e687341b29dabd3bc36ad264fb6407b555704afc3a79710b9e63c1304c0c117b

General

Target

e687341b29dabd3bc36ad264fb6407b555704afc3a79710b9e63c1304c0c117b.xls
Size

95KB
MD5

de1756f474b990b0b0accfe97a620e0d
SHA1

383b2578803cb59503bdc9f2f5b67c5236aa9c5b
SHA256

e687341b29dabd3bc36ad264fb6407b555704afc3a79710b9e63c1304c0c117b
SHA512

ddc116ec895ebc5a05d5ca6b7a05e21e0e60bfd7c2f8f70731dc07859c98fb7f7b95fd72ef0ed899c38ffae5402969b111e3fd17dc1e866654899b439ed0c989
SSDEEP

1536:LkkkkIhuIZ6WVbrzQ7IIibQx23DkpEWVX1qWPEJiO:lWVbrzQ7II23QpEyX1qiHO

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3080	1588	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1948	1588	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2720	1588	cmd.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1588 EXCEL.EXE

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

EXCEL.EXE

pid	process
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE
1588	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EXCEL.EXEcmd.exe

description	pid	process	target process
PID 1588 wrote to memory of 3080	1588	EXCEL.EXE	cmd.exe
PID 1588 wrote to memory of 3080	1588	EXCEL.EXE	cmd.exe
PID 1588 wrote to memory of 1948	1588	EXCEL.EXE	cmd.exe
PID 1588 wrote to memory of 1948	1588	EXCEL.EXE	cmd.exe
PID 1588 wrote to memory of 2720	1588	EXCEL.EXE	cmd.exe
PID 1588 wrote to memory of 2720	1588	EXCEL.EXE	cmd.exe
PID 3080 wrote to memory of 1660	3080	cmd.exe	attrib.exe
PID 3080 wrote to memory of 1660	3080	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1660 attrib.exe

pid	process
1660	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e687341b29dabd3bc36ad264fb6407b555704afc3a79710b9e63c1304c0c117b.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\system32\attrib.exe
attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
3⤵
- Views/modifies file attributes
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
2⤵
- Process spawned unexpected child process
PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
2⤵
- Process spawned unexpected child process
PID:2720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1588-145-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/1588-132-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/1588-134-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/1588-135-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/1588-148-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/1588-137-0x00007FFBC7A10000-0x00007FFBC7A20000-memory.dmp

Filesize
64KB

Download
memory/1588-133-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/1588-138-0x00007FFBC7A10000-0x00007FFBC7A20000-memory.dmp

Filesize
64KB

Download
memory/1588-136-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/1588-147-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/1588-146-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/1588-143-0x00000256E91D9000-0x00000256E91DB000-memory.dmp

Filesize
8KB

Download
memory/1660-142-0x0000000000000000-mapping.dmp

Download
memory/1948-140-0x0000000000000000-mapping.dmp

Download
memory/2720-141-0x0000000000000000-mapping.dmp

Download
memory/3080-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads