Analysis
-
max time kernel
147s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
07-09-2022 09:44
Behavioral task
behavioral1
Sample
subscription_1617056233.xlsb
Resource
win7-20220812-en
General
-
Target
subscription_1617056233.xlsb
-
Size
177KB
-
MD5
1d1ba411ff36cdd1b1350341624ac008
-
SHA1
becdec14b92c6d67b3aa28fdbf4293dabb7b0055
-
SHA256
ae6dbc08e0e21b217352175f916cfd5269c4fd8d5de6bff2d0a93a366f78e8d1
-
SHA512
89a9df6e41300e05c71af3eb45acd7cd6c3915bc511d00cc2a420c5d3a274a704798b3e48e93ffccd7813ee2a25e96a2c1c1f4d1e84ed86c144f2e79af501ef0
-
SSDEEP
3072:jMozgZ9S08bSe71IeyGJE+pCm7nXEMyQuvYKrp/wR+bhzKbzvXAJ732:TgLSPB76eyGjwm75yQuvPSjwJr2
Malware Config
Extracted
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1500 4944 cmd.exe 81 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3928 4944 rundll32.exe 81 -
Nloader payload 4 IoCs
resource yara_rule behavioral2/memory/2648-146-0x0000000002A90000-0x0000000002A99000-memory.dmp nloader behavioral2/memory/2648-150-0x0000000002AA0000-0x0000000002AA7000-memory.dmp nloader behavioral2/memory/2648-153-0x0000000002AC0000-0x0000000002AC5000-memory.dmp nloader behavioral2/memory/2648-156-0x0000000002A70000-0x0000000002A76000-memory.dmp nloader -
Loads dropped DLL 1 IoCs
pid Process 2648 rundll32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4416 2648 WerFault.exe 86 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4944 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 4944 EXCEL.EXE 4944 EXCEL.EXE 4944 EXCEL.EXE 4944 EXCEL.EXE 4944 EXCEL.EXE 4944 EXCEL.EXE 4944 EXCEL.EXE 4944 EXCEL.EXE 4944 EXCEL.EXE 4944 EXCEL.EXE 4944 EXCEL.EXE 4944 EXCEL.EXE -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4944 wrote to memory of 1500 4944 EXCEL.EXE 82 PID 4944 wrote to memory of 1500 4944 EXCEL.EXE 82 PID 1500 wrote to memory of 4384 1500 cmd.exe 84 PID 1500 wrote to memory of 4384 1500 cmd.exe 84 PID 4944 wrote to memory of 3928 4944 EXCEL.EXE 85 PID 4944 wrote to memory of 3928 4944 EXCEL.EXE 85 PID 3928 wrote to memory of 2648 3928 rundll32.exe 86 PID 3928 wrote to memory of 2648 3928 rundll32.exe 86 PID 3928 wrote to memory of 2648 3928 rundll32.exe 86
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\subscription_1617056233.xlsb"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c certutil -decode %PUBLIC%\4123.xsg %PUBLIC%\4123.do12⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\system32\certutil.execertutil -decode C:\Users\Public\4123.xsg C:\Users\Public\4123.do13⤵PID:4384
-
-
-
C:\Windows\SYSTEM32\rundll32.exerundll32 C:\Users\Public\4123.do1,DF12⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\rundll32.exerundll32 C:\Users\Public\4123.do1,DF13⤵
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 9244⤵
- Program crash
PID:4416
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2648 -ip 26481⤵PID:3652
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
MD5f776deb4df137b37dcae5406c8f3a07a
SHA1f6a31b594fca39c118927405fa4d14353b8fd49a
SHA25693cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e
SHA5124077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2
-
Filesize
48KB
MD5f776deb4df137b37dcae5406c8f3a07a
SHA1f6a31b594fca39c118927405fa4d14353b8fd49a
SHA25693cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e
SHA5124077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2
-
Filesize
64KB
MD5c87e1dee1275fed1f7ee813b97ccb17b
SHA1e8313978e3c0dff6355b843cd470949c719032c6
SHA25692bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d
SHA5122d2177413ed0767651789363c2b952ff8fba26de6ebb84a6390af6bc87927577bedf08b802f5bd6e937e7462bddbd707100108ccf6ef4f39ded65bdcb8b40f35