b8a748811ac92bd3b8f8b2b4f69a471856f95cdbed3e1883c2ef965ba6623289

General

Target

apples.xll
Size

529KB
MD5

8dbf2e24ad5da6dfbf08fb67d034d312
SHA1

382711cf2cae7ccb533fbf2ba205fe4df635dede
SHA256

b8a748811ac92bd3b8f8b2b4f69a471856f95cdbed3e1883c2ef965ba6623289
SHA512

8bd7e724e98d887d491399a020d9e0128fe8fdcdd05278e4dddb4985e60e3c6cabea9b5f071d34188f4062688723b9495271ddd4642bf8185af96c3b2e686668
SSDEEP

12288:K4QKmjk2n5YMvHi9lWZr/ESVCqknRpW9r:ak7MvC9Er/TKW

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2084 created 3168	2084	EXCEL.EXE	40

Deletes itself 1 IoCs

pid	Process
2084	EXCEL.EXE

Loads dropped DLL 2 IoCs

pid	Process
2084	EXCEL.EXE
2084	EXCEL.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5104	3168	WerFault.exe	40

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2084	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2084	EXCEL.EXE
2084	EXCEL.EXE
384	EXCEL.EXE
384	EXCEL.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
2084	EXCEL.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2084	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2084	EXCEL.EXE
2084	EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
384	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 5104	2084	EXCEL.EXE	85
PID 2084 wrote to memory of 5104	2084	EXCEL.EXE	85
PID 2084 wrote to memory of 5104	2084	EXCEL.EXE	85
PID 2084 wrote to memory of 384	2084	EXCEL.EXE	86
PID 2084 wrote to memory of 384	2084	EXCEL.EXE	86
PID 2084 wrote to memory of 384	2084	EXCEL.EXE	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3168
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\apples.xll"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Deletes itself
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious behavior: RenamesItself
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\apples.xll"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:384
- C:\Windows\System32\WerFault.exe
  C:\Windows\System32\WerFault.exe -u -p 3168 -s 160
  2⤵
  - Program crash
  PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
323KB

MD5
9727b1893f4a4adc3107a50a77813c8e

SHA1
93f76aa52461deeeb49672f7dd497cef15470186

SHA256
a5faca4539374a78a69ef31163e96a358c49014fb3e1fa413f4463b008499d51

SHA512
acf7309e548ba621e94c32b9062149670012bea2eaf280b97359f2ece6d61e7d60eabeb295c7690b42ed3c52982b317d96aa6205cb58fa44dcd553d8468751d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
4KB

MD5
f138a66469c10d5761c6cbb36f2163c3

SHA1
eea136206474280549586923b7a4a3c6d5db1e25

SHA256
c712d6c7a60f170a0c6c5ec768d962c58b1f59a2d417e98c7c528a037c427ab6

SHA512
9d25f943b6137dd2981ee75d57baf3a9e0ee27eea2df19591d580f02ec8520d837b8e419a8b1eb7197614a3c6d8793c56ebc848c38295ada23c31273daa302d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
44KB

MD5
3e9e6df83e501d539d2969cf28593a3d

SHA1
424c0525932cfb30828b1de170dcd13e749dacf6

SHA256
4a1e8a18b631f21e4ce32c4c51b97c0dfebe707a1d15d480c0bbbc9c367e5e3f

SHA512
eaad536ca920b3f772b6513d389fc2ba904b6050d98eec3dd961bf9e606960e324a6b987dedc53827884f1b0ff026054ae4878cee186fb03c5ea2c2756ab11b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\apples.xll

Filesize
8KB

MD5
ef42a2731083ecfe2182ad37c8df7561

SHA1
76a87c606208bd9b06c7150f46a2b1d4a5452547

SHA256
7b74d5318500bd0780912b05c9b6e740b880d66c0166a6021acb5400a9e50d53

SHA512
d961f35abc914fd5866588a9ccc5dbaa14d0d23d0799349f04544f7d7da82d8a0b6da3c7217d222f28cd423152bd7ed2233927bf7c3c79167fdc78f67ec6b375

Download Submit
C:\Users\Admin\AppData\Local\Temp\apples.xll

Filesize
529KB

MD5
8dbf2e24ad5da6dfbf08fb67d034d312

SHA1
382711cf2cae7ccb533fbf2ba205fe4df635dede

SHA256
b8a748811ac92bd3b8f8b2b4f69a471856f95cdbed3e1883c2ef965ba6623289

SHA512
8bd7e724e98d887d491399a020d9e0128fe8fdcdd05278e4dddb4985e60e3c6cabea9b5f071d34188f4062688723b9495271ddd4642bf8185af96c3b2e686668

Download Submit
C:\Users\Admin\AppData\Local\Temp\apples.xll

Filesize
529KB

MD5
8dbf2e24ad5da6dfbf08fb67d034d312

SHA1
382711cf2cae7ccb533fbf2ba205fe4df635dede

SHA256
b8a748811ac92bd3b8f8b2b4f69a471856f95cdbed3e1883c2ef965ba6623289

SHA512
8bd7e724e98d887d491399a020d9e0128fe8fdcdd05278e4dddb4985e60e3c6cabea9b5f071d34188f4062688723b9495271ddd4642bf8185af96c3b2e686668

Download Submit
memory/384-172-0x00007FFE11150000-0x00007FFE11160000-memory.dmp

Filesize
64KB

Download
memory/384-171-0x00007FFE11150000-0x00007FFE11160000-memory.dmp

Filesize
64KB

Download
memory/384-170-0x00007FFE11150000-0x00007FFE11160000-memory.dmp

Filesize
64KB

Download
memory/384-169-0x00007FFE11150000-0x00007FFE11160000-memory.dmp

Filesize
64KB

Download
memory/2084-133-0x00007FFE11150000-0x00007FFE11160000-memory.dmp

Filesize
64KB

Download
memory/2084-136-0x00007FFE11150000-0x00007FFE11160000-memory.dmp

Filesize
64KB

Download
memory/2084-135-0x00007FFE11150000-0x00007FFE11160000-memory.dmp

Filesize
64KB

Download
memory/2084-134-0x00007FFE11150000-0x00007FFE11160000-memory.dmp

Filesize
64KB

Download
memory/2084-137-0x00007FFE11150000-0x00007FFE11160000-memory.dmp

Filesize
64KB

Download
memory/2084-139-0x00007FFE0F060000-0x00007FFE0F070000-memory.dmp

Filesize
64KB

Download
memory/2084-138-0x00007FFE0F060000-0x00007FFE0F070000-memory.dmp

Filesize
64KB

Download
memory/5104-145-0x000002488EF00000-0x000002488EF49000-memory.dmp

Filesize
292KB

Download
memory/5104-147-0x000002488F1F0000-0x000002488F2A7000-memory.dmp

Filesize
732KB

Download
memory/5104-197-0x000002488F2C0000-0x000002488F2C2000-memory.dmp

Filesize
8KB

Download
memory/5104-198-0x000002488F1F0000-0x000002488F2A7000-memory.dmp

Filesize
732KB

Download
memory/5104-199-0x000002488F1F0000-0x000002488F2A7000-memory.dmp

Filesize
732KB

Download
memory/5104-202-0x000002488F1F0000-0x000002488F2A7000-memory.dmp

Filesize
732KB

Download
memory/5104-206-0x000002488F1F0000-0x000002488F2A7000-memory.dmp

Filesize
732KB

Download
memory/5104-214-0x000002488F1F0000-0x000002488F2A7000-memory.dmp

Filesize
732KB

Download
memory/5104-215-0x000002488F1F0000-0x000002488F2A7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads