30a27f834183c2c94d01d18838bed678f78aa07a09ba5cd1aec57416ef18a43e

General

Target

inv856837915323.xlsb
Size

79KB
MD5

a8b05f0781be741710594ec8616540c7
SHA1

fac6283173d33ac0ec42603afbf7c0af18bf7bee
SHA256

30a27f834183c2c94d01d18838bed678f78aa07a09ba5cd1aec57416ef18a43e
SHA512

907ce01a72b4cd2909f6647f4b555119ac03d52bafd06c10417e065c2653338f95fb491658a553137616e4cc5bb82f42df4eb8485c2435c7d20cf29e07bdac42

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmic.exeexplorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3760	2724	wmic.exe	EXCEL.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	988	explorer.exe

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

45 3676 WScript.exe

flow	pid	process
45	3676	WScript.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings explorer.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 45 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2724 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	explorer.exe

description	flow	ioc
HTTP User-Agent header	45	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3760	wmic.exe
Token: SeSecurityPrivilege	3760	wmic.exe
Token: SeTakeOwnershipPrivilege	3760	wmic.exe
Token: SeLoadDriverPrivilege	3760	wmic.exe
Token: SeSystemProfilePrivilege	3760	wmic.exe
Token: SeSystemtimePrivilege	3760	wmic.exe
Token: SeProfSingleProcessPrivilege	3760	wmic.exe
Token: SeIncBasePriorityPrivilege	3760	wmic.exe
Token: SeCreatePagefilePrivilege	3760	wmic.exe
Token: SeBackupPrivilege	3760	wmic.exe
Token: SeRestorePrivilege	3760	wmic.exe
Token: SeShutdownPrivilege	3760	wmic.exe
Token: SeDebugPrivilege	3760	wmic.exe
Token: SeSystemEnvironmentPrivilege	3760	wmic.exe
Token: SeRemoteShutdownPrivilege	3760	wmic.exe
Token: SeUndockPrivilege	3760	wmic.exe
Token: SeManageVolumePrivilege	3760	wmic.exe
Token: 33	3760	wmic.exe
Token: 34	3760	wmic.exe
Token: 35	3760	wmic.exe
Token: 36	3760	wmic.exe
Token: SeIncreaseQuotaPrivilege	3760	wmic.exe
Token: SeSecurityPrivilege	3760	wmic.exe
Token: SeTakeOwnershipPrivilege	3760	wmic.exe
Token: SeLoadDriverPrivilege	3760	wmic.exe
Token: SeSystemProfilePrivilege	3760	wmic.exe
Token: SeSystemtimePrivilege	3760	wmic.exe
Token: SeProfSingleProcessPrivilege	3760	wmic.exe
Token: SeIncBasePriorityPrivilege	3760	wmic.exe
Token: SeCreatePagefilePrivilege	3760	wmic.exe
Token: SeBackupPrivilege	3760	wmic.exe
Token: SeRestorePrivilege	3760	wmic.exe
Token: SeShutdownPrivilege	3760	wmic.exe
Token: SeDebugPrivilege	3760	wmic.exe
Token: SeSystemEnvironmentPrivilege	3760	wmic.exe
Token: SeRemoteShutdownPrivilege	3760	wmic.exe
Token: SeUndockPrivilege	3760	wmic.exe
Token: SeManageVolumePrivilege	3760	wmic.exe
Token: 33	3760	wmic.exe
Token: 34	3760	wmic.exe
Token: 35	3760	wmic.exe
Token: 36	3760	wmic.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

EXCEL.EXE

pid	process
2724	EXCEL.EXE
2724	EXCEL.EXE
2724	EXCEL.EXE
2724	EXCEL.EXE
2724	EXCEL.EXE
2724	EXCEL.EXE
2724	EXCEL.EXE
2724	EXCEL.EXE
2724	EXCEL.EXE
2724	EXCEL.EXE
2724	EXCEL.EXE
2724	EXCEL.EXE
2724	EXCEL.EXE
2724	EXCEL.EXE
2724	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXEexplorer.exe

description	pid	process	target process
PID 2724 wrote to memory of 3760	2724	EXCEL.EXE	wmic.exe
PID 2724 wrote to memory of 3760	2724	EXCEL.EXE	wmic.exe
PID 3420 wrote to memory of 3676	3420	explorer.exe	WScript.exe
PID 3420 wrote to memory of 3676	3420	explorer.exe	WScript.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\inv856837915323.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\System32\Wbem\wmic.exe
  wmic process call create "explorer C:\ProgramData\IeVgaFSGRUxioNf.vbs"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
  PID:3760

C:\Windows\explorer.exe
explorer C:\ProgramData\IeVgaFSGRUxioNf.vbs
1⤵
- Process spawned unexpected child process
PID:1460

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\IeVgaFSGRUxioNf.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:3676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IeVgaFSGRUxioNf.vbs

MD5
b82665a44b5a93f559f6113a36014821

SHA1
0bcf4e4a4108a2441f0e6a3ad6ef6dab564495cf

SHA256
97fa2bd6c47708026aac44870d85307753405d520370d67eeedabffe91e032b0

SHA512
6bd18225dfe26b78ffa1910c34f397312d5698049abbf4d646b51966d6237c4afb39d6ba058ffb04e831b3bcc13e781146f681f6a9843cdf0c6e9d51d2fe27b7

Download Submit
memory/2724-115-0x00007FFB04400000-0x00007FFB04410000-memory.dmp

Filesize
64KB

Download
memory/2724-116-0x00007FFB04400000-0x00007FFB04410000-memory.dmp

Filesize
64KB

Download
memory/2724-117-0x00007FFB04400000-0x00007FFB04410000-memory.dmp

Filesize
64KB

Download
memory/2724-118-0x00007FFB04400000-0x00007FFB04410000-memory.dmp

Filesize
64KB

Download
memory/2724-119-0x000001FE153C0000-0x000001FE153C2000-memory.dmp

Filesize
8KB

Download
memory/2724-120-0x000001FE153C0000-0x000001FE153C2000-memory.dmp

Filesize
8KB

Download
memory/2724-121-0x00007FFB04400000-0x00007FFB04410000-memory.dmp

Filesize
64KB

Download
memory/2724-122-0x000001FE153C0000-0x000001FE153C2000-memory.dmp

Filesize
8KB

Download
memory/3676-278-0x0000000000000000-mapping.dmp

Download
memory/3760-266-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads