5799983f88a0e3f04717b44ca4e139760f913293f90cf20ce40172c29c5c1fff

General

Target

20200818__0019499400199.xls.exe
Size

882KB
MD5

d4d7fe36e22fd879ffa8ce3cbf6de55d
SHA1

ba2994af343adc732d36a0b5169a70c2b6bad115
SHA256

b56dc20e7a6a6b86fb49f3802961cc8b21b75938af4de7bb55db894a8546246c
SHA512

3049861d9196199227063db90811b8aa5e7a2835087590a9dc9b0f27d66b058e322bde602001a53f25f72dabdc2118ff98bcea004b09eff0cf1e882fd54d3ba1

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

20200818__0019499400199.xls.exe

description pid process target process

PID 3684 set thread context of 2196 3684 20200818__0019499400199.xls.exe 20200818__0019499400199.xls.exe

description	pid	process	target process
PID 3684 set thread context of 2196	3684	20200818__0019499400199.xls.exe	20200818__0019499400199.xls.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

20200818__0019499400199.xls.exe20200818__0019499400199.xls.exepowershell.exe

pid	process
3684	20200818__0019499400199.xls.exe
3684	20200818__0019499400199.xls.exe
3684	20200818__0019499400199.xls.exe
3684	20200818__0019499400199.xls.exe
2196	20200818__0019499400199.xls.exe
2196	20200818__0019499400199.xls.exe
2468	powershell.exe
2468	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

20200818__0019499400199.xls.exe20200818__0019499400199.xls.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3684	20200818__0019499400199.xls.exe
Token: SeDebugPrivilege	2196	20200818__0019499400199.xls.exe
Token: SeDebugPrivilege	2468	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

20200818__0019499400199.xls.exe20200818__0019499400199.xls.execmd.exe

description	pid	process	target process
PID 3684 wrote to memory of 2196	3684	20200818__0019499400199.xls.exe	20200818__0019499400199.xls.exe
PID 3684 wrote to memory of 2196	3684	20200818__0019499400199.xls.exe	20200818__0019499400199.xls.exe
PID 3684 wrote to memory of 2196	3684	20200818__0019499400199.xls.exe	20200818__0019499400199.xls.exe
PID 3684 wrote to memory of 2196	3684	20200818__0019499400199.xls.exe	20200818__0019499400199.xls.exe
PID 3684 wrote to memory of 2196	3684	20200818__0019499400199.xls.exe	20200818__0019499400199.xls.exe
PID 3684 wrote to memory of 2196	3684	20200818__0019499400199.xls.exe	20200818__0019499400199.xls.exe
PID 3684 wrote to memory of 2196	3684	20200818__0019499400199.xls.exe	20200818__0019499400199.xls.exe
PID 3684 wrote to memory of 2196	3684	20200818__0019499400199.xls.exe	20200818__0019499400199.xls.exe
PID 2196 wrote to memory of 2248	2196	20200818__0019499400199.xls.exe	cmd.exe
PID 2196 wrote to memory of 2248	2196	20200818__0019499400199.xls.exe	cmd.exe
PID 2196 wrote to memory of 2248	2196	20200818__0019499400199.xls.exe	cmd.exe
PID 2248 wrote to memory of 2468	2248	cmd.exe	powershell.exe
PID 2248 wrote to memory of 2468	2248	cmd.exe	powershell.exe
PID 2248 wrote to memory of 2468	2248	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\20200818__0019499400199.xls.exe
"C:\Users\Admin\AppData\Local\Temp\20200818__0019499400199.xls.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684

C:\Users\Admin\AppData\Local\Temp\20200818__0019499400199.xls.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\20200818__0019499400199.xls.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\20200818__0019499400199.xls.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20200818__0019499400199.xls.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/2196-135-0x0000000000000000-mapping.dmp

Download
memory/2196-137-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/2196-136-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2248-138-0x0000000000000000-mapping.dmp

Download
memory/2468-140-0x0000000000000000-mapping.dmp

Download
memory/2468-145-0x0000000006820000-0x000000000683E000-memory.dmp

Filesize
120KB

Download
memory/2468-149-0x0000000006E10000-0x0000000006E32000-memory.dmp

Filesize
136KB

Download
memory/2468-148-0x0000000007AB0000-0x0000000007B46000-memory.dmp

Filesize
600KB

Download
memory/2468-147-0x0000000006D10000-0x0000000006D2A000-memory.dmp

Filesize
104KB

Download
memory/2468-146-0x0000000008090000-0x000000000870A000-memory.dmp

Filesize
6.5MB

Download
memory/2468-141-0x0000000002E70000-0x0000000002EA6000-memory.dmp

Filesize
216KB

Download
memory/2468-142-0x0000000005A70000-0x0000000006098000-memory.dmp

Filesize
6.2MB

Download
memory/2468-143-0x0000000005620000-0x0000000005642000-memory.dmp

Filesize
136KB

Download
memory/2468-144-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/3684-134-0x0000000007550000-0x00000000075EC000-memory.dmp

Filesize
624KB

Download
memory/3684-130-0x0000000000590000-0x0000000000672000-memory.dmp

Filesize
904KB

Download
memory/3684-131-0x0000000005690000-0x0000000005C34000-memory.dmp

Filesize
5.6MB

Download
memory/3684-132-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/3684-133-0x0000000005030000-0x000000000503A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads