General

Target: Invoice-5959498320211004.xlsb
Filesize: 132KB
Completed: 09-12-2021 18:05
Task: behavioral2
Score: 10/10
MD5: 887bc475305003bdc34e671a2f3bd080
SHA1: 7625f787be7479bf54addeff0ce7107cf0f59f23
SHA256: 7e0b4b26bafd471703fac1db25b24936230aecad95732e66420184d717a111ee
SHA512: efb52e8c1fdf6e7cbc80b951220e25c78be0aad5c24b732696784b9b4d5d2c7a284df11fb0f524f64fa3f39a887069599c91f5233062d2aa8c01617104dd9ccd

Malware Config
Signatures 5

Filter: none

Discovery
  • Process spawned unexpected child process
    wmic.exe, mshta.exe, rundll32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3492 | 2544 | wmic.exe | EXCEL.EXE
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 3628 | mshta.exe | -
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3948 | 3628 | rundll32.exe | -
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    2544 | EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    2544 | EXCEL.EXE (reported 14 times)
Processes 6
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice-5959498320211004.xlsb"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:2544
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process call create 'mshta C:\ProgramData\vlEUL.rtf'
      Process spawned unexpected child process
      PID:3492
  • C:\Windows\system32\mshta.exe
    mshta C:\ProgramData\vlEUL.rtf
    Process spawned unexpected child process
    PID:2824
    • C:\Windows\system32\mshta.exe
      mshta C:\\ProgramData\penchs.rtf
      PID:612
      • C:\Windows\System32\Wbem\wmic.exe
        wmic process call create "rundll32.exe C:\\ProgramData\penchs.png HalGetVectorInput"
        PID:1152
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\\ProgramData\penchs.png HalGetVectorInput
    Process spawned unexpected child process
    PID:3948
Network
MITRE ATT&CK Matrix
  Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\ProgramData\penchs.png
    MD5: 4c6bd0c6ad0db354bd1327d0993bcbeb
    SHA1: 6f1967c122c876e6e3b1d440b2ea5d473555499d
    SHA256: 636fa44a6ba723d5746b64a4411e8e330d4dcc34443962a2e7e2cc378efcec32
    SHA512: 59434b260ce6d950e57d8d65ae2a547704989e775f4393fe20e781dc578262c6331fe17a13f8535c40ddffa8e5ca73e599f481cf8de84dcb7e83baae393194d6
  • C:\ProgramData\penchs.rtf
    MD5: f38dabb35050a8d240d93ae2239300c5
    SHA1: 2c4d2d18460cd684ac74e94768341807f46fe05b
    SHA256: fc4150684fe35650afaa37a47abd4ea3f3baf1faf022085b691314b72ded5063
    SHA512: 04554121fe823238607455b899429f3cfd5b981b3dfcae68df2534f061191a02bae1ae944eaf8536e2a70a6291ff4e8666d873dede1cf7789737eaf47aff0155
  • C:\ProgramData\vlEUL.rtf
    MD5: 031c5dfeaa97b80bff2c5fd7999352ac
    SHA1: 0e89ec2d13631c157f7e577b7617099bc5e45cd5
    SHA256: 6fbff6199b9a527c7a6c5ccec275a8ffda62f13b4ad29700075c2a8c217b11b6
    SHA512: 766d84ace8e3d0683ab534c2c45bbedbd731121f0bf330edef51ae787350b8a6c81b6d0e103832c185677cdf778bd5567c877ff5e90e3e7ec2ed298c1f11529c
  • memory/612-301-0x0000000000000000-mapping.dmp
  • memory/1152-309-0x0000000000000000-mapping.dmp
  • memory/2544-128-0x00007FF9EB050000-0x00007FF9EB060000-memory.dmp
  • memory/2544-121-0x00007FF9EE7F0000-0x00007FF9EE800000-memory.dmp
  • memory/2544-122-0x00000220E99A0000-0x00000220E99A2000-memory.dmp
  • memory/2544-120-0x00000220E99A0000-0x00000220E99A2000-memory.dmp
  • memory/2544-129-0x00007FF9EB050000-0x00007FF9EB060000-memory.dmp
  • memory/2544-119-0x00000220E99A0000-0x00000220E99A2000-memory.dmp
  • memory/2544-118-0x00007FF9EE7F0000-0x00007FF9EE800000-memory.dmp
  • memory/2544-117-0x00007FF9EE7F0000-0x00007FF9EE800000-memory.dmp
  • memory/2544-116-0x00007FF9EE7F0000-0x00007FF9EE800000-memory.dmp
  • memory/2544-115-0x00007FF9EE7F0000-0x00007FF9EE800000-memory.dmp
  • memory/3492-272-0x0000000000000000-mapping.dmp