f6d3cbc45d715b753399a9675392530fbbd1329fc2ec02a507af03943d6d4881

General

Target

منتجات مقر الاتحاد العام للصناعات.xll
Size

769KB
MD5

b95b32b432f7eaa17e5b30b6f82a9530
SHA1

0666350494defd43db6d268c132cdf61473635e2
SHA256

f6d3cbc45d715b753399a9675392530fbbd1329fc2ec02a507af03943d6d4881
SHA512

4f5b1619c3e75248e4b67e6ae60675e8dab9328a8e1dcdff4cfb9e4daad008ff55b0bf5657a4956af5c02d508ee94500aba2cd2d1c0c8ab68e794c2621e3f0e2
SSDEEP

12288:NG1N4HkcgMsiOd58bzbBSre4Q0uqZzD1reWabd/zyCmAJoJHpQRwDYhMp:NoOOMX1I+QHT+dbphGJHpSwDYhMp

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4292	onlinedrive.exe

Loads dropped DLL 2 IoCs

pid	Process
4580	EXCEL.EXE
4580	EXCEL.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2120	1424	WerFault.exe	85

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4580	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4580	EXCEL.EXE
4580	EXCEL.EXE
4580	EXCEL.EXE
4580	EXCEL.EXE
4580	EXCEL.EXE
4580	EXCEL.EXE
4580	EXCEL.EXE
4580	EXCEL.EXE
4580	EXCEL.EXE
4580	EXCEL.EXE
4580	EXCEL.EXE
4580	EXCEL.EXE
4580	EXCEL.EXE
4580	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 4292	4580	EXCEL.EXE	87
PID 4580 wrote to memory of 4292	4580	EXCEL.EXE	87
PID 4292 wrote to memory of 4376	4292	onlinedrive.exe	88
PID 4292 wrote to memory of 4376	4292	onlinedrive.exe	88
PID 4292 wrote to memory of 1224	4292	onlinedrive.exe	95
PID 4292 wrote to memory of 1224	4292	onlinedrive.exe	95
PID 4292 wrote to memory of 1516	4292	onlinedrive.exe	97
PID 4292 wrote to memory of 1516	4292	onlinedrive.exe	97
PID 4292 wrote to memory of 3632	4292	onlinedrive.exe	99
PID 4292 wrote to memory of 3632	4292	onlinedrive.exe	99
PID 4292 wrote to memory of 2580	4292	onlinedrive.exe	101
PID 4292 wrote to memory of 2580	4292	onlinedrive.exe	101
PID 4292 wrote to memory of 4728	4292	onlinedrive.exe	103
PID 4292 wrote to memory of 4728	4292	onlinedrive.exe	103

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\منتجات مقر الاتحاد العام للصناعات.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Users\Admin\AppData\Local\Temp\onlinedrive.exe
  "C:\Users\Admin\AppData\Local\Temp\onlinedrive.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\SYSTEM32\cmd.exe
    cmd
    3⤵
    PID:4376
- - C:\Windows\SYSTEM32\cmd.exe
    cmd
    3⤵
    PID:1224
- - C:\Windows\SYSTEM32\cmd.exe
    cmd
    3⤵
    PID:1516
- - C:\Windows\SYSTEM32\cmd.exe
    cmd
    3⤵
    PID:3632
- - C:\Windows\SYSTEM32\cmd.exe
    cmd
    3⤵
    PID:2580
- - C:\Windows\SYSTEM32\cmd.exe
    cmd
    3⤵
    PID:4728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 1424 -ip 1424
1⤵
PID:372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1424 -s 1468
1⤵
- Program crash
PID:2120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onlinedrive.exe

Filesize
377KB

MD5
cf16b73c4bc8b0b3169def3145515c51

SHA1
d96122f40c613ec7569b0afa431670827b2b20f2

SHA256
8b9242cdae9f1f916e026e7e09620a4f1cfd702caad9312dcd8c60c7921ed30d

SHA512
b09080e5afd57afcbd78dde9ef707f7afb74afd04515d800b5e2e0f7832755131a1c1b7a1f32383e569c9945ffd7b73f9b4c44d9c3894e78093a3cb751310c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\منتجات مقر الاتحاد العام للصناعات.xll

Filesize
769KB

MD5
b95b32b432f7eaa17e5b30b6f82a9530

SHA1
0666350494defd43db6d268c132cdf61473635e2

SHA256
f6d3cbc45d715b753399a9675392530fbbd1329fc2ec02a507af03943d6d4881

SHA512
4f5b1619c3e75248e4b67e6ae60675e8dab9328a8e1dcdff4cfb9e4daad008ff55b0bf5657a4956af5c02d508ee94500aba2cd2d1c0c8ab68e794c2621e3f0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\منتجات مقر الاتحاد العام للصناعات.xll

Filesize
769KB

MD5
b95b32b432f7eaa17e5b30b6f82a9530

SHA1
0666350494defd43db6d268c132cdf61473635e2

SHA256
f6d3cbc45d715b753399a9675392530fbbd1329fc2ec02a507af03943d6d4881

SHA512
4f5b1619c3e75248e4b67e6ae60675e8dab9328a8e1dcdff4cfb9e4daad008ff55b0bf5657a4956af5c02d508ee94500aba2cd2d1c0c8ab68e794c2621e3f0e2

Download Submit
memory/4580-138-0x00007FFC6F060000-0x00007FFC6F070000-memory.dmp

Filesize
64KB

Download
memory/4580-137-0x00007FFC6F060000-0x00007FFC6F070000-memory.dmp

Filesize
64KB

Download
memory/4580-144-0x0000024575940000-0x00000245759B2000-memory.dmp

Filesize
456KB

Download
memory/4580-145-0x00000245758E0000-0x00000245758F2000-memory.dmp

Filesize
72KB

Download
memory/4580-146-0x00000245758C0000-0x00000245758CA000-memory.dmp

Filesize
40KB

Download
memory/4580-147-0x000002450B940000-0x000002450C401000-memory.dmp

Filesize
10.8MB

Download
memory/4580-148-0x000002450732C000-0x000002450732F000-memory.dmp

Filesize
12KB

Download
memory/4580-140-0x000002450B660000-0x000002450B739000-memory.dmp

Filesize
868KB

Download
memory/4580-132-0x00007FFC713F0000-0x00007FFC71400000-memory.dmp

Filesize
64KB

Download
memory/4580-143-0x000002457B8B0000-0x000002457BA40000-memory.dmp

Filesize
1.6MB

Download
memory/4580-152-0x000002450B940000-0x000002450C401000-memory.dmp

Filesize
10.8MB

Download
memory/4580-153-0x000002450732C000-0x000002450732F000-memory.dmp

Filesize
12KB

Download
memory/4580-136-0x00007FFC713F0000-0x00007FFC71400000-memory.dmp

Filesize
64KB

Download
memory/4580-135-0x00007FFC713F0000-0x00007FFC71400000-memory.dmp

Filesize
64KB

Download
memory/4580-133-0x00007FFC713F0000-0x00007FFC71400000-memory.dmp

Filesize
64KB

Download
memory/4580-134-0x00007FFC713F0000-0x00007FFC71400000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads