General
Target: inv856837915323.xlsb
Filesize: 79KB
Completed: 09-12-2021 18:05
Task: behavioral2
Score: 10/10
MD5: a8b05f0781be741710594ec8616540c7
SHA1: fac6283173d33ac0ec42603afbf7c0af18bf7bee
SHA256: 30a27f834183c2c94d01d18838bed678f78aa07a09ba5cd1aec57416ef18a43e
SHA512: 907ce01a72b4cd2909f6647f4b555119ac03d52bafd06c10417e065c2653338f95fb491658a553137616e4cc5bb82f42df4eb8485c2435c7d20cf29e07bdac42

Malware Config
Signatures 10


Discovery
  • Process spawned unexpected child process
    wmic.exe, explorer.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3760 | 2724 | wmic.exe | EXCEL.EXE
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1460 | 988 | explorer.exe |
  • Blocklisted process makes network request
    WScript.exe

    Reported IOCs

    flow | pid | process
    45 | 3676 | WScript.exe
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  • Modifies registry class
    explorer.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | explorer.exe
  • Script User-Agent

    Description

    Uses user-agent string associated with script host/environment.

    Reported IOCs

    description | flow | ioc
    HTTP User-Agent header | 45 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    2724 | EXCEL.EXE
  • Suspicious use of AdjustPrivilegeToken
    wmic.exe

    Reported IOCs

    description | pid | process
    (each of the following tokens was reported twice for PID 3760)
    Token: SeIncreaseQuotaPrivilege | 3760 | wmic.exe
    Token: SeSecurityPrivilege | 3760 | wmic.exe
    Token: SeTakeOwnershipPrivilege | 3760 | wmic.exe
    Token: SeLoadDriverPrivilege | 3760 | wmic.exe
    Token: SeSystemProfilePrivilege | 3760 | wmic.exe
    Token: SeSystemtimePrivilege | 3760 | wmic.exe
    Token: SeProfSingleProcessPrivilege | 3760 | wmic.exe
    Token: SeIncBasePriorityPrivilege | 3760 | wmic.exe
    Token: SeCreatePagefilePrivilege | 3760 | wmic.exe
    Token: SeBackupPrivilege | 3760 | wmic.exe
    Token: SeRestorePrivilege | 3760 | wmic.exe
    Token: SeShutdownPrivilege | 3760 | wmic.exe
    Token: SeDebugPrivilege | 3760 | wmic.exe
    Token: SeSystemEnvironmentPrivilege | 3760 | wmic.exe
    Token: SeRemoteShutdownPrivilege | 3760 | wmic.exe
    Token: SeUndockPrivilege | 3760 | wmic.exe
    Token: SeManageVolumePrivilege | 3760 | wmic.exe
    Token: 33 | 3760 | wmic.exe
    Token: 34 | 3760 | wmic.exe
    Token: 35 | 3760 | wmic.exe
    Token: 36 | 3760 | wmic.exe
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    2724 | EXCEL.EXE (15 entries reported)
  • Suspicious use of WriteProcessMemory
    EXCEL.EXEexplorer.exe

    Reported IOCs

    description | pid | process | target process
    PID 2724 wrote to memory of 3760 | 2724 | EXCEL.EXE | wmic.exe
    PID 2724 wrote to memory of 3760 | 2724 | EXCEL.EXE | wmic.exe
    PID 3420 wrote to memory of 3676 | 3420 | explorer.exe | WScript.exe
    PID 3420 wrote to memory of 3676 | 3420 | explorer.exe | WScript.exe
Processes 5
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\inv856837915323.xlsb"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process call create "explorer C:\ProgramData\IeVgaFSGRUxioNf.vbs"
      Process spawned unexpected child process
      Suspicious use of AdjustPrivilegeToken
      PID:3760
  • C:\Windows\explorer.exe
    explorer C:\ProgramData\IeVgaFSGRUxioNf.vbs
    Process spawned unexpected child process
    PID:1460
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\IeVgaFSGRUxioNf.vbs"
      Blocklisted process makes network request
      PID:3676
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\ProgramData\IeVgaFSGRUxioNf.vbs
    MD5: b82665a44b5a93f559f6113a36014821
    SHA1: 0bcf4e4a4108a2441f0e6a3ad6ef6dab564495cf
    SHA256: 97fa2bd6c47708026aac44870d85307753405d520370d67eeedabffe91e032b0
    SHA512: 6bd18225dfe26b78ffa1910c34f397312d5698049abbf4d646b51966d6237c4afb39d6ba058ffb04e831b3bcc13e781146f681f6a9843cdf0c6e9d51d2fe27b7
  • memory/2724-115-0x00007FFB04400000-0x00007FFB04410000-memory.dmp
  • memory/2724-116-0x00007FFB04400000-0x00007FFB04410000-memory.dmp
  • memory/2724-117-0x00007FFB04400000-0x00007FFB04410000-memory.dmp
  • memory/2724-119-0x000001FE153C0000-0x000001FE153C2000-memory.dmp
  • memory/2724-120-0x000001FE153C0000-0x000001FE153C2000-memory.dmp
  • memory/2724-121-0x00007FFB04400000-0x00007FFB04410000-memory.dmp
  • memory/2724-122-0x000001FE153C0000-0x000001FE153C2000-memory.dmp
  • memory/2724-118-0x00007FFB04400000-0x00007FFB04410000-memory.dmp
  • memory/3676-278-0x0000000000000000-mapping.dmp
  • memory/3760-266-0x0000000000000000-mapping.dmp