335ade9fc7fc962cd026795de6dcfba8defbbcb198db954dc1aeb8051bca8d6f

General

Target

d4c7e0f06a9b75f6e35287f34b914a58.xls
Size

36KB
MD5

d4c7e0f06a9b75f6e35287f34b914a58
SHA1

e079ad6634ea9787698bbdf8c14257c87f9edc69
SHA256

335ade9fc7fc962cd026795de6dcfba8defbbcb198db954dc1aeb8051bca8d6f
SHA512

47b805e51bf7c8cb828bdca733c3f2e4fb8989a38d928933627e6e33c6d5d18c0537d4e4fa8ec96b57ed10e41bcff6d288cabf95d1e7fa6cfa08addf102dd998
SSDEEP

768:GPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJLS2GOK/90jIhpEVq7:6ok3hbdlylKsgqopeJBWhZFGkE+cL2Nf

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5072	3224	explorer.exe	86

Blocklisted process makes network request 2 IoCs

flow	pid	Process
22	4276	WScript.exe
52	4276	WScript.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3224	EXCEL.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3224	EXCEL.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE
3224	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 5072	3224	EXCEL.EXE	91
PID 3224 wrote to memory of 5072	3224	EXCEL.EXE	91
PID 1312 wrote to memory of 4276	1312	explorer.exe	93
PID 1312 wrote to memory of 4276	1312	explorer.exe	93

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d4c7e0f06a9b75f6e35287f34b914a58.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Public\Documents\HBRJ.vbs
  2⤵
  - Process spawned unexpected child process
  PID:5072

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\HBRJ.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\HBRJ.vbs

Filesize
562B

MD5
dda3f8bfe3a08f0864f93eec632c8538

SHA1
780f87bb1f96f123387d74e80aca541d1eaeebe9

SHA256
fc567217c4c737bab018ee540e0466e23f5b07c62ad7e07ae1d479850970354d

SHA512
bced6b8eeacbe4932ef0bbb21e6b72c2a7e377bdb16ab9d07ddf908fe777c44cded24a9247dea4ccb52f35791db18e2dcf441d8e03162d204875658248caa431

Download Submit
memory/3224-13-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-32-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-2-0x00007FFE6AE50000-0x00007FFE6AE60000-memory.dmp

Filesize
64KB

Download
memory/3224-5-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-6-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-7-0x00007FFE6AE50000-0x00007FFE6AE60000-memory.dmp

Filesize
64KB

Download
memory/3224-8-0x00007FFE6AE50000-0x00007FFE6AE60000-memory.dmp

Filesize
64KB

Download
memory/3224-4-0x00007FFE6AE50000-0x00007FFE6AE60000-memory.dmp

Filesize
64KB

Download
memory/3224-9-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-10-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-34-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-3-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-15-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-14-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-12-0x00007FFE684F0000-0x00007FFE68500000-memory.dmp

Filesize
64KB

Download
memory/3224-18-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-17-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-19-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-16-0x00007FFE684F0000-0x00007FFE68500000-memory.dmp

Filesize
64KB

Download
memory/3224-20-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-0-0x00007FFE6AE50000-0x00007FFE6AE60000-memory.dmp

Filesize
64KB

Download
memory/3224-1-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-33-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-11-0x00007FFEAADD0000-0x00007FFEAAFC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads