | wmic.exe
    Token: 35 | 1664 | wmic.exe
    Token: 36 | 1664 | wmic.exe
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes: EXCEL.EXE
    pid | process
    2468 | EXCEL.EXE
    2468 | EXCEL.EXE
    2468 | EXCEL.EXE
    2468 | EXCEL.EXE
    2468 | EXCEL.EXE
    2468 | EXCEL.EXE
    2468 | EXCEL.EXE
    2468 | EXCEL.EXE
    2468 | EXCEL.EXE
    2468 | EXCEL.EXE
    2468 | EXCEL.EXE
    2468 | EXCEL.EXE
    2468 | EXCEL.EXE
    2468 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: EXCEL.EXE
    description | pid | process | target process
    PID 2468 wrote to memory of 1664 | 2468 | EXCEL.EXE | wmic.exe
    PID 2468 wrote to memory of 1664 | 2468 | EXCEL.EXE | wmic.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice-64145512_20211013.xlsb"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic process call create 'mshta C:\ProgramData\srwREKktqM.rtf'
    - Process spawned unexpected child process
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\mshta.exe
  Command line: mshta C:\ProgramData\srwREKktqM.rtf
  - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\srwREKktqM.rtf
  MD5: 8d1f493b8af4febc05b5dd0634f1d24c
  SHA1: 65e9bf9e203aab1b72c7878660044f42bf15c7f3
  SHA256: 89b7347a7ce8567b3178767c556f799507aed73a96b06619d3e541c7107c3d23
  SHA512: b3af047052fa1c577295683d051bb6fa93c18b723941a48e3bd1daff39f033fe3e0bb4a470599c74fe52bf7c14cf096796f9c2bc79451ce4c521236e63061917
- memory/1664-267-0x0000000000000000-mapping.dmp
- memory/2468-115-0x00007FFCB3220000-0x00007FFCB3230000-memory.dmp (Filesize: 64KB)
- memory/2468-116-0x00007FFCB3220000-0x00007FFCB3230000-memory.dmp (Filesize: 64KB)
- memory/2468-117-0x00007FFCB3220000-0x00007FFCB3230000-memory.dmp (Filesize: 64KB)
- memory/2468-118-0x00007FFCB3220000-0x00007FFCB3230000-memory.dmp (Filesize: 64KB)
- memory/2468-119-0x00007FFCB3220000-0x00007FFCB3230000-memory.dmp (Filesize: 64KB)
- memory/2468-121-0x000001E2258B0000-0x000001E2258B2000-memory.dmp (Filesize: 8KB)
- memory/2468-120-0x000001E2258B0000-0x000001E2258B2000-memory.dmp (Filesize: 8KB)
- memory/2468-122-0x000001E2258B0000-0x000001E2258B2000-memory.dmp (Filesize: 8KB)