d4a47cff88117daf3f2ce06778ef9c7978e4429daeb6855b545e11b7586e2027

General

Target

d4a47cff88117daf3f2ce06778ef9c7978e4429daeb6855b545e11b7586e2027.xls
Size

280KB
MD5

840be98d178832a8b2f18becc1edb2b7
SHA1

4167a8c9cf810ad04881da59462f94893f278bbc
SHA256

d4a47cff88117daf3f2ce06778ef9c7978e4429daeb6855b545e11b7586e2027
SHA512

0fb40061e3080913dea6167ce0f7f786cdb6ab5dc571197a1bb05bd14526d8cd0a3aa52143fa3662b45c97222cd1eb5845ca4b2f5d7e889ee4b507f52ff66fa2
SSDEEP

6144:CfOMS9QCYkKTCl2AZRcRvvMVwtPYaUIDrIuqQl6A5Xoq5R:CfxtCsWaOytPYZlI6q5

Score

10^/10

evasion macro macro_on_action persistence xlm

Malware Config

Signatures

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1540	3224	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4100	3224	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3884	3224	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3476	3224	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3764	3224	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2672	3224	cmd.exe	EXCEL.EXE

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
\??\c:\norma1.xlm	office_macro_on_action

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1612 attrib.exe
2512 attrib.exe

pid	process
1612	attrib.exe
2512	attrib.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
\??\c:\norma1.xlm	office_xlm_macros

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet.exe = "internet.exe"	EXCEL.EXE

Drops file in System32 directory 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Windows\System32\internet.exe EXCEL.EXE

description	ioc	process
File created	C:\Windows\System32\internet.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3224 EXCEL.EXE
3972 WINWORD.EXE

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3972	WINWORD.EXE
3972	WINWORD.EXE
3972	WINWORD.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3224 wrote to memory of 1540	3224	EXCEL.EXE	cmd.exe
PID 3224 wrote to memory of 1540	3224	EXCEL.EXE	cmd.exe
PID 1540 wrote to memory of 5108	1540	cmd.exe	attrib.exe
PID 1540 wrote to memory of 5108	1540	cmd.exe	attrib.exe
PID 3224 wrote to memory of 4100	3224	EXCEL.EXE	cmd.exe
PID 3224 wrote to memory of 4100	3224	EXCEL.EXE	cmd.exe
PID 4100 wrote to memory of 3900	4100	cmd.exe	attrib.exe
PID 4100 wrote to memory of 3900	4100	cmd.exe	attrib.exe
PID 3224 wrote to memory of 3884	3224	EXCEL.EXE	cmd.exe
PID 3224 wrote to memory of 3884	3224	EXCEL.EXE	cmd.exe
PID 3884 wrote to memory of 4052	3884	cmd.exe	extrac32.exe
PID 3884 wrote to memory of 4052	3884	cmd.exe	extrac32.exe
PID 3224 wrote to memory of 3476	3224	EXCEL.EXE	cmd.exe
PID 3224 wrote to memory of 3476	3224	EXCEL.EXE	cmd.exe
PID 3224 wrote to memory of 3764	3224	EXCEL.EXE	cmd.exe
PID 3224 wrote to memory of 3764	3224	EXCEL.EXE	cmd.exe
PID 3764 wrote to memory of 1612	3764	cmd.exe	attrib.exe
PID 3764 wrote to memory of 1612	3764	cmd.exe	attrib.exe
PID 3224 wrote to memory of 2672	3224	EXCEL.EXE	cmd.exe
PID 3224 wrote to memory of 2672	3224	EXCEL.EXE	cmd.exe
PID 2672 wrote to memory of 2512	2672	cmd.exe	attrib.exe
PID 2672 wrote to memory of 2512	2672	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

2512 attrib.exe
5108 attrib.exe
3900 attrib.exe
1612 attrib.exe

pid	process
2512	attrib.exe
5108	attrib.exe
3900	attrib.exe
1612	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d4a47cff88117daf3f2ce06778ef9c7978e4429daeb6855b545e11b7586e2027.xls"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib -s -h c:\setflag.exe
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\system32\attrib.exe
attrib -s -h c:\setflag.exe
3⤵
- Views/modifies file attributes
PID:5108

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib -s -h c:\sendto.exe
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\system32\attrib.exe
attrib -s -h c:\sendto.exe
3⤵
- Views/modifies file attributes
PID:3900

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c extrac32 /E /Y /L c:\ c:\cab.cab
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\system32\extrac32.exe
extrac32 /E /Y /L c:\ c:\cab.cab
3⤵
PID:4052

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c extract /E /Y /L c:\ c:\cab.cab
2⤵
- Process spawned unexpected child process
PID:3476

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib +s +h c:\setflag.exe
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\system32\attrib.exe
attrib +s +h c:\setflag.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1612

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib +s +h c:\sendto.exe
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\attrib.exe
attrib +s +h c:\sendto.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2512

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\sendto.exe
Filesize
20KB

MD5
56bafcef305ce46d847421edd6eec04b

SHA1
e6e31dda260fee10b63c4dd297b433749ea7ac07

SHA256
3c6d90fdf13ef66dd36631796cd50db01dfb8e2db5b472c45202513ab816f272

SHA512
c78210f40daa6e2827d1280eaca5ae22cf036d20ff802826171cfdaf2b64a011f32c8689eec174d3375e197b240e4c92a2fb466b01c66a96e9276cd1de160e20

Download Submit
C:\setflag.exe
Filesize
32KB

MD5
a4f9be8517afb4c5d9c63960a5faf258

SHA1
6d3300bfc43b191819f687df91bfbe2c6294d6bb

SHA256
78b6db289832df709d17fd5c49359ddfb9cacaa8303cd77290427bac4c829ba2

SHA512
c6c918bc91ed645553245cc640ed66882af264035732b8a8c2682f14a9c8f183c38837c1b3e62ca7d16e1560e6bc2a4273b41c9614a046752928c9a0c45ecb2e

Download Submit
\??\c:\cab.cab
Filesize
70KB

MD5
5a876443f36ca54efae1c723041435c0

SHA1
7ebd6188c3df725008209b7d24f914b2b3ce0a6c

SHA256
02397a86f99f98f212adee047d25c56fa6644a3cf6058ddb0da0221d708f1ee9

SHA512
a065a1ed747b8348c49c909e7186da584a3f01bca4652b154d5f7f88c4de15c5f0c03884db5cf33bca9035944cf5c7bc6983571301dd0fa4d7c298942887a149

Download Submit
\??\c:\internet.exe
Filesize
24KB

MD5
072ca9f791665febeacda1be1e71a124

SHA1
20d6d75ef7e06c72b43a2e3be81f5ceab11a1a5a

SHA256
692bfa3ca595a0ed57dd1d5fa6652332162c90ea0c9b8c9b32ddbebbec063f3d

SHA512
3cd1c0727085dcc054b1c9111c934fef3473d57a91e1e247418a220e35c59e495282740621d6c9c01c86a39ad4e5c79d7d95dbd289e25f044cfad1f616d52290

Download Submit
\??\c:\norma1.xlm
Filesize
68KB

MD5
3f08a7010fe4ea32b210b7919448ada6

SHA1
c7bc3bb8f78ef217b83c593542b5c4cf602746a2

SHA256
506260a97f723ce79e3243b651dc8af1c3fcdbf72431be60b1a0afbab8d2dce9

SHA512
be8ac3dcb6574e6876c2f8d2e40c1c6ad75ca611275ccc73c7283f6b17f3956c16c14d9dfa10e36576011baa691378a8ce6115e380b821a2d6f549ea46567b4c

Download Submit
\??\c:\normal.dot
Filesize
103KB

MD5
26ab77fe4d542805e0afdc9d0efc92c2

SHA1
332dc776b13e8f04809a312183ef9532ea2b18d3

SHA256
1cb2d969e56664ddc1f496c63e424cbe1ce2f560f8350f4ffa451f0fc03006d9

SHA512
ef439dbbe390eb175bd9970d76827a6b506b88a4db7cda233d8b6591b22e3c7a454cbb8111ca78dbbd6b195c91aa89c7d0c9df952052d3471eb07ac80f98b89a

Download Submit
memory/1540-139-0x0000000000000000-mapping.dmp

Download
memory/1612-158-0x0000000000000000-mapping.dmp

Download
memory/2512-162-0x0000000000000000-mapping.dmp

Download
memory/2672-161-0x0000000000000000-mapping.dmp

Download
memory/3224-138-0x00007FF85FF60000-0x00007FF85FF70000-memory.dmp

Filesize
64KB

Download
memory/3224-136-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/3224-133-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/3224-134-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/3224-132-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/3224-137-0x00007FF85FF60000-0x00007FF85FF70000-memory.dmp

Filesize
64KB

Download
memory/3224-135-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/3476-146-0x0000000000000000-mapping.dmp

Download
memory/3764-157-0x0000000000000000-mapping.dmp

Download
memory/3884-143-0x0000000000000000-mapping.dmp

Download
memory/3900-142-0x0000000000000000-mapping.dmp

Download
memory/3972-153-0x00007FF85FF60000-0x00007FF85FF70000-memory.dmp

Filesize
64KB

Download
memory/3972-154-0x00007FF85FF60000-0x00007FF85FF70000-memory.dmp

Filesize
64KB

Download
memory/3972-164-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/3972-165-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/3972-166-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/3972-167-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/4052-144-0x0000000000000000-mapping.dmp

Download
memory/4100-141-0x0000000000000000-mapping.dmp

Download
memory/5108-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads