30a27f834183c2c94d01d18838bed678f78aa07a09ba5cd1aec57416ef18a43e

Resubmissions

09-12-2021 18:02

211209-wmrwraeefm 10

09-12-2021 13:54

211209-q7h7fsdecm 10

07-12-2021 10:30

211207-mjt29sggaq 10

Analysis

max time kernel
125s
max time network
132s
platform
windows10_x64
resource
win10-en-20211104
submitted
07-12-2021 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inv856837915323.xlsb
Size

79KB
MD5

a8b05f0781be741710594ec8616540c7
SHA1

fac6283173d33ac0ec42603afbf7c0af18bf7bee
SHA256

30a27f834183c2c94d01d18838bed678f78aa07a09ba5cd1aec57416ef18a43e
SHA512

907ce01a72b4cd2909f6647f4b555119ac03d52bafd06c10417e065c2653338f95fb491658a553137616e4cc5bb82f42df4eb8485c2435c7d20cf29e07bdac42

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3452	3064	wmic.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3976	explorer.exe	75

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3064	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3452	wmic.exe
Token: SeSecurityPrivilege	3452	wmic.exe
Token: SeTakeOwnershipPrivilege	3452	wmic.exe
Token: SeLoadDriverPrivilege	3452	wmic.exe
Token: SeSystemProfilePrivilege	3452	wmic.exe
Token: SeSystemtimePrivilege	3452	wmic.exe
Token: SeProfSingleProcessPrivilege	3452	wmic.exe
Token: SeIncBasePriorityPrivilege	3452	wmic.exe
Token: SeCreatePagefilePrivilege	3452	wmic.exe
Token: SeBackupPrivilege	3452	wmic.exe
Token: SeRestorePrivilege	3452	wmic.exe
Token: SeShutdownPrivilege	3452	wmic.exe
Token: SeDebugPrivilege	3452	wmic.exe
Token: SeSystemEnvironmentPrivilege	3452	wmic.exe
Token: SeRemoteShutdownPrivilege	3452	wmic.exe
Token: SeUndockPrivilege	3452	wmic.exe
Token: SeManageVolumePrivilege	3452	wmic.exe
Token: 33	3452	wmic.exe
Token: 34	3452	wmic.exe
Token: 35	3452	wmic.exe
Token: 36	3452	wmic.exe
Token: SeIncreaseQuotaPrivilege	3452	wmic.exe
Token: SeSecurityPrivilege	3452	wmic.exe
Token: SeTakeOwnershipPrivilege	3452	wmic.exe
Token: SeLoadDriverPrivilege	3452	wmic.exe
Token: SeSystemProfilePrivilege	3452	wmic.exe
Token: SeSystemtimePrivilege	3452	wmic.exe
Token: SeProfSingleProcessPrivilege	3452	wmic.exe
Token: SeIncBasePriorityPrivilege	3452	wmic.exe
Token: SeCreatePagefilePrivilege	3452	wmic.exe
Token: SeBackupPrivilege	3452	wmic.exe
Token: SeRestorePrivilege	3452	wmic.exe
Token: SeShutdownPrivilege	3452	wmic.exe
Token: SeDebugPrivilege	3452	wmic.exe
Token: SeSystemEnvironmentPrivilege	3452	wmic.exe
Token: SeRemoteShutdownPrivilege	3452	wmic.exe
Token: SeUndockPrivilege	3452	wmic.exe
Token: SeManageVolumePrivilege	3452	wmic.exe
Token: 33	3452	wmic.exe
Token: 34	3452	wmic.exe
Token: 35	3452	wmic.exe
Token: 36	3452	wmic.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3064	EXCEL.EXE
3064	EXCEL.EXE
3064	EXCEL.EXE
3064	EXCEL.EXE
3064	EXCEL.EXE
3064	EXCEL.EXE
3064	EXCEL.EXE
3064	EXCEL.EXE
3064	EXCEL.EXE
3064	EXCEL.EXE
3064	EXCEL.EXE
3064	EXCEL.EXE
3064	EXCEL.EXE
3064	EXCEL.EXE
3064	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 3452	3064	EXCEL.EXE	73
PID 3064 wrote to memory of 3452	3064	EXCEL.EXE	73
PID 1000 wrote to memory of 1260	1000	explorer.exe	78
PID 1000 wrote to memory of 1260	1000	explorer.exe	78

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\inv856837915323.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\System32\Wbem\wmic.exe
  wmic process call create "explorer C:\ProgramData\IeVgaFSGRUxioNf.vbs"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
  PID:3452

C:\Windows\explorer.exe
explorer C:\ProgramData\IeVgaFSGRUxioNf.vbs
1⤵
- Process spawned unexpected child process
PID:2512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\IeVgaFSGRUxioNf.vbs"
  2⤵
  PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3064-124-0x0000012CC9830000-0x0000012CC9832000-memory.dmp

Filesize
8KB

Download
memory/3064-121-0x00007FFB94B00000-0x00007FFB94B10000-memory.dmp

Filesize
64KB

Download
memory/3064-122-0x0000012CC9830000-0x0000012CC9832000-memory.dmp

Filesize
8KB

Download
memory/3064-123-0x0000012CC9830000-0x0000012CC9832000-memory.dmp

Filesize
8KB

Download
memory/3064-118-0x00007FFB94B00000-0x00007FFB94B10000-memory.dmp

Filesize
64KB

Download
memory/3064-130-0x00007FFB94B00000-0x00007FFB94B10000-memory.dmp

Filesize
64KB

Download
memory/3064-179-0x0000012CC9830000-0x0000012CC9832000-memory.dmp

Filesize
8KB

Download
memory/3064-180-0x0000012CC9830000-0x0000012CC9832000-memory.dmp

Filesize
8KB

Download
memory/3064-120-0x00007FFB94B00000-0x00007FFB94B10000-memory.dmp

Filesize
64KB

Download
memory/3064-119-0x00007FFB94B00000-0x00007FFB94B10000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads